back to article Chrome 56 quietly added Bluetooth snitch API

When Google popped out Chrome 56 at the end of January it was keen to remind us it's making the web safer by flagging non-HTTPS sites. But Google made little effort to publicise another feature that's decidedly less friendly to privacy, because it lets websites connect to Bluetooth devices and harvest information from them …

  1. razorfishsl

    Google shoving a gloved hand up users rectums again.....

    1. elDog

      But it's only to feel your privates, dearie. Perhaps we can also unclog some of your colocated pipes. Silver Stallion? Getting carried away (literally).......

      But now we need to come up with other ways to spoof our USER-AGENT and other mis-identifying information. They're getting down to total personal identification with every use of chrome.

    2. This post has been deleted by its author

    3. cd

      Hmmm...Wonder what purpose their bot has rooting in my Wordpress plugins folder? Blocked some 66's. And now I have a private website. There's your choices. Thankfully they aren't leveraging their search hegemony.

  2. Anonymous Coward
    Black Helicopters

    It gets worse every year it seems...

    I use Opera which is build upon Chromium simply because I like some of the features but mistrust Google. So I'm hoping that Opera will keep out a lot of bullshit like this here. But even so, it never stopped to amaze me how intrusive the whole thing has become.

    When I go to my Opera settings it even states that websites could ask for permission to access ny connected microphone, camera and MIDI devices. The recommended setting being "ask me", but I turned the whole thing off.

    But seriously: a website asking me to access a microphone or camera? Not in a million years.

    And now we're onto Bluetooth. Yaaay.

    But it's the main thing which I think people should do more often: go carefully over the settings of your software (browser in this case) and (try to) figure out what each option does and if you really want to leave this turned on or off.

    And thanks to Microsoft's new "hippie" upgrade model: also continue doing this from time to time. Because nowadays you can no longer be 100% sure that no silent updates haven't run which added, changed or removed certain features (especially when you're running Windows 10).

    1. TRT

      Re: It gets worse every year it seems...

      IF they give you a switch.

      1. Mike 16

        Re: It gets worse every year it seems...

        And IF the switch actually does anything.

    2. davenewman

      Re: It gets worse every year it seems...

      The most common way to access a video conference on a computer these days is via a browser. So the site will need to access the camera and microphone if you are going to talk to someone at a distance using a Google Hangout, Zoom.us etc. The alternative is an app on a phone.

      1. P. Lee

        Re: It gets worse every year it seems...

        >The alternative is an app on a phone.

        Or an app on your laptop with the built in mic and camera.

        Seriously, who runs a camera over bluetooth? If I want to run my bluetooth mic with it, I'll pair it with the computer or phone so the browser can use it as a local device. It does not need to go direct.

        There is no good reason for this "feature." Look at the figures, the suggested use case is IoT but how many of those are there? By how much has the attack surface of the web browser increased? Got a bluetooth tether available on your phone?

        It's definitely time to ditch Chrome if you haven't already.

        And as I've said many times before, we need more fine-grained OS control of applications. I don't care what the current configuration is, remote-triggering of a tunnel between remote websites and (probably) network-capable devices behind a firewall is idiocy.

        1. Paul Hargreaves

          Re: It gets worse every year it seems...

          > Or an app on your laptop with the built in mic and camera.

          Installing an app (on a desktop) for a single use camera isn't ideal either.

          And, one you've installed that app, it's got complete access to local filesystems, bluetooth, local network devices (e.g. can start to sweep your local subnet), etc.

          Don't get me wrong, I want this new functionality disabled/optional as well, but installing software is much worse for security.

    3. Anonymous Coward
      Anonymous Coward

      @ShelLuser - Re: It gets worse every year it seems...

      For the moment Google still allows you to change this setting but soon.....they will just assume you don't want to mess with this.

      1. Mage Silver badge

        Re: perfectly reasonable?

        Why does this stupid API exist at all?

        A web site only ought to know the window size.

        Far too much information is given away by web browsers.

        1. VinceH

          Re: perfectly reasonable?

          "A web site only ought to know the window size."

          Quite. The 'fingerprint' nature of the information they can give is already bad enough - and this this new feature expands that.

          Thankfully #1, I don't use Chrome except on very rare occasions - but even so, thankfully #2 is that I don't use anything with Bluetooth enabled. I suppose I should add "that I know of".

        2. Jason Bloomberg Silver badge

          Re: perfectly reasonable?

          A web site only ought to know the window size.

          And perhaps not even that. But browsers have become far more than rendering engines; have become the thin clients of today.

          Some people really do want to interact with devices through their browsers, want to be able to 'one-click upload' their health tracking dongle data and have it appear as a graph before their eyes. Browser manufacturers can either tell those users to fuck off or cater to their whims.

    4. Triggerfish

      Re: It gets worse every year it seems...

