According to Turley, OpenAI would throw its proverbial hat in the ring if Google had to sell. When asked if OpenAI would want Chrome, he was unequivocal. “Yes, we would, as would many other parties,” Turley said.
OpenAI has reportedly considered building its own Chromium-based browser to compete with Chrome. Several months ago, the company hired former Google developers Ben Goodger and Darin Fisher, both of whom worked to bring Chrome to market.
It’s not hard to see why OpenAI might want a browser, particularly Chrome with its 4 billion users and 67 percent market share. Chrome would instantly give OpenAI a massive install base of users who have been incentivized to use Google services. If OpenAI were running the show, you can bet ChatGPT would be integrated throughout the experience—Turley said as much, predicting an “AI-first” experience. The user data flowing to the owner of Chrome could also be invaluable in training agentic AI models that can operate browsers on the user’s behalf.
Interestingly, there’s so much discussion about who should buy Chrome, but relatively little about spinning off Chrome into an independent company. Google has contended that Chrome can’t survive on its own. However, the existence of Google’s multibillion-dollar search placement deals, which the DOJ wants to end, suggests otherwise. Regardless, if Google has to sell, and OpenAI has the cash, we might get the proposed “AI-first” browsing experience.
While Google’s sandbox project is looking more directionless today, it is not completely ending the initiative. The team still plans to deploy promised improvements in Chrome’s Incognito Mode, which has been re-architected to preserve user privacy after numerous complaints. Incognito Mode blocks all third-party cookies, and later this year, it will gain IP protection, which masks a user’s IP address to protect against cross-site tracking.
What is Topics?
Chavez admits that this change will mean Google’s Privacy Sandbox APIs will have a “different role to play” in the market. That’s a kind way to put it. Google will continue developing these tools and will work with industry partners to find a path forward in the coming months. The company still hopes to see adoption of the Privacy Sandbox increase, but the industry is unlikely to give up on cookies voluntarily.
While Google focuses on how ad privacy has improved since it began working on the Privacy Sandbox, the changes in Google’s legal exposure are probably more relevant. Since launching the program, Google has lost three antitrust cases, two of which are relevant here: the search case currently in the remedy phase and the newly decided ad tech case. As the government begins arguing that Chrome gives Google too much power, it would be a bad look to force a realignment of the advertising industry using the dominance of Chrome.
In some ways, this is a loss—tracking cookies are undeniably terrible, and Google’s proposed alternative is better for privacy, at least on paper. However, universal adoption of the Privacy Sandbox could also give Google more power than it already has, and the supposed privacy advantages may never have fully materialized as Google continues to seek higher revenue.
The extensions share other dubious or suspicious similarities. Much of the code in each one is highly obfuscated, a design choice that provides no benefit other than complicating the process for analyzing and understanding how it behaves.
All but one of them are unlisted in the Chrome Web Store. This designation makes an extension visible only to users with the long pseudorandom string in the extension URL, and thus, they don’t appear in the Web Store or search engine search results. It’s unclear how these 35 unlisted extensions could have fetched 4 million installs collectively, or on average roughly 114,000 installs per extension, when they were so hard to find.
Additionally, 10 of them are stamped with the “Featured” designation, which Google reserves for developers whose identities have been verified and “follow our technical best practices and meet a high standard of user experience and design.”
One example is the extension Fire Shield Extension Protection, which, ironically enough, purports to check Chrome installations for the presence of any suspicious or malicious extensions. One of the key JavaScript files it runs references several questionable domains, where they can upload data and download instructions and code:
URLs that Fire Shield Extension Protection references in its code. Credit: Secure Annex
One domain in particular—unknow.com—is listed in the remaining 34 apps.
