This document describes the features in Chrome that communicate with Google, as well as with third-party services (for example, if you've changed your default search engine). This document also describes the controls available to you regarding how your data is used by Chrome. Here we’re focusing on the desktop version of Chrome; we touch only tangentially on Chrome OS and Chrome for Mobile. This document does not cover features that are still under development, such as features in the beta, dev and canary channel and active field trials, or Android apps on ChromeOS if Play Apps are enabled.
If you have questions about Google Chrome and Privacy that this document doesn’t answer, please contact the privacy team at email@example.com. We’d be happy to hear from you.
Google Chrome uses a combined web address and search bar (we call it the “omnibox”) at the top of the browser window.
As you use the omnibox, your default search engine can suggest addresses and search queries that may be of interest to you. These suggestions make navigation and searching faster and easier, and are turned on by default. They can be turned off by unchecking "Use a prediction service to help complete searches and URLs typed in the address bar or the app launcher search box" in the “Privacy” section of Chrome's settings.
In order to provide these suggestions, Chrome sends the text you've typed into the omnibox, along with a general categorization (e.g., "URL", "search query", or "unknown"), to your default search engine. Your IP address and certain cookies are also sent to your default search engine with the request, in order to return the results that are most relevant to you. If Chrome determines that your typing may contain sensitive information, such as authentication credentials, local file names, or URL data that is normally encrypted, it will not send the typed text.
If you've chosen to sync your Chrome history, and if Google is your default search engine, Chrome may present suggestions as soon as you place the cursor in the omnibox, before you start typing. To do this, Chrome sends the URL of the page you're viewing to Google. URLs are sent only for HTTP pages and Google HTTPS pages.
If Google is your default search engine, logs of these suggestion requests are retained for two weeks, after which 2% of the log data is randomly selected, anonymized, and retained in order to improve the suggestion feature. URLs are not included in this 2% sample.
If you select one of the omnibox suggestions, Chrome sends your original search query, the suggestion you selected, and the position of the suggestion back to Google. This information helps improve the quality of the suggestion feature, and it's logged and anonymized in the same manner as Google web searches.
Additionally, when you use the omnibox to search for a single word, Chrome may send this word to your DNS server to see whether it corresponds to a host on your network, and may try to connect to the corresponding host. This gives you the option to navigate to that host instead of searching. For example, if your router goes by the hostname “router”, and you type “router” in the omnibox, you’re given the option to navigate to http://router/, as well as to search for the word “router” with your default search provider. This feature is not controlled by the "Use a prediction service to help complete searches and URLs..." option because it does not involve sending data to your default search engine.
Chrome uses a prediction service to load pages more quickly. The prediction service uses navigation history and local heuristics to predict which resources and pages are likely to be needed next, and it initiates actions such as DNS prefetching, TCP and TLS preconnection, and prerendering of web pages. To turn off network predictions, uncheck “Use a prediction service to load pages more quickly” in the “Privacy” section of Chrome’s settings.
If you have chosen to sync your Chrome history, your history can be used to improve predictions. When synced history is used, the URL of the current page is sent to Google, as well as the URLs of the pages Chrome predicts you'll visit next.
To improve load times, sites and Android apps can also request the browser to preload links that sites or apps think you might click next to help the page load faster. Preloading requests from Android apps are controlled by the same setting as Chrome-initiated predictions. But preloading requests from sites are always performed, regardless of whether Chrome’s network prediction feature is enabled.
If prerendering is requested, whether by Chrome or by a site or app, the preloaded site is allowed to set and read its own cookies just as if you had visited it (even if you don’t end up visiting the prerendered page). Website-initiated preloading is disabled if you disallow third party cookies, to prevent cookies from being set from pages that you did not visit.
Google search locale
If Google is set as your default search engine, Chrome will try to determine the most appropriate locale for Google search queries conducted from the omnibox in order to give you relevant search results based on your location. For example, if you were in Germany, your omnibox searches may go through google.de instead of google.com.
In order to do this, Chrome will send a request to google.com each time you start the browser. If you already have any cookies from the google.com domain, this request will also include these cookies, and is logged as any normal HTTPS request to google.com would be (see the description of “server logs” in the privacy key terms for details). If you do not have any cookies from google.com, this request will not create any.
New Tab page
The Chrome New Tab page may display suggestions for websites that you might want to visit.
In order to help you get started, Chrome may suggest content that is popular in your country or region. Chrome uses your IP address to identify your country or region.
Chrome tries to make personalized suggestions that are useful to you. For this, Chrome uses the sites you have visited from your local browsing history.
If you are signed into Chrome, suggestions are also based on data stored in your Google account activity. You can control the collection of data in your Google account at Activity controls and manage your account activity at My Activity. For example, if you sync your browsing history and have enabled its use in your Web & App activity, Google may suggest sites that relate to sites you have visited in the past. Chrome measures the quality of suggestions by sending Google information about the sets of suggestions that were displayed, and those that were selected.
For desktop versions of Chrome, when you open a new tab, Chrome loads a New Tab page from your default search engine (e.g., google.com). This page is preloaded in the background and refreshed periodically so that it opens quickly. Your IP address and cookies, as well as your current browser theme, are sent to your search engine with each refresh request so that the New Tab page can be correctly displayed. See the embedded search API for more details.
The New Tab page content may be designed by your default search provider. Suggested websites are embedded by Chrome into the New Tab page in a way that does not expose them to your default search provider.
This information about the New Tab page may not apply if you've installed an extension that overrides the New Tab page.
Touch to Search
If you've enabled "Touch to Search" on Chrome Mobile you can search for terms by tapping them.
When you tap a word, the word and the surrounding text are sent to Google to identify recommended search terms (for example, tapping on "Michael" on a site about Michael Jackson might lead to a suggested search for "Michael Jackson"). The tapped word is logged in accordance with standard Google logging policies, and the surrounding text is logged only when the page is already in Google's index. If you sync your browsing history, the URL of the page is also sent and logged, and is used to improve your query suggestions.
