Google workers sidestepping controversial Chrome tool sparks security worries

"I'm deeply concerned," a Google security engineer says.

Richard Nieva Former senior reporter
Richard Nieva was a senior reporter for CNET News, focusing on Google and Yahoo. He previously worked for PandoDaily and Fortune Magazine, and his writing has appeared in The New York Times, on CNNMoney.com and on CJR.org.
Richard Nieva
3 min read

Google workers are upset about a controversial new Chrome browser extension.

Stephen Shankland/CNET

Google is facing a backlash over an internal tool for the company's Chrome browser that some employees worry is intended for spying on workers organizing protests and discussing workplace issues. To get around using the tool, some employees have turned to third-party browsers. That's prompted at least one security engineer at Google to voice concern over the possible vulnerabilities that using outside software could bring.

The tool is a software extension for Google's Chrome browser, which is installed on all employee computers. It's designed to activate when workers create calendar events that include more than 100 people or use more than 10 rooms. Google said the tool is a pop-up reminder that asks people to "be mindful" before setting up large meetings. But some employees have accused Google management of trying to keep tabs on big gatherings. Google has called those claims "categorically false" and said the purpose of the tool is to cut down on calendar spam.

To avoid the extension, employees are encouraging each other to use browsers other than Chrome, a Google security engineer wrote in an internal forum, screenshots of which were reviewed by CNET. Those browsers include Chromium, the open-source browser foundation on which Google Chrome is built, the engineer wrote, adding that people shifting to other browsers "has an impact on overall security of this fleet." 
"I'm deeply concerned about increasing the number of users who aren't receiving browser auto-updates or where we can't ensure that security policies are promptly configured," the engineer continued. That person also wondered if Google could consider rolling back the project "until we have some sort of approach for dealing with this problem." It's unclear how many people have switched browsers. 

The discussion comes as tensions rise between Google's management and employees who've organized protests against the company. Workers have spoken out against a Google artificial intelligence contract with the Pentagon, the company's work in China and Google's treatment of temporary workers, vendors and contractors. The demonstrations reached a crescendo last November, when 20,000 Google workers walked out of offices worldwide to protest the company's handling of sexual assault claims leveled against Android creator Andy Rubin and other senior executives. 

When reached for comment, Google pushed back against the idea that employees switching browsers posed a security risk. The company said employees use a variety of browsers, and the security of its systems isn't pinned on using Chrome. Google also said the extension itself doesn't create any security issues. The company also reiterated that the purpose of the extension is to prevent unnecessary messages on its systems.

"These claims about the operation and purpose of this extension are categorically false," the statement, originally issued on Oct. 23, said. "This is a pop-up reminder that asks people to be mindful before auto-adding a meeting to the calendars of large numbers of employees."

The search giant has in the last few months tried to rein in workplace discussions. In August, it unveiled new community guidelines for its internal forums that discourage political debates. And earlier this month, Google reportedly attempted to cancel an employee meeting in Zurich to discuss unionization, though the workers held the meeting anyway. Critics of the clampdowns argue that the tighter stance goes against the famously open and freewheeling culture established by Google co-founders Larry Page and Sergey Brin .

Google CEO Sundar Pichai has acknowledged there are trust issues between management and rank-and-file employees, as well as concerns over the Chrome extension, which was introduced this month. He addressed questions about the tool at the company's weekly all-hands meeting last week, according to a report by The Washington Post. "How do you have a working process and how do you do it at scale with 120,000 people?" Pichai reportedly said. "These are good questions. I think we need to think through and come to better answers."

Google engineers apparently anticipated the blowback they'd receive from releasing the tool. One person wrote on an internal message board that a strong reaction and sarcastic memes were expected. One meme referenced the "dark arts" from Harry Potter, according to Bloomberg.

The Google employees concerned about the extension found the apprehension from the security engineer to be a good sign. 

"That's really encouraging," one employee wrote on an internal message board. That person said switching to Mozilla's rival browser could help to prove a point. "'Use Firefox' is actually an effective means of protest."