Tuckner tried analyzing what extensions did on this site but was largely thwarted by the obfuscated code and other steps the developer took to conceal their behavior. When the researcher, for instance, ran the Fire Shield extension on a lab device, it opened a blank webpage. Clicking on the icon of an installed extension usually provides an option menu, but Fire Shield displayed nothing when he did it. Tuckner then fired up a background service worker in the Chrome developer tools to seek clues about what was happening. He soon realized that the extension connected to a URL at fireshieldit.com and performed some action under the generic category “browser_action_clicked.” He tried to trigger additional events but came up empty-handed.
The Internet might look a bit different on Android soon. Last month, Google announced its intent to make Chrome for Android a more immersive experience by hiding the navigation bar background. The promised edge-to-edge update is now rolling out to devices on Chrome version 135, giving you a touch more screen real estate. However, some websites may also be a bit harder to use.
Moving from button to gesture navigation reduced the amount of screen real estate devoted to the system UI, which leaves more room for apps. Google’s move to a “dynamic bottom bar” in Chrome creates even more space for web content. When this feature shows up, the pages you visit will be able to draw all the way to the bottom of the screen instead of stopping at the navigation area, which Google calls the “chin.”
As you scroll down a page, Chrome hides the address bar. With the addition of the dynamic bottom bar, the chin also vanishes. The gesture handle itself remains visible, shifting between white and black based on what is immediately behind it to maintain visibility. Unfortunately, this feature will not work if you have chosen to stick with the classic three-button navigation option.
The government’s 2024 request also sought to have Google’s investment in AI firms curtailed even though this isn’t directly related to search. If, like Google, you believe leadership in AI is important to the future of the world, limiting its investments could also affect national security. But in November, Mehta suggested he was open to considering AI remedies because “the recent emergence of AI products that are intended to mimic the functionality of search engines” is rapidly shifting the search market.
This perspective could be more likely to find supporters in the newly AI-obsessed US government with a rapidly changing Department of Justice. However, the DOJ has thus far opposed allowing AI firm Anthropic to participate in the case after it recently tried to intervene. Anthropic has received $3 billion worth of investments from Google, including $1 billion in January.
New year, new Justice Department
Google naturally opposed the government’s early remedy proposal, but this happened in November, months before the incoming Trump administration began remaking the DOJ. Since taking office, the new administration has routinely criticized the harsh treatment of US tech giants, taking aim at European Union laws like the Digital Markets Act, which tries to ensure user privacy and competition among so-called “gatekeeper” tech companies like Google.
We may get a better idea of how the DOJ wants to proceed later this week when both sides file their final proposals with Mehta. Google already announced its preferred remedy at the tail end of 2024. It’s unlikely Google’s final version will be any different, but everything is up in the air for the government.
Even if current political realities don’t affect the DOJ’s approach, the department’s staffing changes could. Many of the people handling Google’s case today are different than they were just a few months ago, so arguments that fell on deaf ears in 2024 could move the needle. Perhaps emphasizing the national security angle will resonate with the newly restaffed DOJ.
After both sides have had their say, it will be up to the judge to eventually rule on how Google must adapt its business. This remedy phase should get fully underway in April.
Google’s Chrome browser might soon get a useful security upgrade: detecting passwords used in data breaches and then generating and storing a better replacement. Google’s preliminary copy suggests it’s an “AI innovation,” though exactly how is unclear.
Noted software digger Leopeva64 on X found a new offering in the AI settings of a very early build of Chrome. The option, “Automated password Change” (so, early stages—as to not yet get a copyedit), is described as, “When Chrome finds one of your passwords in a data breach, it can offer to change your password for you when you sign in.”
Chrome already has a feature that warns users if the passwords they enter have been identified in a breach and will prompt them to change it. As noted by Windows Report, the change is that now Google will offer to change it for you on the spot rather than simply prompting you to handle that elsewhere. The password is automatically saved in Google’s Password Manager and “is encrypted and never seen by anyone,” the settings page claims.