      Agree with this, but think of all the non tech users out there. Google must really be harvesting some data if even the paranoid and techy sort that read things like the reg, are finding it harder and harder to get around.

    5. Anonymous Coward
      Anonymous Coward

      Re: It gets worse every year it seems...

      It's always good to be cautious, sceptical and some times even a little paranoid.

      However, I have never been asked by a website to access my Camera or Microphone unless it was legitimate for the task it was trying to do - voice calls, conferencing etc. The less apps I need to download to do this which then have far more access than I would like to give and stick it with a temporary session in a browser that I can then restrict straight after is a better thing, I feel.

      The alternative to the bluetooth searching for an IoT or smart wearable (completely agree that some may be wary of IoT in general, however for some people they find them very useful) is to have it connect over WiFi (sometimes via a zigbee style network first) and then control it via a command and control centre on the web. This raises a whole host of more issues, such as the control website going offline, opening up your IoT to the internet etc.

      This would at least give you the opportunity to control bluetooth devices locally and also without requiring an app for each and every device. Any app you install that has the Bluetooth permission can already access all your Bluetooth devices and Google can already access them all if it wanted that data from an Android or IOS device or even directly from the Browser, regardless of this API.

      So this is more of the push to be app-less and allow web apps to take their place, no install, write once - run anywhere (that's been touted a lot before). A developer doesn't need to write different apps for different devices and persuade users to install them, they can just write for the browser and use standards.

      So, if you mistrust Google then 1) they've been able to collect this information if they wanted it in far more details for a long time from Chromw 2) you wouldn't be using Chrome 3) you wouldn't allow the permission in the first place

      If you mistrust a website to use this information then 1) Don't visit the page on a site that requires it (you probably don't have their device anyway) 2) Don't allow permissions to access it when the site asks you 3) Don't install their app as that would have far greater access to your system anyway.

      TL;DR Why would you care, it doesn't affect you anyway?

      1. Doctor Syntax Silver badge

        Re: It gets worse every year it seems...

        "However, I have never been asked by a website to access my Camera or Microphone unless it was legitimate for the task it was trying to do - voice calls, conferencing etc."

        Why do you think all those sites which have accessed your camera and microphone for illegitimate reasons didn't ask you?

        1. Anonymous Coward
          Anonymous Coward

          Re: It gets worse every year it seems...

          "Why do you think all those sites which have accessed your camera and microphone for illegitimate reasons didn't ask you?"

          They can't get access without asking you, it's a permission based API.

        2. My Alter Ego

          Re: It gets worse every year it seems...

          "Why do you think all those sites which have accessed your camera and microphone for illegitimate reasons didn't ask you?"

          I'm pretty sure they have to ask you. We use the notification and location APIs but I've never seen a browser give access to those permissions by default - it's always asked (unless the user has explicitly told the browser to "Always Allow"

          Take Chrome (v.56 Debian) - Location, Camera, Microphone & Notification are all set on installation to "Ask"

    6. Anonymous Coward
      Anonymous Coward

      Re: It gets worse every year it seems...

      By Opera you mean the chinese owned one?

      Why not use something like QupZilla which is still based on the same engine.

  3. Anonymous Coward
    Anonymous Coward

    Google Chrome was already a pariah

    Ever since I had it "offered" to me as yet another bloody weaponised "optional" payload by an Acrobat (IIRC) update

  4. Doctor Syntax Silver badge

    In another place (OK, /.) there was an article on an Olimex laptop and comment was passed on the 1GB memory and what couldn't be done with it. Someone said that nobody sane runs an out-of-date web-browser. In this case nobody sane runs an up-to-date Chrome.

    1. tiggity Silver badge

      On one of my machines I run an out of date browser on an out of date OS (OS cannot be upgraded to newer versions due to hardware limitations).

      I have no hassles (then again scripting is off by default, login as non admin user with limited rights, machine specific whitelisting in operation so only allows certain sites to be accessed and whitelist extension cannot be done by the low level account) - works for me - but don't go round surfing random sites just have a small number of sites I regularly visit (the likes of faecebook etc. are not amongst them!) and keeps an old machine in use instead of it going to landfill (& saves me buying a new machine just for CPU undemanding browsing / email )

  5. Anonymous Coward
    Anonymous Coward

    Cheers for calling Google out

    We could use more of this.... BS Claims of ease-of-use or connecting-the-world always breezes past the mainstream media unquestioned. Whereas anyone not in a coma knows that Google and Facebook are run by sleazy f*cks who'll sell their granny for a buck. Welcome to the 'cult' of data collection...

    ......"The Register considers it perfectly reasonable to consider the API as another means for sites to gather and aggregate information about users; and if challenged the industry will use familiar weasel-words about how users can experience wonderful new services users will get if they just hand over a little more private data.".......

  6. Anonymous Coward
    Anonymous Coward

    Keep waiting for the day when users will start to push back....