When Google returns a search suggestion, a card "peeks through" at the bottom of the screen, showing the suggested search term. Opening this card is considered a regular search and navigation on Google, so standard logging policies apply.
Long-pressing on a word opens a peeking card with the selected word. No communication with Google occurs until the card is opened, and no surrounding text is sent. Saying “Ok Google” after long-pressing on a word provides the word and its surrounding text as context for the voice search.
Touch to Search is enabled in a limited mode by default: potentially privacy-sensitive data, such as the URL and surrounding text, is not sent for HTTPS pages. Touch to Search can be fully enabled and disabled in the card or in the Chrome privacy settings.
Safe Browsing protection
Google Chrome includes an optional feature called "Safe Browsing" to help protect you against phishing, social engineering, malware, unwanted software, and abusive websites or extensions. This protection helps prevent attackers from tricking you (social engineering) into sharing personal information with them (phishing) or installing malicious software on your computer (malware). Safe Browsing also helps protect you from websites and extensions that abuse browser functionality in order to steal your data, corrupt your browser environment, or spam you with unwanted interactions. Safe Browsing is designed specifically to protect your privacy and is also used by other popular browsers.
Safe Browsing is able to protect users by collecting anonymous metrics to establish a baseline for determining which websites’ behavior or permissions may be harmful. Data that's specific to you or the websites you visit is randomized, constructed in a manner that ensures differential privacy, permitting only the monitoring of aggregate statistics that apply to thousands of users. (The reports are an instance of Randomized Aggregatable Privacy-Preserving Ordinal Responses, or RAPPOR; for technical details, see this technical report.) In particular, this means Google cannot use the reports to determine which websites you've visited. This data is used only to improve Safe Browsing protection. Baseline data that is collected without using RAPPOR is described below.
When Safe Browsing is enabled in Chrome, Chrome contacts Google's servers periodically to download the most recent Safe Browsing list of unsafe sites, including phishing, social engineering, and malware sites, as well as sites that lead to unwanted software. The most recent copy of this list is stored locally on your system. Chrome checks the URL of each site you visit or file you download against this local list. If you navigate to a URL that appears on the list, Chrome sends a partial URL fingerprint (the first 32 bits of a SHA-256 hash of the URL) to Google for verification that the URL is indeed dangerous. Chrome also sends a partial URL fingerprint when a site requests a potentially dangerous permission, so that Google can protect you if the site is malicious. Google cannot determine the actual URL from this information.
In addition to the URL check described above, Chrome also conducts client-side checks. If a website looks suspicious, Chrome sends a subset of likely phishing and social engineering terms found on the page to Google, in order to determine whether the website should be considered malicious.
If you encounter a website that is on Chrome’s Safe Browsing list, you will see a warning like the one shown below. From there, you can choose to opt in to reporting data relevant to security to help improve Safe Browsing and security on the Internet. If you opt in, an incident report will be sent every time you receive a warning or visit a suspicious page. Chrome is currently transitioning this opt-in to change the reporting functionality. If your checkbox reads “Automatically send some system information and page content to Google to help detect dangerous apps and sites” then you are part of the new group of users. This setting differs from the old “report security incidents to Google” in that security reports will also be sent on a very small sample of other sites to help Safe Browsing learn about new threats you may be encountering. This new setting will be unchecked by default even if you opted in to the older setting. The reports are sent to Google over an encrypted channel and can include URLs, headers, and snippets of content from the page and they never include data from browsing you do in Incognito mode. In cases where Chrome discovers unwanted or malicious software on your machine, the reports may also include details about malicious files and registry entries. This data is used only to improve Safe Browsing and to improve security on the Internet. For example, Chrome reports some SSL certificate chains to Google to help improve the accuracy of Chrome’s SSL warnings.
You can visit our malware warning test page or social engineering warning test page to see the above example in action. For more information about the warning pages, see Manage warnings about unsafe sites. You can find settings for Safe Browsing and the additional reports in the Privacy section of Chrome settings. Please be aware that if you disable this feature, Chrome will no longer be able to protect you from websites that try to steal your information or install harmful software. We don't recommend turning it off.
Safe Browsing also protects you from downloading malicious software. If you attempt to download a file on Chrome’s Safe Browsing list, you'll see a warning like this one:
To warn you about potentially dangerous files, Chrome checks the URL of potentially dangerous file types you download against a whitelist of known-good URLs maintained locally on your computer and updated regularly. Chrome trusts potentially dangerous file types that match URLs in the whitelist, and it also trusts files signed by a trusted authority. Other potentially dangerous file types are presumed unsafe; for these, Chrome sends Google the information needed to help determine whether the download is harmful, including some or all of the following: information about the full URL of the site or file download, all related referrers and redirects, code signing certificates, file hashes, and file header information. Chrome may then show a warning like the one pictured above.
If Chrome suspects that your settings have been tampered with, Chrome reports the URL of the last downloaded potentially dangerous file, and information about the nature of the possible tampering, to the Safe Browsing service.
For some downloads, Chrome may ask you to opt in to reporting to Google Safe Browsing some data relevant to security, in order to improve the quality of download protection. Once you've opted in, downloaded files that are suspicious will be sent to Google for investigation each time they are encountered. You can change this opt-in setting at any time in the Chrome settings.
Chrome asks your permission before using certain web features (APIs) that might have associated risks. To improve the safety and utility of Chrome permissions, Chrome may anonymously report the domains on which you grant, reject and revoke permissions or ignore or dismiss permission prompts. This happens only if you are a Safe Browsing user and have activated syncing your browsing history and settings with Google without a custom passphrase.