If you want to see how this works, you need to download a Canary version of Chrome. In the flags settings (navigate to “chrome://flags” in the address bar), you’ll need to enable two features: “Improved password change service” and “Mark all credential as leaked,” the latter to force the change notification because, presumably, it’s not hooked up to actual leaked password databases yet. Go to almost any non-Google site, enter in any user/password combination to try to log in, and after it fails or you navigate elsewhere, a prompt will ask you to consider changing your password.
Screenshot showing the phishing email sent to Cyberhaven extension developers. Credit: Amit Assaraf
A link in the email led to a Google consent screen requesting access permission for an OAuth application named Privacy Policy Extension. A Cyberhaven developer granted the permission and, in the process, unknowingly gave the attacker the ability to upload new versions of Cyberhaven’s Chrome extension to the Chrome Web Store. The attacker then used the permission to push out the malicious version 24.10.4.
Screenshot showing the Google permission request. Credit: Amit Assaraf
As word of the attack spread in the early hours of December 25, developers and researchers discovered that other extensions were targeted, in many cases successfully, by the same spear phishing campaign. John Tuckner, founder of Secure Annex, a browser extension analysis and management firm, said that as of Thursday afternoon, he knew of 19 other Chrome extensions that were similarly compromised. In every case, the attacker used spear phishing to push a new malicious version and custom, look-alike domains to issue payloads and receive authentication credentials. Collectively, the 20 extensions had 1.46 million downloads.
“For many I talk to, managing browser extensions can be a lower priority item in their security program,” Tuckner wrote in an email. “Folks know they can present a threat, but rarely are teams taking action on them. We’ve often seen in security [that] one or two incidents can cause a reevaluation of an organization’s security posture. Incidents like this often result in teams scrambling to find a way to gain visibility and understanding of impact to their organizations.”
The earliest compromise occurred in May 2024. Tuckner provided the following spreadsheet:
Name
ID
Version
Patch
Available
Users
Start
End
VPNCity
nnpnnpemnckcfdebeekibpiijlicmpom
2.0.1
FALSE
10,000
12/12/24
12/31/24
Parrot Talks
kkodiihpgodmdankclfibbiphjkfdenh
1.16.2
TRUE
40,000
12/25/24
12/31/24
Uvoice
oaikpkmjciadfpddlpjjdapglcihgdle
1.0.12
TRUE
40,000
12/26/24
12/31/24
Internxt VPN
dpggmcodlahmljkhlmpgpdcffdaoccni
1.1.1
1.2.0
TRUE
10,000
12/25/24
12/29/24
Bookmark Favicon Changer
acmfnomgphggonodopogfbmkneepfgnh
4.00
TRUE
40,000
12/25/24
12/31/24
Castorus
mnhffkhmpnefgklngfmlndmkimimbphc
4.40
4.41
TRUE
50,000
12/26/24
12/27/24
Wayin AI
cedgndijpacnfbdggppddacngjfdkaca
0.0.11
TRUE
40,000
12/19/24
12/31/24
Search Copilot AI Assistant for Chrome
bbdnohkpnbkdkmnkddobeafboooinpla
1.0.1
TRUE
20,000
7/17/24
12/31/24
VidHelper – Video Downloader
egmennebgadmncfjafcemlecimkepcle
2.2.7
TRUE
20,000
12/26/24
12/31/24
AI Assistant – ChatGPT and Gemini for Chrome
bibjgkidgpfbblifamdlkdlhgihmfohh
0.1.3
FALSE
4,000
5/31/24
10/25/24
TinaMind – The GPT-4o-powered AI Assistant!