    But that seems further and further away... So will people ever wake up... I thought Win10 slurping might do the trick, but no. Sorry to sink to the depths of Godwin's Law, but we live in an era of Stasi / Nazi / data fascism, where annihilation of data rights and privacy is repeatedly sold as being good for us....

    1. ecofeco Silver badge

      Re: Keep waiting for the day when users will start to push back....

      You will have to wait until long after you and I are dead.

      I keep saying this: the average person has no clue about computers and never will and THAT'S why they are being taken advantage of. Nor will they ever for a long, long time. Think about how many people actually know how their car works. That will eventually be the same average for computers.

      1. Triggerfish

        Re: Keep waiting for the day when users will start to push back....

        I have to agree with this, until it get's to a point where it becomes so intrusive people psh back it's going to carry on.

        But I think not just because most people don't understand computers, but because companies actively are trying many different ways to get your data.

        In a way, slurping on the QT can cause some issues because you can get bitten once people catch on, there's even companies who have taken decent size hits because of this.

        The way it really works is companies working the angle through omnichannel marketing and such. Want some vouchers for your supermarket? Sign up, give them your details let them tie that to the data they are picking up when you now connect via wifi to use those vouchers in the shop, and your profile and data footprint grows.

        Only the most tinfoil of us would not sign up to nothing, I use things like Amazon for example, and it's these ways that people are really giving away their data, sign up to that supermarket and give them your name, and next thing you know the ad hoarding in your shopping centre is reading your wifi MAC and saying "Hello dave, want to buy some stretchy pants?" (I know you keep buying pie, the supermarket told me so).

        Problem is we are getting generations of people who are more and more used to this, and havng the convenience of things just working when they expect, which is the other side of omnichannel marketing, and for the current and coming generations a lot of this is also the boiling frog effect.

      2. chas49

        Re: Keep waiting for the day when users will start to push back....

        "Think about how many people actually know how their car works. That will eventually be the same average for computers."

        Only if a national programme of IT education is instituted. Otherwise it'll remain close to zero.

    2. DropBear
      Facepalm

      Re: Keep waiting for the day when users will start to push back....

      Doesn't matter how intrusive it will get, nothing will happen. Not until consequences start coming back to users and hurt them somewhere they do care about: right now, there's no tangible consequence of any kind due to the (very real) loss of privacy. That's why you have such a problem explaining anyone else why you care about it - because right now it's down to ideology, and an "oh no I'm not walking into that trap" attitude rather than practical considerations. Sooner or later it will have to get so bad as to cause real hurt, and then people might suddenly prefer to care - but I suspect by that point it will be way too late and resistance will be genuinely flat out impossible..

  7. This post has been deleted by its author

    1. luminous

      Good grief you live in a bubble then. You've never heard of the site years ago called pleaserobme.com - took facebook posts of idiots boasting about their new massive tv then going on holiday for 2 weeks. They got robbed. It happened so frequently that insurers updated their policies to exempt them if the insured person made such posts.

      And I guess you've never heard of identity theft either? Or someone not getting a job or something because of a stupid post online.

      You can still be online and keep most things private. It's about the choices you make.

      1. Anonymous Coward
        Anonymous Coward

        "And I guess you've never heard of identity theft either? Or someone not getting a job or something because of a stupid post online."

        Read what I wrote. "Big tech data privacy issues" I specifically made the distinction between *security* issues (e.g. someone stealing your credit card info), which is obviously a problem, and "big tech data privacy" (e.g. fb or Google securely collecting click data to serve more relevant ads). I have never heard of anyone who has had a negative impact because of Google or fb or MSFT or another big tech player securely collecting their data.

        Did you honestly think I meant that I have never heard of a negative impact from people getting their credit card stolen?

        1. folbec

          "big tech data privacy" :

          - unless you live in China, and the government is helpfully computing your "social score", which will determine if you get credit, or access to a university, or to the local gulag...

          - unless you live in the USA, and you need credit, and your credit score is computed from those "big tech data privacy" data. The catch is you won't even know it, unless you go on an expensive legal rampage, which you won't, because if you need credit, you don't have the money

    2. Nolveys

      I know of no one who has ever had anything negative happen to them as a result of one of these big tech privacy issues.

      Sounds like you're ready to...have an affair. Or you could give your credit card to Sony, that would work too.

      1. Anonymous Coward
        Anonymous Coward

        Security vs privacy. Two different things.

    3. Triggerfish

      @Ac

      Hi Mr Ribbit, please come sit in this nice water, yeah I know it's a pot and sitting on a stove, but trust me.

    4. Anonymous Coward
      Anonymous Coward

      So says the one posting as AC

  8. I Like Heckling Silver badge

    aaaaaaaaaaaannnnnnnnnnnnndddddddddddddd that's why....

    I install Firefox and disable Chrome as soon as I get any android device.

    1. bazza Silver badge

      Re: aaaaaaaaaaaannnnnnnnnnnnndddddddddddddd that's why....

