Shock and Awe: Google Reserves Private API in Chromium Allowing Google Websites to Access More PC Hardware Information
The open-source browser project led by Google, Chromium, serves as the foundation for several major browsers including Google's Chrome, Microsoft's Edge, Opera, Brave, and Vivaldi.
Recently, developer @lcasdev made a startling discovery in the Chromium source code: Google has reserved a private API exclusively for its main domain, *.google.com.
What does this API do? It enables Google websites to access detailed information about a user's PC hardware, such as CPU and GPU utilization rates, memory usage, CPU specifications, and log recording.
Typically, a website can learn about a user's PC only from the User-Agent string, which might include the CPU architecture and operating system version, or from other means that reveal details such as screen resolution.
The level of hardware detail Google can obtain through this private API raises significant privacy concerns, especially since it is exclusively available to Google domains. This exclusivity violates the European Union's latest Digital Markets Act (DMA).
For instance, both Google Meet and Zoom offer video conferencing services. With access to this private API, Google can optimize the performance of Google Meet on PCs to a degree that Zoom, lacking access to detailed CPU/GPU usage information, cannot match. This gives Google an unfair competitive advantage through Chrome.
Further investigation revealed that this private API is implemented via a Chrome extension (ID: nkeimhogjdpnpccoofpliimaahmaaome). Users cannot disable this extension, nor can they find it on the extension management page, so it is effectively hidden from them.
Notably, at least two third-party browsers based on Chromium have also integrated this extension, seemingly without the developers' awareness. Otherwise, they would likely have removed the extension during the development process.
These browsers are Microsoft Edge and Brave, and it is presumed that other Chromium-based browsers also include this extension to provide Google websites with additional hardware information about users.
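When reviewing an extension bundled with a Chromium-based browser, the two things to check are which web origins may message it and which hardware-related permissions it holds. The following is an added example, not code from Chromium or from this article; it assumes the domain allowlist is expressed through the manifest's externally_connectable key, and the sample manifest and the names originAllowed and auditManifest are constructed for illustration.

```javascript
// Constructed sample manifest (assumption: not the real extension's file).
const sampleManifest = {
  name: "example-component-extension",
  externally_connectable: { matches: ["https://*.google.com/*"] },
  permissions: ["system.cpu", "system.memory", "processes", "storage"],
};

// Chrome permission names that expose host hardware or process data.
const HARDWARE_PERMISSIONS = new Set([
  "system.cpu", "system.memory", "system.display", "system.storage", "processes",
]);

// Minimal match-pattern check on scheme and host only (path is not evaluated).
function originAllowed(pattern, url) {
  const m = /^(\*|https?):\/\/([^/]+)\//.exec(pattern);
  if (!m) return false;
  const [, scheme, hostPattern] = m;
  let u;
  try { u = new URL(url); } catch { return false; }
  const urlScheme = u.protocol.slice(0, -1);
  const schemeOk = scheme === "*" ? ["http", "https"].includes(urlScheme) : scheme === urlScheme;
  if (!schemeOk) return false;
  if (hostPattern === "*") return true;
  if (hostPattern.startsWith("*.")) {
    // "*.example.com" covers example.com itself and every subdomain,
    // but not look-alikes such as "evilexample.com".
    const base = hostPattern.slice(2);
    return u.hostname === base || u.hostname.endsWith("." + base);
  }
  return u.hostname === hostPattern;
}

// Report who can reach the extension and what hardware data it can read.
function auditManifest(manifest, probeUrls) {
  const patterns = (manifest.externally_connectable || {}).matches || [];
  const hardware = (manifest.permissions || []).filter((p) => HARDWARE_PERMISSIONS.has(p));
  const reachableFrom = probeUrls.filter((url) => patterns.some((p) => originAllowed(p, url)));
  // Flag the combination: web-reachable AND able to read hardware telemetry.
  return { patterns, hardware, reachableFrom, flagged: patterns.length > 0 && hardware.length > 0 };
}
```

Run against a manifest extracted from a browser build, the `flagged` field marks extensions that combine a web-facing allowlist with hardware telemetry permissions, and `reachableFrom` shows which of the probed sites fall inside that allowlist.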
Given the issues of overreach, privacy, and potential DMA violations, Google may soon respond, though it is currently unclear if Google will update Chrome to allow users to disable this extension.