For all Safe Browsing requests and reports, Google logs the transferred data in its raw form for up to two weeks. Google collects standard log information for Safe Browsing requests, including an IP address and one or more cookies. After at most two weeks, Safe Browsing deletes the raw logs, storing only calculated data in an anonymized form that does not include your IP addresses or cookies. Additionally, Safe Browsing requests won’t be associated with your Google Account. They are, however, tied to the other Safe Browsing requests made from the same device.
Unwanted software protection
Navigation error tips
Google Chrome can show tips to help guide you to the page you were trying to reach in cases where the web address cannot be found, a connection cannot be made, the server returns a very short (under 512 byte) error message, or you've navigated to a parked domain.
Google Chrome will first check the address against a locally-stored list of suspected parked domains. If there is a match, Chrome sends a partial fingerprint (a hash prefix) of the URL to Google for verification that the domain is indeed parked. This uses the same methodology as the Safe Browsing service (see the “Safe Browsing protection” section, above).
In the case of other navigation errors, the URL of the web page you're trying to reach is stripped of all GET parameters, and then sent to Google in order to retrieve navigation tips. This information is logged and anonymized in the same manner as Google web searches. The logs are used to ensure and improve the quality of the feature.
Additionally, to provide you with more informative error messages when a domain name cannot be found, Chrome will investigate the underlying cause by attempting to resolve “google.com” using both Google Public DNS and the default DNS service configured for your system.
In the event that Chrome detects SSL connection timeouts, certificate errors, or other network issues that might be caused by a captive portal (a hotel's WiFi network, for instance), Chrome will make a cookieless request to http://www.gstatic.com/generate_204 and check the response code. If that request is redirected, Chrome will open the redirect target in a new tab on the assumption that it's a login page. Requests to the captive portal detection page are not logged.
You can disable navigation error tips by unchecking the box in the "Privacy" section of Google Chrome's options.
Google Chrome and the Google Chrome Apps Launcher use Google Update to keep you up to date with the latest and most secure versions of software. In order to provide greater transparency and to make the technology available to other applications, the Google Update technology is open source.
Google Update requests include information that help us understand how many people are using Google Chrome and the Chrome Apps Launcher, specifically, whether the software was used in the last day, the number of days since the last time it was used, the total number of days that it has been installed, and the number of active profiles. Google Update also periodically sends a non-unique four-letter tag to Google which contains information about how you obtained Google Chrome. This tag is not personally identifiable, does not encode any information about when you obtained Google Chrome, and is shared with everyone who obtained Google Chrome the same way.
Since Chrome OS updates the entire OS stack, Google Update on that platform will additionally send the current Chrome OS version and hardware model information in order to ensure that the correct software updates and hardware manufacturer customizations such as apps, wallpaper, and help articles are delivered. This information is not personally identifiable, and is common to all users of Chrome OS on the same revision of device. For desktop versions of Chrome, limited and not personally identifiable information about your hardware is sent to Google to provide the correct updates.
A similar system is in place to keep extensions and applications that you’ve installed up to date. These requests include similar information (the application ID, when the application was last used, and how long it’s been installed). We use these update requests to determine the aggregate popularity and usage of applications and extensions. If you are using an extension or application restricted to a certain audience, authentication tokens will be sent with update requests for these add-ons. For security reasons, Chrome will occasionally send a cookieless request to the Chrome Web Store to verify that installed extensions and applications that claim to be from the store are genuine.
In order to keep updates as small as possible, Google Chrome is internally split into a variety of components, each of which is independently updateable. Each component is uniquely identified via an ID that is shared among all Google Chrome installations (for example “fmeadaodfnidclnjhlkdgjkolmhmfofk”). Update requests for component updates contain these IDs, the hash of the previous download (called a "fingerprint"), and the components’ versions. As every installation has the same ID, and downloads of the same component have the same fingerprint, none of this information is personally identifiable.
Chrome may download and execute a binary executable, for example as part of the software update or to improve Safe Browsing protection. Any such executable will be cryptographically signed and verified before execution. Chrome may download further static resources like dictionaries on demand to reduce the size of the installer.
Chrome’s recovery component tries to repair Google Update in case it is broken. After the binary was executed, Google Update uploads the statistics on which actions were performed. The statistics contain no personal identifiable information.
Chrome needs to know the time in order to verify SSL certificates, which are valid only for a specified time. At random intervals or when Chrome encounters an expired SSL certificate, Chrome may send requests to Google to obtain the time from a trusted source. These requests are more frequent if Chrome believes the system clock is inaccurate. These requests contain no cookies and are not logged on the server.
In order to measure the success rate of Google Chrome downloads and installations of the Windows version of Google Chrome, a randomly-generated token is included with Google Chrome's installer. This token is sent to Google during the installation process to confirm the success of that particular installation. A new token is generated for every install. It is not associated with any personal information, and is deleted once Google Chrome runs and checks for updates the first time.
For Chrome to know how many active installations it has, the mobile version of Chrome sends a ping to Google with a salted hash of a device identifier on an ongoing basis. The desktop version of Chrome does not send any stable identifier to count active installations. Instead an anonymous message to Google with a timestamp of the last ping is used to infer number of active installations.
Measuring effectiveness of a promotion
Chrome utilizes two measurements to understand how effective a promotional campaign has been: how many Chrome installations are acquired through a promotional campaign, and how much Chrome usage and traffic to Google is driven by a campaign.
To measure installations or reactivations of Chrome through a campaign, Chrome will send a token or an identifier unique to your device to Google at the first launch of Chrome, as well as the first search using Google. On desktop versions of Chrome, a token unique to your device is generated. The same token will be sent if Chrome is later reinstalled at first launch and at first use of the Omnibox after reinstallation or reactivation. Rather than storing the token on the computer, it is generated when necessary by using built-in system information that is scrambled in an irreversible manner. On iOS, Chrome uses the IDFA for counting installations acquired by a campaign, and it can be reset in iOS settings.