      I remember reading somewhere that Firefox logs the WiFi networks that it can see and sends that all off to Mozilla...

      1. Colin 22

        Re: aaaaaaaaaaaannnnnnnnnnnnndddddddddddddd that's why....

        Firefox can and have been able to for some time. However, the default behaviour is that this is switched off.

      2. Anonymous Coward
        Anonymous Coward

        Hmmm.

        I keep the WiFi on my Android mobile switched OFF most of the time for power-saving reasons, and when I turn it back on at home, surprise! It briefly presents me with a list of all the WiFi hot spots I've been near while I was out and about WITH WIFI SWITCHED OFF. Clearly, the WiFi receive functionality *never* turns off (it's an open question whether the *transmit* functionality is still running or not). I wonder how much of that location info gets sent to The Mighty Google, and how much of it is being used for location-based pestering.

        Anon because I'm just a paranoid bastard.

        1. Paul Crawford Silver badge
          Big Brother

          Re: Hmmm.

          "how much of it is being used for location-based pestering"

          All of it. All of the time. Like a jackboot stamping on your face forever.

        2. tiggity Silver badge

          Re: Hmmm.

          Ensure you have wifi scanning off too - this is used by location services they will wake up wifi to aid in geolocation (you probably want location services disabled anyway)

          Also check what apps are running in the background in case some of them are waking wifi.

          Permission are a lot of apps want is huge.

    2. Paul Crawford Silver badge

      Re: aaaaaaaaaaaannnnnnnnnnnnndddddddddddddd that's why....

      Also turn off Bluetooth as well, unless you really REALLY need it for something (e.g. switch on for car's hand-free support, but probably you are safer just ignoring your phone while driving).

      1. Natasha Live

        Re: aaaaaaaaaaaannnnnnnnnnnnndddddddddddddd that's why....

        If you read the documents: The bluetooth chrome features do not work on mobile devices. Only Windows, Mac OS and Chromebook. your mobile is fine.

        1. IsJustabloke

          Re: aaaaaaaaaaaannnnnnnnnnnnndddddddddddddd that's why....

          "Only Windows, Mac OS and Chromebook. your mobile is fine."

          I guess it's only a matter of time before it extends though at which point I'll have to do something about it because my laptops/desktops all have bluetooth disabled.

        2. Anonymous Coward
          Anonymous Coward

          Re: aaaaaaaaaaaannnnnnnnnnnnndddddddddddddd that's why....

          Only Windows, Mac OS and Chromebook. your mobile is fine.

          Android written by Google, Google writes Chrome, Google likes the API so it can whore your data to sell personalised ads.

          Mobile is fine, honest, you can trust them.

        3. I Like Heckling Silver badge

          Re: aaaaaaaaaaaannnnnnnnnnnnndddddddddddddd that's why....

          Even better as none of my windows machines use bluetooth, and BT on my phone/tablet is turned off until I actually need to turn it on... IE, when using my BT headphones or in the car (most of the time I forget anyway).

          I do have chrome installed on one desktop, but it's only used for google hangouts because they do their best to stop it working right on anything else... I also stop any chrome related background services from starting with windows.

        4. Crazy Operations Guy

          "The bluetooth chrome features do not work on mobile devices."

          Well, this API doesn't, but I'm pretty damn sure the mobile version of Chrome already has these capabilities, what with it being integrated so deeply into the OS it knows what the Kernel dev had for breakfast...

  9. Andrew Jones 2

    I'm so confused - why is there an outcry exactly? This can't detect anything until the website has asked for and been granted permission right? The whole point of this is supposed to be to do away with the current stupid situation we are in where every product you buy (like for example Bluetooth controlled Christmas Lights) - also requires an app to be downloaded for whatever mobile operating system you happen to be running - and usually it's only available for Apple and Google, Microsoft is often left out. Further - it's only for mobile users. Having a website that allows you to configure the product on whatever platform you are on - regardless of whether it is mobile or desktop via Bluetooth seems like a no-brainer idea to me.

    If anyone even bothered to watch last years IO - the plan would be that you could go to a parking meter or EV charger and the Bluetooth Eddystone beacon broadcasts the URL for the parking meter to your phone which announces it's existence, and then the Bluetooth API allows you to connect to it locally so you can pay for your parking or electricity. But I mean if you would prefer absolutely everything should be connected to the internet and you would do things via a central server requiring an account and something sitting constantly listening for commands from a central server - feel free.

    I know which solution sounds better from a privacy aspect to me.

    1. Kevin McMurtrie Silver badge

      Google usually asks for permission to do things deep down in a terms of service agreement. Chrome is essentially a Trojan horse data harvester so it would not surprise me one bit if Google gives themselves continuous Bluetooth access. On Android, Google grants itself such permissions after nagging you to change the Location Settings to "improve performance."

