Infrequently Noted

Alex Russell on browsers, standards, and the process of progress.

Comments for Beta!


I appreciate your concern about privacy, not least of all because I implemented many of the privacy features in GCF. Hopefully when you look closer you'll see that what we're doing is designed with your concerns in mind.

GCF doesn't undermine privacy protection in the slightest. In fact, one of the biggest changes between Dev and Beta was our addition of increased privacy controls. For instance, when you clear your cache in IE, GCF's cache is cleared. When you remove browsing history, GCF respects that, and when you use InPrivate mode, GCF respects that too. We've worked very, very hard to ensure that GCF is among the best behaved plugins you can install as a user. As I said in the post, our goal is for things to Just Work -- and that includes ensuring that user's intent with regards to privacy is always respected.

Further, GCF is Open Source. With last week's release of the RLZ component of Chrome (which doesn't get used in GCF since we don't surface a search box), all of the Chrome codebase is available for you to peruse and come to your own conclusions about.

So just to sum up: GCF is among the very best plugins in terms of respecting user privacy, it integrates completely with browser-provided privacy controls, and we're doing all of our work in the open. I encourage you to join our mailing list if you've got further questions about GCF's privacy features:

We want your direct feedback and are happy to answer questions.


by alex at
Thank you for your detailed explanation.

Does that mean that GCF's only concern is rendering a website and does not interact with Google servers at all?

If so, why doesnt Google install it, e.g. during installation of Google Chrome or the Google Toolbar for IE? Would that be too evil?

by Sakuraba at
As much as I would love to do exactly what you describe, how can I force my users to use a browser plugin that could undermine their needs in protection of privacy.

We need something like GCF, but built by Mozilla, so we can be sure that we dont enforce a loss of privacy on our users.

by Sakuraba at
Hi Sakuraba,

GCF's sole job is to render websites, but it turns out that the web is complex and worse, dangerous. GCF uses the built-in malware protection mechanisms from Chrome. That means that GCF downloads a list of hashes of known-bad URLs from Google on a regular basis. If you visit a page that matches a hash in that list, then the exact hash may be sent to Google for a final "is this really bad?" decision. The reason we can't turn this off in GCF is that it would be terrible if attackers could bypass malware checking in a browser by sending the GCF header. The protocol for this is open:

This is the same system that Mozilla uses and a similar mechanism is implemented in IE8. Odds are if you're using an even remotely modern browser, it's already doing this in some form, perhaps in the exact same way.

Similarly, GCF will check for updated versions of itself. That necessarily means sending a request to Google.

If and only if you chose to opt-in to crash reporting and usage analysis (that checkbox in the EULA page in the GCF install flow), GCF will use the histogram service to send anonymous usage information back to Google to help improve the product. Again, this is not enabled by default.

Since GCF doesn't have any interaction with the toolbar in the host browser, concerns that some have about Chrome's OmniBox implementation (which can be easily disabled) are moot for GCF.

As for distribution, there are principles that every Google product is responsible to:

They don't preclude bundling, but they do impose good and strong constraints on how it would have to be done.

Does that answer your question?

by alex at
wow, you are a class act. I cant thank you enough for answering my question in such an informative way.

I guess the fears that I posted here are general misconceptions that people have about GCF. Maybe you guys should emphasize those points a little more when pitching GCF.

Another thing is the installation procedure. I guess a lot of users are scared when they get redirected to another page that tells them to install something. If I would redo that, I would design it like the installation of FlashPlayer, which is less intrusive in my mind.

by Sakuraba at