To measure searches and Chrome usage driven by a particular campaign, Chrome inserts a promotional tag, not unique to you or your device, in the searches you perform on Google. This non-unique tag contains information about how Chrome was obtained, the week when Chrome was installed, and the week when the first search was performed. For desktop versions of Chrome, Chrome generates a promotional tag, if the promotional installation token described in the previous paragraph indicates that Chrome has been installed or reactivated by a campaign on a device which has not been associated with any campaign yet. For Chrome on Mobile, a promotional tag is always sent regardless of the source of installations.
The promotional tag is generated using a software library called "RLZ" and looks similar to “1T4ADBR_enUS236US239”. The RLZ library was fully open-sourced in June 2010. For more information, please see the In the Open, for RLZ post on the Chromium blog and the article “How To Read An RLZ String”. On Android, this promotional tag can also be a readable string like "android-hms-tmobile-us" instead of an RLZ string, and is not unique to either you or your device.
This non-unique promotional tag is included when performing searches via Google (the tag appears as a parameter beginning with "rlz=" when triggered from the Omnibox, or as an “x-rlz-string” HTTP header). We use this information to measure the searches and Chrome usage driven by a particular promotion.
If usage statistics and crash reports are enabled, the RLZ string is sent along with the report. This allows us to improve Chrome based on variations that are limited to specific geographic regions.
For the desktop version of Chrome, you can opt-out of sending this data to Google by uninstalling Chrome, and installing a version downloaded directly from www.google.com/chrome. To opt-out of sending the RLZ string in Chrome OS, press Ctrl + Alt + T to open the crosh shell, type rlz disable followed by the enter key, and then reboot your device.
Usage statistics and crash reports
Chrome has a feature to automatically send usage statistics and crash reports to Google in order to help improve Chrome’s feature set and stability.
Usage statistics contain aggregated information such as preferences, user interface feature usage, responsiveness, and memory usage. This feature is enabled by default for Chrome installations of version 54 or later. You can enable or disable the feature in the "Privacy" section of Google Chrome's settings. These statistics do not include any personal information. Crash reports contain system information gathered at the time of the crash, and may contain web page URLs or personal information depending on what was happening at the time of the crash.
If this feature is enabled, Google Chrome stores a randomly generated unique token on your device, which is sent to Google along with your usage statistics and crash reports. The token does not contain any personal information and is used to de-duplicate reports and maintain accuracy in statistics. Chrome will also anonymously report to Google if requests to websites operated by Google fail or succeed in order to detect and fix problems quickly.
If usage statistics and crash reports are enabled, Chrome will also report anonymous, randomized data that is constructed in a manner which is not linked to the unique token, and which ensures that no information can be inferred about any particular user's activity. This data collection mechanism is summarized on the Google research blog, and full technical details have been published in a technical report and presented at the 2014 ACM Computer and Communications Security conference.
Suggestions for spelling errors
Google Chrome can provide smarter spell-checking by sending text you type into the browser to Google's servers, allowing you to use the same spell-checking technology used by Google products, such as Docs. If the feature is enabled, Chrome will send the entire contents of text fields as you type in them to Google along with the browser’s default language. Google returns a list of suggested spellings, which will be displayed in the context menu. Cookies are not sent along with these requests. Requests are logged temporarily and anonymously for debugging and quality improvement purposes.
This feature is disabled by default, and can be enabled via the “Ask Google for suggestions” context menu that appears after right-clicking on misspelled words. When disabled, spelling suggestions are generated locally without sending data to Google's servers.
Google Chrome’s built-in translation feature helps you read more of the Web, regardless of the language of the web page. The feature is enabled by default.
Automatic translation can be disabled at any time in Chrome’s settings in the “Languages” section.
Language detection is done entirely using a client-side library, and does not involve any Google servers. For translation, the contents of a web page are only sent to Google if you explicitly decide to translate it by clicking “Translate” on the bar, or if you’ve previously chosen “Always translate” for a given language via the translate bar Options menu.
Sign In to Chrome
Google Chrome provides the option to sign in with your Google Account and synchronize your Chrome data across multiple devices. Synced data can include bookmarks, saved passwords, open tabs, browsing history, extensions and other settings. In Advanced sync settings, you can choose which types of data to synchronize with this device. By default, all syncable data types are enabled.
You can sign in to Chrome or disconnect your Google Account from Chrome at any time using the “Sign in” section of Chrome’s settings. Signing in to Chrome or Chrome OS will automatically sign you in to the associated Google Account. If you are using a managed device, your system admin may disable the sign in feature or require that data be deleted when you disconnect your account.
Google uses your personal synchronized data to provide you a consistent browsing experience across your devices, and to customize features in Chrome. You can manage your synchronized history by going to chrome://history in your Chrome browser. If “Include history from Chrome and other apps in your Web & App Activity” is checked on the Web & App Activity controls page, Google also uses your synchronized browsing data to provide personalized Google products and services to you. You can change your preference any time, and manage individual activities associated with your Google account.
The paragraph above describes the use of your personal browsing history. Google also uses aggregated and anonymized synchronized browsing data to improve other Google products and services. For example, we use this information to improve Google Search by helping to detect mobile friendly pages, pages which have stopped serving content, and downloads of malware.
If you would like to use Google's cloud to store and sync your Chrome data without allowing any personalized and aggregated use by Google as described in the previous paragraphs, you can choose to encrypt all of your synced data with a sync passphrase. If you choose this option, it’s important to note that Google won’t have access to the sync passphrase you set; we won’t be able to help you recover data if you forget the passphrase. Regardless of how you choose to encrypt your data, all data is always sent over secure SSL connections to Google’s servers.