      1. Anonymous Coward
        Anonymous Coward

        Kevin McMurtrie>>nagging you to change the Location Settings to "improve performance"

        Every single bloody location based app tells me that I need to turn on WiFi for improved accuracy. This is simply a lie: my GPS fixes in seconds with a resolution of <10m, and I do not believe either time to first fix nor resolution can be improved by WiFi triangulation. In fact it's worse --- my phone kept thinking I was back at home 30 miles away simply because I brought my hotspot with me!

        1. matjaggard

          WiFi improves the time to fix on GPS satellites with some hardware and when you can't see enough satellites - I think it can get a vague idea of location to require fewer other data points.

      2. My Alter Ego

        That's not how the API works - it's required to ask for permission (unless the user has explicitly told the browser to always allow access to Location, Camera, etc).

        Easiest way to see is to click on the Info icon (or Certificate) in the address bar. It'll give you a list of all the permissions the website has. Any of the ones that have privacy issues will be Ask (default), unless you've previously given access.

    2. Anonymous Coward
      Anonymous Coward

      @Andrew J. - You're naive

      if you think they work so hard just so you can pay for your parking. This is definitely not how they got filthy rich. Please wake up!

  10. ecofeco Silver badge

    Chrome is done

    Between this and the latest change that cripples your plug-ins, I don't see the point of Chrome any more.

    1. Anonymous Coward
      Anonymous Coward

      Re: Chrome is done

      I'd add Firefox to the list as well if there was anything else viable today. Mozilla seems to have lost the plot, too. They seem to have a similar API in the works from what I've heard, but who knows. Requiring Microsoft style approval of plugins did for me.

    2. nematoad Silver badge
      Happy

      Re: Chrome is done

      "Between this and the latest change that cripples your plug-ins, I don't see the point of Chrome any more."

      I never did, that's why I use Palemoon.

      Chrome comes from Google so what did you expect?

  11. Spoonguard
    Stop

    USB

    wasn't there also a USB web API that got aborted recently?

  12. sabroni Silver badge

    re: the API lets websites ask your browser “what Bluetooth devices can you see,”

    And who is in control of which bluetooth devices the browser can see? The article totally omits any talk of the user interface for this feature. How does it work? Can the browser see any bluetooth device that's active and in range of my pc or does it have to be paired with the pc? Can I "pair" devices with the browser like I do with my phone?

    There's no reason this API should be a problem if the user still has control over what is visible. If the browser prompts the user before sharing any information, like it does with the location api, then what's the issue?

    1. Anonymous Coward
      Anonymous Coward

      Re: re: the API lets websites ask your browser “what Bluetooth devices can you see,”

      99.99% of users will just click everything they see.

      That's the problem.

      1. matt

        Re: re: the API lets websites ask your browser “what Bluetooth devices can you see,”

        Should we remove the webcam and webmedia API's too? they "only" require a prompt.

    2. DaLo

      Re: re: the API lets websites ask your browser “what Bluetooth devices can you see,”

      You don't need to pair with a device you see it but you may need to pair with the device to read any information or communicate directly with it (depends on the security settings of the device).

      This is most likely to be used for Bluetooth LE devices which often don't require traditional pairing or authentication.

      1. Tim 37

        Re: re: the API lets websites ask your browser “what Bluetooth devices can you see,”

        On Windows 10 you can't currently see Bluetooth Low Energy devices (the only ones which work with this API) unless they've already been paired so the risk is even lower. Microsoft are planning on fixing this in the future as every other platform allows BLE discovery without pairing and some basic devices don't even support pairing.

  13. Dieter Haussmann

    TBH, I think the access should be denied/granted at OS level (maybe it is).

  14. Natasha Live

    My first thought is "Why not turn off my computers bluetooth?". Then I remembers I'm on a Mac so my keyboard and mouse are both bluetooth. A quick run of "show available bluetooth devices" gives mouse, keyboard and soundbar within detection range. Okay no so bad. Oh wait, there's my neighbours phone (computer on a shared wall). Well now Google can link me with him. Hum.

    Just tried to run some of the google examples for this feature and received this error message:

    "Web Bluetooth API is not available. Please make sure the "Experimental Web Platform features" flag is enabled.". So right now it's only a test that you have to enable to us.

  15. Christian Berger

    It's a general trend in the browser community

    Instead of doing things that would improve security (limiting Javascript from external servers, turning off APIs, simple client certificates) they do everything to solidify their oligopoly.

    Every new API makes it harder for a new competitors to enter the browser engine "market", which gives the browser vendors more power. Just imagine there would be a truely free browser that does everything you want, like blocking external Javascript or selectively blocking Flash, instead of constantly making the UI less usefull. Mozilla would be broke in months.

    1. Trilkhai

      Re: It's a general trend in the browser community

      Well, at the moment, Pale Moon with its AdBlock Latitude (for selective crap–blocking) fulfills those needs quite nicely for me. I agree, though: if PM existed to make money rather than as a community project, it'd be kaput in pretty short order.

