Google says Chrome’s new real-time URL scanner won’t invade your privacy

Enlarge / Google’s safe browsing warning is not subtle. (credit: Google)

Google Chrome’s “Safe Browsing” feature—the thing that pops up a giant red screen when you try to visit a malicious website—is getting real-time updates for all users. Google announced the change on the Google Security Blog. Real-time protection naturally means sending URL data to some far-off server, but Google says it will use “privacy-preserving URL protection” so it won’t get a list of your entire browsing history. (Not that Chrome doesn’t already have features that log your history or track you.)

Safe Browsing basically boils down to checking your current website against a list of known bad sites. Google’s old implementation happened locally, which had the benefit of not sending your entire browsing history to Google, but that meant downloading the list of bad sites at 30- to 60-minute intervals. There are a few problems with local downloads. First, Google says the majority of bad sites exist for “less than 10 minutes,” so a 30-minute update time isn’t going to catch them. Second, the list of all bad websites on the entire Internet is going to be very large and constantly growing, and Google already says that “not all devices have the resources necessary to maintain this growing list.”

If you really want to shut down malicious sites, what you want is real-time checking against a remote server. There are a lot of bad ways you could do this. One way would be to just send every URL to the remote server, and you’d basically double Internet website traffic for all of Chrome’s 5 billion users. To cut down on those server requests, Chrome is instead going to download a list of known good sites, and that will cover the vast majority of web traffic. Only the small, unheard-of sites will be subject to a server check, and even then, Chrome will keep a cache of your recent small site checks, so you’ll only check against the server the first time.