If you're signed in to Chrome and are syncing passwords and/or other types of login credentials without a sync passphrase, these credentials are stored in your Google Account. Chrome may help you sign in with credentials you've saved in Android apps on websites that are associated with the respective apps. Likewise, credentials you've saved for websites can be used to help you sign in to related Android apps. You can view the credentials you've saved in Chrome and Android by visiting passwords.google.com in any browser. If you've saved credentials for Android applications, Chrome periodically sends a cookieless request to Google to get an updated list of websites that are associated with those applications. To stop websites and Android apps from automatically signing in using credentials you previously saved, you can turn off Auto Sign-In on passwords.google.com or in Chrome settings under "Manage passwords". For more details see this article.
Google Chrome has a form autofill feature that helps you fill out forms on the web more quickly. Autofill is enabled by default, but it can be turned off at any time in Chrome’s settings.
If Autofill is enabled and you encounter a web page containing a form, Chrome sends some information about that form to Google. This information includes a hash of the web page’s hostname, as well as form identifiers (such as field names), the basic structure of the form, and Chrome’s guess at each field’s data type (for example, “field X looks like a phone number, and field Y looks like a country”). This information helps Chrome match up your locally stored Autofill data with the contents of the form, and it also helps to improve the quality of form-filling over time.
If Autofill is enabled when you submit a form, Chrome sends the data types you actually used in the form. This information helps Chrome improve its guesses over time. The actual text you typed into the form is not sent to Google.
You can manage your Autofill entries via Chrome’s settings, and you can edit or delete saved information at any time. Chrome will never store credit card information without explicit confirmation. If you scan your credit card using a phone camera, the recognition is performed locally.
Chrome may help you sign in to websites with credentials you've saved to Chrome's password manager or Google Smart Lock by autofilling sign-in forms, by offering you an account picker, or by automatically signing you in. You can manage and delete your saved credentials in the “Forms and passwords” section of Chrome’s settings.
Also, if you choose, you can bring your Autofill data with you to all your Chrome-enabled devices by syncing it as part of your browser settings (see the “Sign In to Chrome” section of this document). If you choose to sync Autofill information, field values are sent as described in “Sign In to Chrome”; otherwise, field values are not sent.
If you are signed in, Chrome will offer to save your credit cards and related billing addresses to Google Payments. Integration with Google Payments can be disabled via Chrome’s Advanced sync settings. If you choose not to sync credit cards with Google Payments, credit cards will be saved locally but will not be synced. If you are signed in and integration with Google Payments is enabled, Chrome may offer to autofill forms with credit card data stored in your Google Payments account. Credit card numbers from your Google Payments account will be masked until you provide the correct CVV code. When providing your CVV code for verification, you can choose to store the credit card locally as part of your Chrome Autofill data. If you choose not to store the card locally, you will be prompted for your CVV code each time you use the card. If you use a card from Google Payments, Chrome will collect information about your computer and share it with Google Payments to prevent fraudulent use of your card.
To delete credit card information saved in Chrome, follow the “Add and edit credit cards” steps in the Autofill article. When you delete a credit card that's also saved in your Google Payments account, you will be redirected to the Google Payments to complete the deletion. After your card has been deleted from your Google Payments account, Chrome will automatically remove that card from your Autofill suggestions.
On Android, Chrome supports the PaymentRequest API by allowing you to pay for purchases with credit cards from both Autofill and Android Pay. PaymentRequest allows the merchant to request the following information: full name, shipping address, billing address, phone number, email, credit card number, credit card expiration, CVV, and Android Pay credentials. Information is not shared with the merchant until you agree. New credit cards added using PaymentRequest can be saved to Google Payments.
Google Chrome supports the Geolocation API, which provides access to fine-grained user location information with your consent.
By default, Chrome will request your permission when a web page asks for your location information, and does not send any location information to the web page unless you explicitly consent.
Furthermore, whenever you are on a web page which is using your location information, Chrome will display a location icon on the right side of the omnibox. You can click on this icon in order to find out more information or manage location settings.
In Chrome’s settings, by clicking “Show advanced settings.”, then clicking “Content Settings” and scrolling to the “Location” section, you can choose to allow all sites to receive your location information, have Chrome ask you every time (the default), or block all sites from receiving your location information. You can also configure exceptions for specific web sites.
In Chrome for Android, if Google is set as your default search engine and you have permitted your device to use your geolocation in Android OS's settings, omnibox searches in Chrome for Android will automatically send your location to Google. The same is true for Chrome on iOS if you have permitted Chrome to use geolocation in iOS Settings.
If you do choose to share your location with a web site, Chrome will send local network information to Google (also used by other browsers such as Mozilla Firefox) in order to estimate your location. This local network information can include data about nearby Wi-Fi access points or cellular signal sites/towers (even if you’re not using them), and your computer’s IP address. The requests are logged, and aggregated and anonymized before being used to operate, support, and improve the overall quality of Google Chrome and Google Location Services.
For further reading on the privacy and user interface implications of the Geolocation API (as well as other HTML5 APIs), see ”Practical Privacy Concerns in a Real World Browser” written by two Google Chrome team members.
Speech to text
Chrome supports the Web Speech API, a mechanism for converting speech to text on a web page. It uses Google's servers to perform the conversion. Using the feature sends an audio recording to Google (audio data is not sent directly to the page itself), along with the domain of the website using the API, your default browser language and the language settings of the website. Cookies are not sent along with these requests.
Hands-free Voice Search
This feature is only available on Chrome OS. If you opt-in to the feature, Chrome OS will listen for you to say "Ok Google" and then send the audio of the next thing you say, plus a few seconds before, to Google. Detection of the phrase "Ok Google" is performed locally on your computer, and the audio is only sent to Google after it detects "Ok Google". You can enable or disable this feature in Chrome Settings.