      1. Anonymous Coward
        Anonymous Coward

        Re: It's a general trend in the browser community

        And how do you know Adblock Latitude isn't storing all your browser history and selling it to the highest bidder?

  16. Mystic Megabyte
    WTF?

    Shopping

    Yesterday I was buying something online using Chromium Version 55.0.2883.87 Built on Ubuntu , running on Ubuntu 16.04 (64-bit).

    IIRC I had clicked on the PayPal button when a Google box appeared saying something like "As this is a Google approved store would you like to pay Google instead?" It also mentioned £1000 cover for losses. I should have taken a screen shot but I was so annoyed that I hastily closed the box.

    I have never seen this before, has anybody else?

    1. Anonymous Coward
      Anonymous Coward

      Re: Shopping

      Yes, and in order to get that £1000 cover you have to sell your soul to the devil.

      "Your Privacy

      Google will not share personally identifiable information about You or Your order with any third parties except as set forth in the privacy policy applicable to the Program. By agreeing to participate in the Program, You agree that Google may contact You, Your Merchant, Your product manufacturer, and/or any other relevant party regarding any claims You file; and Google may contact You requesting feedback about Your experience with the item(s) and/or the Merchant. Google will use any personally identifiable information about You which You provide to Google in accordance with the privacy policy applicable to the Program."

      And of course, we know that Googles standard policy includes, we will use every last shred of information we can gather about you.

    2. Ogi

      Re: Shopping

      > I have never seen this before, has anybody else?

      Yeah I have seen it a few times. Usually when the store you are buying from has been approved by Google (i.e. they signed up to Google store and added Googles JavaScript to their site), Google will spam you incessantly every time you try to buy something using anything other than Google payments.

      I get it when I pay by PayPal, or when I pay direct using my credit card. Basically, if you do anything apart from the Google way, you will get the messages.

      Irritating, yes, also annoying as I block as much google JS as I can (I usually have to switch to Chrome to actually do the online purchase because if you block Google JS, it breaks the site even if you are not paying by Google) but fewer and fewer options are out there. More and more stores sign up for it.

      My biggest worry is one day stores will just cease providing direct purchase options via CC, and you will have no choice but to go through Google or PayPal.

      1. Doctor Syntax Silver badge

        Re: Shopping

        "My biggest worry is one day stores will just cease providing direct purchase options via CC, and you will have no choice but to go through Google or PayPal."

        OTOH, if you pay through PayPal you have to trust just one business. With CC you have to trust every single place you shop to keep your CC details safe; good luck with that.

        1. Ogi

          Re: Shopping

          > OTOH, if you pay through PayPal you have to trust just one business. With CC you have to trust every single place you shop to keep your CC details safe; good luck with that.

          To be honest, the one and only reason I use CC is because my bank provides me protection against such fraud anyway. That is the main benefit to CC (in my case, the only benefit).

          Hence I am not so worried about my CC details being leaked, but that it just me. Having Google profile, datamine and force me into their system worries me far more than anything else. So I am happy to risk leakage of my CC data for that.

  17. Anonymous Coward
    Anonymous Coward

    So now they're phishing find my wireless headphones as well as my credit card details...

    I know which one I'm more worried about.

    No, Chrome, I do not want to store my credit card details, with you, or within any other piece of software. I'll re-install you when you give me a clear, easy to find option to turn off that nagging for good.

  18. Doctor Syntax Silver badge

    A year or so ago there was a lot of talk about Thunderbird finding a new home and the Document Foundation was mentioned. My own view was that they would do well to take over not only Thunderbird but also Seamonkey. I liked the idea of a browser free from the influences of both Google and Mozilla. Sadly I haven't heard about the Thunderbird proposals for months.

  19. Anonymous Coward
    Anonymous Coward

    Bluetooth controlled what?!

    Wow, this has really got me feeling like I've time-slipped from the 1990's - Bluetooth controlled Xmas tree lights, eh? (stunned look of amazement). I still haven't gotten over the shock of realisation that there are people actually using Bluetooth (which ISTR was roundly derided many years ago as being rather cack - or did I dream that?), and have never felt any need for Bluetooth enabled anything. Indeed, it annoys me that there are bits in Linux to do with Bluetooth that apparently can't be removed from some dsitros without knackering them, unless you're prepared to do far more faffing around than I am. I digress, apologies...

    Seriously, Xmas tree lights do not require bluetooth. Neither do your regular lights, both are fine with perfectly good manual switches. I can just about see the case for some form of wireless headsets, and if Bluetooth can do that, well and good, but I'll stick with wires, thanks very.

    As for websites being enabled to sniff for other devices in ones home, I refer my fellow esteemed commentards to my rant about HTML5 being able to force users browsers into fullscreen mode - in short, it's a shitheaded decision to allow this that only a cretin or thief would consider a good idea. IMHO, of course.

    It'll all end badly, at this rate.

  20. Anonymous Coward
    Anonymous Coward

    And this is news how?

    OK, granted, they have found yet another hole to gather information with, totally by accident and just the work of a rogue engineer who also just happened to set up a data collection back end for it .. sorry, I was channeling the Streetview team for a moment there.

    What I want to know is why this comes as a surprise.

    Google's money comes from the theft acquisition of personal data and its resale and, in the best tradition of most US companies, it's hot on profit and not so hot on laws so why, oh why, does it come as a surprise that something supplied by them for "free" doesn't make you pay in a different way? Surely you're not expecting benevolence from Google?

    If you haven't figured out by now that you always pay for "free" with Google you really are beyond hope.

    1. Anonymous Coward
      Anonymous Coward

      Re: And this is news how?

      "...acquisition of personal data and its resale... "

      Where can you buy the data that Google collects? Why would they sell it? Google profile you into certain demographics, categories and locations which advertisers can then bid to target ads at if you fall into that category.

      Their targeting never seems great and I'm yet to see an advert that I think is particularly relevant, however Ad Block/Ghostery* helps.

      *How do you know you can trust them? They see every page you visit and can access all that information even on 'https' sites. Web Of Trust (WOT) did something of a reputation service and were then found to be selling all the private search data to third parties.

  21. Tom 7

    Chrome is really useful

    I use it on a throwaway user login when I cant get some videos to play due to the armoury of addblocks and other security measures. The script that launches that one off user no longer has access to bluetooth devices.

  22. pop_corn

    > "Merely scanning for nearby devices is a marketer's dream"

    I have never understood why people think marketers having more information is an issue? As a middle aged, balding, pot bellied man, I don't want to see adverts for Barbie dolls or frilly dresses, I want to see adverts for powertools, beer and gadgets.

    Marketers being able to target ads is good for everyone concerned: I see ads for things I'm interested in buying and that are relevant to me; and they spend less money on advertising, so the cost of their product is cheaper, which helps to keep the cost to me the consumer down.

    Further more, if all ads could be better targeted, that would likely lead to less adverts overall, as many marketing schemes currently just go for the blanket approach, hoping to hit their intended audience. E.g. if pizza companies know I don't eat pizza, that would save 30+ leaflets a year being shoved through my door unnecessarily.

    Let's use a more practical example, if I want to buy a new case for my phone, wouldn't it be useful for the website to be able to check what phone I've got and warn me if I've accidentally picked the wrong model case, without me having to manually remember my model number, and then compare it to the probably very long list of supported models?

    Now of course that's a task you and I may find easy, but my pensioner parents certainly don't!

    So I see no problem with this at all, though yes of course as long as we can turn it off... at those times when we *do* want to buy that special frilly dress! :)

    1. Martin an gof Silver badge
      Flame

      Marketers being able to target ads is good for everyone concerned: I see ads for things I'm interested in buying...

      Are you actually admitting that your buying decisions are influenced by adverts? That you are still interested in an advert for a power drill, even though you already own three?(*) You are one of the very few people that would admit to that. Even when people do watch adverts, I know very few people who would choose a particular product (especially if it's different from their "normal" one) simply because they've seen an advert for it. Most people I know couldn't tell you what adverts for which products they saw even just five minutes ago.

      Unless and until I know that I need product type x I do not want to see any adverts for product type x, from any manufacturer of said product. If there are such adverts on a website I usually don't notice them - I've developed a kind of blind spot - even if they are potentially relevant. For TV, I'll do five minutes of washing-up or feeding the washing machine or putting the kettle on and making a pot of tea rather than watching adverts.

      When I need product x I will go and do my research and at that point, if a site like Amazon says "people who considered buying x also considered y from a different manufacturer" I'll accept that kind of advert. But not before that point.

      Heck, we're so tired of being bombarded by adverts in general that we rarely watch anything "live" these days, except on a BBC channel.

      Save my bandwidth. Save my sanity. Turn off the adverts. When I want something, I will go looking for it.

      </rant>

      M.

      (*)Most half-serious DIY-ers that I know own two or three drills; a battery one for 90% of the jobs, a mains one when the battery one won't cope and probably an SDS for the really tough stuff, or a pillar drill if they're that kind of person. I don't want to see adverts for drills until one of the above needs replacing and probably not even then; I'll look through the Screwfix catalogue, check out some details online and pop down to the local counter.

      1. Anonymous Coward
        Anonymous Coward

        " I'll look through the Screwfix catalogue,"

        Interesting that Screwfix is your default choice for DIY hardware, they aren't that cheap but they do a lot of advertising ;-)

      2. pop_corn

        I appreciate what you're saying Martin. Yes we'd all like less / no adverts, but the reality is that's not going to happen, so the least I can hope for is that they are made more relevant to my needs and wants.

        And yes, though most people don't like to admit it, we are influenced by ads, that's an undeniable fact.