On Chrome OS devices with a local audio processor, enabling this feature in Chrome Settings will cause Chrome to listen whenever the screen is on and unlocked. On these devices, Chrome will also prompt you to enable Voice & Audio Activity for the associated Google account. If this setting is enabled, the audio is stored with your Google account, and you can view and delete this audio in Voice & Audio Activity.
On other Chrome OS devices, when this feature is enabled, Chrome listens for “Ok Google” only when a Google search page, the New Tab page, or the Chrome OS Launcher is in the foreground. In this case, the audio is sent to Google anonymously and logged anonymously.
Once the audio has been converted to text, a search with that text is submitted by Chrome to Google for which standard search logging policies apply.
You can determine your Chrome OS device’s behavior by examining the text in the “Search” section of settings.
Google Cloud Print
The Google Cloud Print feature allows you to print documents from your browser over the Internet. You do not need a direct connection between the machine that executes Chrome and your printer.
If you choose to print a web page via Cloud Print, Chrome will generate a PDF of this website and upload it over an encrypted network connection to Google’s servers. If you choose to print other kinds of documents, they may be uploaded as raw documents to Google’s servers.
A print job will be downloaded by either a Chrome browser (“Connector”) or a Cloud Print capable printer that you selected when printing the website. In some cases the print job must be submitted to a third-party service to print (HP’s ePrint, for example).
The print job is deleted from Google’s servers when any of three criteria is met:
- You delete the print job
- The job has been printed and marked as printed by the printer/connector
- The job has been queued on Google’s servers for 30 days
You can manage your printers and print jobs on the Google Cloud Print website.
SSL certificate reporting
Chrome stores locally a list of expected SSL certificate information for a variety of high-value websites, in an effort to prevent man-in-the-middle attacks. For Google websites and other websites that choose to opt in, Chrome will report a possible attack or misconfiguration. If the certificate provided by the web server doesn’t match the expected signature, Chrome reports information about the SSL certificate chain to Google or to a report collection endpoint of the website's choosing. Chrome sends these reports only for certificate chains that use a public root of trust.
Chrome also allows users to choose to send information that helps Google improve SSL warnings and error pages. You can opt in to this feature by checking the box on any SSL error page. While you are opted in, each time you see an SSL error page, a report will be sent to Google's security team. The report contains the SSL certificate chain, the server's hostname, the local time, and relevant details about the validation error and SSL error page type. Because Chrome sends these reports for all certificate chains, even those that chain to a private root of trust, these chains can contain personally identifiable information. You can opt out anytime by unchecking the box “Automatically report details of possible security incidents to Google” in the Privacy section of Chrome’s advanced settings.
Token Binding IDs do not contain any information about the user, and a different Token Binding ID is created for each secure origin. A Token Binding ID created for one server will be shared with another server only if the original server requests it to be shared. Token Binding IDs are not shared between Chrome profiles, and all Token Binding IDs created during Incognito browsing are destroyed when you exit the Incognito session. Note that Token Bindings are not used for requests that block cookies.
You can determine which Token Binding IDs have been created (and you can remove unwanted IDs) in the Cookies and Site Data dialog (available at chrome://settings/cookies). Token Binding IDs are also subject to removal when "Cookies and Site Data" are cleared via the "Clear Browsing Data" dialog (chrome://settings/clearBrowserData). Token Binding is an evolution of the TLS Channel ID feature.
For more technical details and background information, visit browserauth.net and the work-in-progress IETF draft.
Installed Applications and Extensions
Installing an application or extension from the Chrome Web Store directly or via an inline installation flow on a third-party site involves a request to the Chrome Web Store for details about the application. This request includes cookies, and if you’re logged into Google when you install an application, that installation is recorded as part of your Google account. The store uses this information to recommend applications to you in the future, and in aggregate to evaluate application popularity and usage. As noted above, applications and extensions are updated via Google Update.
Apps and extensions installed in Chrome, as well as websites that you give permission to, may receive push messages from their respective backend servers. The message’s data is sent over a secure channel from the developer through Google’s infrastructure to Chrome on your device, which can wake up applications, extensions, and websites to deliver the message. Google servers handle the messages as plain text, and retain up to 4 weeks of messages in order to ensure delivery to users even if their devices are offline at the time of sending.
If you install an application or extension that uses push messaging or grant the notifications permission to a website, Chrome provides it with a registration ID which can be used to send messages to the entity (app, extension, or website). One or more registration IDs are generated for each entity that uses push messages. Websites you visit in Incognito mode are not currently allowed to send you push messages and therefore cannot get a registration ID.
When you uninstall an application or extension, or clear cookies for a permitted website, its registration ID is revoked and will not be reused even if the same app or extension is re-installed, or the same website is re-visited. Registration IDs used by Chrome components such as Sync are revoked once they are no longer in use, for example when the user disables Sync. When a registration ID is revoked, the associated entity on your device stops receiving messages sent from its developer’s server.
The registration IDs that are passed to entities contain an encrypted device ID, which is used for routing the messages. Google can decrypt the device ID, but other entities cannot, and the encryption is designed such that two registration IDs for the same device ID cannot be correlated. The device ID is reset when the Chrome profile is removed (via Chrome Settings -> People), or when neither Chrome Sync nor any of the entities requires it for push messages. Any messages routed to registration IDs containing the revoked device ID will not be delivered. On Android the lifetime of the device ID is governed by the operating system and is independent of Chrome.
Chrome custom tabs
On Android devices, an app developer may use a Custom Tab to show web content when you click on a URL from their app. A Custom Tab may look different from a regular Chrome tab, for example it may have app-specified visual style, and the absence of an editable URL bar. Despite the different visual style a Custom Tab may have, the data sent and received in the Custom Tab, such as cookies, saved passwords and browsing history function the same way they do in a normal Chrome tab. The Custom Tab is an app-customized view using the same underlying user profile.
With Chrome Custom Tabs, an Android app developer may also specify custom actions in the Chrome toolbar and overflow menu that are relevant to their app, for example,"share", “save page”, “copy URL”. If you tap on such a button, the address of the current website is shared with the application.
An application can request Chrome to pre-render a given URL in the background. This allows Chrome to show you a pre-loaded site instantly when you open it from the app. At the same time it allows an application to set cookies in your browser in the background. To disable pre-rendering, you can uncheck "Prefetch page resources" in the privacy settings.
Continue where you left off
If you have selected the option to “Continue where you left off” in Chrome settings, then when opening Chrome, the browser will attempt to bring you right back to the way things were when the browser was closed. Chrome will reload the tabs you had open, and persist session information to get you up and running as quickly as possible. This has the practical impact of extending the concept of a browsing session across restarts. In this mode, session cookies are no longer deleted when the browser closes, but remain available on restart to keep you logged into your favorite sites.
By default, this feature is enabled for Chrome OS users. Users on all platforms can enable or disable the feature by selecting the “Continue where you left off” setting under “On Startup”.
We want to build features that users want, so a subset of users may get a sneak peek at new functionality being tested before it’s launched to the world at large. A list of field trials that are currently active on your installation of Chrome will be included in all requests sent to Google. This Chrome-Variations header (X-Client-Data) will not contain any personally identifiable information, and will only describe the state of the installation of Chrome itself, including active variations, as well as server-side experiments that may affect the installation.
The variations active for a given installation are determined by a seed number which is randomly selected on first run. If usage statistics and crash reports are disabled, this number is chosen between 0 and 7999 (13 bits of entropy). If you would like to reset your variations seed, run Chrome with the command line flag “--reset-variation-state”. Experiments may be further limited by country (determined by your IP address), operating system, Chrome version and other parameters.
Do Not Track
If you enable the “Do Not Track” preference in Chrome’s settings, Chrome will send a DNT:1 HTTP header with your outgoing HTTP, HTTPS and SPDY browsing traffic (Chrome cannot, however, guarantee that NPAPI plugins also send the header.) The header will not be sent with system traffic such as the geolocation, metrics or device management services.
The effect of Do Not Track depends on whether a website responds to the request, and how the request is interpreted. For example, some websites may respond to this request by showing you ads that aren't based on other websites you've visited. Many websites will still collect and use your browsing data - for example, to improve security; to provide content, services, ads and recommendations on their websites; and to generate reporting statistics.
Chrome on iOS now uses WKWebView to provide a more stable and faster browser. As a result of this move, the Do Not Track preference is no longer available due to iOS constraints. If Apple makes changes to allow this feature, Chrome will make Do Not Track available again in iOS.
Chrome ships with an Adobe Flash Player implementation that is based on the Pepper API. Flash and other Pepper-based plugins may ask you for “Access to your computer”. If you grant this permission, the plugin is granted unsandboxed access. This allows content providers to offer you access to DRM protected content like videos or music but may have security and privacy implications, so consider carefully whether you trust a plugin or website with this privilege.
Some websites encrypt media to protect against unauthorized access and copying. When users play media from these sites, they typically log into the site, which authenticates the user, and then digital rights management negotiates a key exchange for the decryption and playback of the media.
For HTML5 sites, this key exchange is done using the Encrypted Media Extensions API. The implementation of that API is tightly coupled with the browser to protect user privacy and security, through Content Decryption Modules (CDM), which are provided by digital rights management solutions such as Google Widevine or Microsoft PlayReady.
When a user asks Chrome to play encrypted HTML5 media (for example, watching a movie on Google Play Movies), Chrome will generate a request for a license to decrypt that media. This license request contains an automatically generated request ID, which is created by the Content Decryption Module, as well as proof that the CDM is legitimate. After generation, the license request is typically sent to a license server managed by either the content website or Google. Neither the license request, the proof, nor the request ID include any personally identifying information. After being sent, the license request is not stored locally on the user’s device.
As part of the license request, Chrome also generates a unique session ID which does not contain personally identifying information. This session ID is sent to the license server, and when the server returns a license the session ID is used to decrypt the media. The session ID and license may be stored locally even after the site has been closed. Session ID and licenses may be cleared by the user in Chrome using Clear Browsing Data with “Media licenses” enabled.
When returning a license, the site license server may include a client ID, generated by the site. This client ID is unique to the user and the site, it is not shared between sites. If provided, the client ID is included by Chrome in subsequent license requests to that site. The client ID may be cleared by the user in Chrome using Clear Browsing Data with “Media licenses” enabled.
On Chrome OS, the website may additionally request verification that the device is eligible to play HD or other high quality content (known as Verified Access). In this case, Google creates a certificate using a unique hardware identifier for the device. This hardware ID identifies the device, but does not identify the user. Before Chrome sends this hardware ID to Google, the user is prompted asking permission to do so. If the user agrees, Google receives the hardware ID and generates a certificate verifying the device for the requested site. The certificate does not include the hardware ID or any other information that could permanently identify the device. Certificates are stored locally similar to other cached browsing data, and may be cleared by the user in Chrome using Clear Browsing Data with “Media licenses” enabled.
Some sites use Flash instead of HTML5. If a website you visit chooses to use Adobe Flash Access DRM protection, Chrome for Windows and Chrome OS will give Adobe Flash access to a device identifier. You can deny this access in the settings under Content Settings, Protected content, and reset the ID using Clear Browsing Data with “Media licenses” enabled.
In order to give you access to licensed music, the Google Play Music app can retrieve a device identifier that is derived from your hard drive partitions or, on a Chrome OS or Linux installation, from a unique file on your disk. This identifier can be reset by reinstalling your operating system.