        I used the example of drills just cos it was an easy stereotype. Here's a better example perhaps: last week I bought a card game (Hero Realms if you're interested, it's excellent), so if this week I were to see adverts for card sleeves perhaps, that would be a relevant crossover product. Or ads for the expansion card packs, they would be a relevant up sell advert.

        That's got to be better then getting bombarded with random ads, surely?

    2. David Nash

      @pop_corn

      I agree with the reply from @Martin an gof but also you mentioned being able to turn it off. That is something most people won't know how to do.

    3. Doctor Syntax Silver badge

      "As a middle aged, balding, pot bellied man, I don't want to see adverts for Barbie dolls or frilly dresses, I want to see adverts for powertools, beer and gadgets."

      Frankly, unless I'm specifically looking for something I don't want to see adverts for any of them. If I need something I'll conduct a search. When I've done that I'll try to avoid any vendor who's managed to piss me off by slinging ads at me in the past.

      1. Anonymous Coward
        Anonymous Coward

        Ironically, without advertising most of the sites left on the web would be trying to sell you something.

  23. Patrician

    All Bluetooth devices in my house are off unless, for some reason, I'm using it. But as I have enabled and used Bluetooth less times in the last five years than I have fingers on one hand and then only for a few minutes each time, I don't see it's an issue really.

    Just don't leave Bluetooth enabled on devices unless you need to use Bluetooth surely? Chrome can't detect devices where they're disabled so a scan of my house would reveal no Bluetooth devices at all.

  24. bazza Silver badge

    Er, Hang On...

    Isn't this kind of thing just adding stuff to Javascript that makes it less "safe"?

    After all we don't like Java plug-ins because they allow websites to do things like this.

  25. Jason Bloomberg Silver badge

    The sky is falling

    you can also find out what phone/s are in the house, whether they're using Philips or Osram smart lights, their TV and so on

    For all the good that will do them. At best they'll be able to target ads a bit better, set some flags for me in their database, but I am struggling to see how it would actually and profoundly impact my privacy.

    Even if they discovered a cache of Bluetooth-enabled sex toys I can't see how they'd use that against me or that they would.

    I know, I know; if some fascist regime comes to power and seeks to round up everyone with a Nexus phone or who uses Colgate toothpaste I'll have to eat my words. In the meantime I'm pretty satisfied that all they'd be collecting is data which is of no real use to man nor beast, and that some people have a concept of 'privacy' and 'personal data' that goes well beyond the sensible.

    1. Anonymous Coward
      Anonymous Coward

      Re: The sky is falling

      Well, I would guess that if they knew you used the "Low-Cost Insecure" Lightbulb and they know you are on IP 100.200.100.200 then they can set a worm to inject a malicious script into a poosly secured interface or wait until the default 1:00am software update it performs to inject a new firmware etc.

      Custom attacks based upon your hardware.

  26. ChodaBoy

    Did anyone else notice...

    Did anyone else notice that the books in the background of the video were arranged by color?

    (Publisher, maybe?)

  27. matt

    "you have to explicitly grant the remote web app access to your Bluetooth gadgets before anything happens".... This is like complaining "Firefox (and every single other browser) sucks because they can spy on you with the webcam and getUserMedia api"... if you click the link allowing it. The big difference between this and the battery API issue was the fact that the battery API did not prompt for access.

    1. diodesign (Written by Reg staff) Silver badge

      Re: matt

      Matt, we hate the fact that web browsers can access webcams, too. Fuck that noise.

      C.

      1. suth_a

        Re: matt

        they can only do this with the users permission

  28. fredesmite

    We need cyber security

    for protection from Google

  29. Delbert Grady

    Optional

    or just dont install it. scrutinise everything you own between the keyboard and the fibre/wire leaving your house.

  30. This post has been deleted by its author

  31. Anonymous Coward
    FAIL

    Luddites

    I really don't think this is as big a deal as this clickbait implies.

    Frankly you would have to be mental to worry about a website being able to read your laptops battery level or nearby Bluetooth device IDs, given all the real bad stuff going on in the world right now.

  32. suth_a

    Fearmongering

    A classic example of a journalist writing about something they don't understand. First read Google's post on the subject where they explain that for public websites this will only be possible on sites with HTTPS:

    "We care deeply about security, so you will notice that new Web capabilities require HTTPS. The Web Bluetooth API is no different"

    https://developers.google.com/web/updates/2015/07/interact-with-ble-devices-on-the-web

    On top of this a user gesture is required, i.e. the user has to give permission.

    With regards to Mozilla's view on the API, they haven't given one, the warning you reference is their default warning for every browser feature that they don't support, see zoom for example:

    https://developer.mozilla.org/en-US/docs/Web/CSS/zoom

  33. HAL-9000
    Pint

    Fscking hell yeah !!

    Where do I sign up for some of that?

    Brought to you by the refreshing, flavour of Kool aid

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like