When you sign into a Chrome OS device, Chrome on Android, or a desktop Chrome profile with an account associated with a Google Apps domain, Chrome checks whether the domain has configured enterprise policies. If so, the Chrome OS device or Chrome profile is assigned a unique ID, and registered as belonging to that domain. Any configured policies are applied to the device or profile. In order to revoke the registration, you'll need to wipe the Chrome OS device, sign out of Chrome on Android or Chrome on iOS, or remove the desktop profile.
Registered profiles check for policy changes periodically (every 3 hours by default). In some cases, the server pushes policy changes to the client without waiting for Chrome's periodic check. Unregistered profiles check whether a policy has been turned on for their domain each time Chrome starts up.
The policy list contains details about the types of configurations that are available via Cloud Policy.
If you enable Data Saver, Chrome will send your HTTP traffic through Google's optimizing proxy servers. This option reduces the amount of data downloaded, and protects you against malware and phishing via the Safe Browsing service. You can find more information about the data compression benefits on the Chromium blog.
The proxy service is disabled for connections to HTTPS origins and connections made from Incognito tabs. These connections are not routed through Google's servers. For connections to HTTP origins, request URLs are logged. Cookies and If-None-Match headers are stripped from the logs. Additionally, the content of proxied pages is also cached but not logged. The logs are not associated with your Google Account, and the entire log entry is removed within 6 months. These logs are also governed by standard Google search logging policies.
Google uses the logged and cached data to improve both Data Saver and Safe Browsing; for example, more effective optimizations can be uncovered by analyzing timing data for pages loaded through the proxy service, and malware can be detected more rapidly by analyzing response data in realtime.
Your IP address is forwarded to the origin HTTP server via an X-Forwarded-For header, in accordance with the HTTP standard. The Data Saver service is a transparent proxy, not an anonymization service.
By default, the connection between the browser and the Data Saver proxy is over an encrypted channel. However, a network administrator can disable the use of an encrypted channel to Data Saver.
If you create a supervised user on Chrome or Chrome OS, certain information such as the supervised user’s browsing activity, profile settings and permissions requests for blocked content will be sent to Google in association with your Google Account. You can access the browsing activity of your supervised users at chrome.com/manage. In order to remove data that is associated with a supervised user from Google’s servers, please sign in to your Google Account at chrome.com/manage and delete the respective supervised user.
Incognito and Guest Mode
Incognito mode in Chrome is a temporary browsing mode. It ensures that you don’t leave browsing history and cookies on your computer. The browsing history and cookies are deleted only once you have closed the last incognito window. Incognito mode cannot make you invisible on the internet. Websites that you navigate to may record your visits. Going incognito doesn’t hide your browsing from your employer, your internet service provider, or the websites you visit.
Browsing as a Guest in Chrome allows you to use somebody else's computer without modifying their profile. For example, no bookmarks or passwords get stored on their computer. Note that Guest mode does not protect you for example, if the computer you are using is infected by a keylogger that records what you type.
iOS 8 and Mac OS X Yosemite Handoff Support
While browsing in a standard (i.e. non-Incognito) session, Chrome will share your current URL with iOS 8+ to support the Handoff feature that was added in OS X Yosemite. This information is only sent to Apple devices that are paired with your iOS device, and the data is encrypted in transit.
A FIDO U2F Security Key provides a non-phishable credential which can be used to authenticate a user. This mitigates the risk of various kinds of man-in-the-middle attacks in which websites try to steal your password and use it later.
To prevent abuse, a website is required to be delivered over a secure connection (HTTPS), and to register the security key before it can be used for identification. Once a website is registered with a specific security key, that security key will provide a persistent identifier, regardless of which computer it is plugged into, or whether you're in incognito or guest mode, but you must physically interact with the security key to give a website access to an identifier (by, for example, touching it, or plugging it in).
The Physical Web lets you see a list of URLs being broadcast by objects in the environment around you. Google Chrome looks for Physical Web devices with Bluetooth Low Energy beacons that are broadcasting URLs using the Eddystone protocol. Bluetooth signals can be received from 90 feet away or more, depending on signal strength and the user’s environment (although the range is often much shorter, due to obstacles and signal noise). If the Physical Web feature is enabled, Chrome sends detected URLs to Google’s Physical Web Service (PWS) via a cookieless HTTPS request. For each URL, the PWS obtains the title of the web page, filters out unsafe results, and returns a ranking based on non-personalized signals about the quality and relevance of the web page.
The Physical Web feature is available on Chrome on iOS and Android. Users will need to turn on Bluetooth to use the feature.
If Android users have location settings enabled on both their device and in Chrome, they will receive a notification the first time they are near a beacon that will give them the option to turn on the Physical Web feature. This beacon’s URL is not sent to Google’s PWS unless the Physical Web feature is enabled. Users can also enable (or disable) the feature in the Privacy settings. Once a user enables the feature, Chrome scans for nearby devices for a few seconds each time the user unlocks the mobile device in use and sends them to the PWS in order to obtain more information about the beacon. The user receives a silent notification when Chrome finds a nearby URL.
On iOS devices, users can enable (or disable) the feature in the Privacy settings or by adding the Chrome widget to their Today view in the notification center. Additionally, the feature is automatically enabled for users who have location enabled on their device, granted Chrome the location permission, and have granted Google the geolocation permission. Chrome scans for nearby devices whenever it is open in the foreground. When Chrome finds nearby URLs, users will see them as omnibox suggestions. Additionally, Chrome scans for nearby devices for a few seconds when the Today widget is displayed in the notification center.
Chrome does not let any page communicate with a device unless you explicitly consent. When a web page asks to pair with a device, Chrome will ask you to choose which device the web page should access, if any. Selecting a device for one page does not give other pages access to the device you have chosen, and does not allow that page to access other devices. Currently, permission for a page to communicate with a device is usually revoked when the page is reloaded, and is always revoked when Chrome is restarted.