befflofjcniongenjmbkgkoljhgliihe
2.13.0
2.14.0
TRUE
40,000
12/15/24
12/20/24
Bard AI chat
pkgciiiancapdlpcbppfkmeaieppikkk
1.3.7
FALSE
100,000
9/5/24
10/22/24
Reader Mode
llimhhconnjiflfimocjggfjdlmlhblm
1.5.7
FALSE
300,000
12/18/24
12/19/24
Primus (prev. PADO)
oeiomhmbaapihbilkfkhmlajkeegnjhe
3.18.0
3.20.0
TRUE
40,000
12/18/24
12/25/24
Cyberhaven security extension V3
pajkjnmeojmbapicmbpliphjmcekeaac
24.10.4
24.10.5
TRUE
400,000
12/24/24
12/26/24
GraphQL Network Inspector
ndlbedplllcgconngcnfmkadhokfaaln
2.22.6
2.22.7
TRUE
80,000
12/29/24
12/30/24
GPT 4 Summary with OpenAI
epdjhgbipjpbbhoccdeipghoihibnfja
1.4
FALSE
10,000
5/31/24
9/29/24
Vidnoz Flex – Video recorder & Video share
cplhlgabfijoiabgkigdafklbhhdkahj
1.0.161
FALSE
6,000
12/25/24
12/29/24
YesCaptcha assistant
jiofmdifioeejeilfkpegipdjiopiekl
1.1.61
TRUE
200,000
12/29/24
12/31/24
Proxy SwitchyOmega (V3)
hihblcmlaaademjlakdpicchbjnnnkbo
3.0.2
TRUE
10,000
12/30/24
12/31/24
But wait, there’s more
One of the compromised extensions is called Reader Mode. Further analysis showed it had been compromised not just in the campaign targeting the other 19 extensions but in a separate campaign that started no later than April 2023. Tuckner said the source of the compromise appears to be a code library developers can use to monetize their extensions. The code library collects details about each web visit a browser makes. In exchange for incorporating the library into the extensions, developers receive a commission from the library creator.
Google called the DOJ extending search remedies to AI “radical,” an “overreach.”
The US Department of Justice finally proposed sweeping remedies to destroy Google’s search monopoly late yesterday, and, predictably, Google is not loving any of it.
On top of predictable asks—like potentially requiring Google to share search data with rivals, restricting distribution agreements with browsers like Firefox and device makers like Apple, and breaking off Chrome or Android—the DOJ proposed remedies to keep Google from blocking competition in “the evolving search industry.” And those extra steps threaten Google’s stake in the nascent AI search world.
This is only the first step in the remedies stage of litigation, but Google is already showing resistance to both expected and unexpected remedies that the DOJ proposed. In a blog from Google’s vice president of regulatory affairs, Lee-Anne Mulholland, the company accused the DOJ of “overreach,” suggesting that proposed remedies are “radical” and “go far beyond the specific legal issues in this case.”
From here, discovery will proceed as the DOJ makes a case to broaden the scope of proposed remedies and Google raises its defense to keep remedies as narrowly tailored as possible. After that phase concludes, the DOJ will propose its final judgement on remedies in November, which must be fully revised by March 2025 for the court to then order remedies.
Even then, however, the trial is unlikely to conclude, as Google plans to appeal. In August, Mozilla’s spokesperson told Ars that the trial could drag on for years before any remedies are put in place.
In the meantime, Google plans to continue focusing on building out its search empire, Google’s president of global affairs, Kent Walker, said in August. This presumably includes innovations in AI search that the DOJ fears may further entrench Google’s dominant position.
Scrutiny of Google’s every move in the AI industry will likely only be heightened in that period. As Google has already begun seeking exclusive AI deals with companies like Apple, it risks appearing to engage in the same kinds of anti-competitive behavior in AI markets as the court has already condemned. And giving that impression could not only impact remedies ordered by the court, but also potentially weaken Google’s chances of winning on appeal, Lee Hepner, an antitrust attorney monitoring the trial for the American Economic Liberties Project, told Ars.
Ending Google’s monopoly starts with default deals
In the DOJ’s proposed remedy framework, the DOJ says that there’s still so much more to consider before landing on final remedies that it reserves “the right to add or remove potential proposed remedies.”
Through discovery, DOJ said that it plans to continue engaging experts and stakeholders “to learn not just about the relevant markets themselves but also about adjacent markets as well as remedies from other jurisdictions that could affect or inform the optimal remedies in this action.
“To be effective, these remedies… must include some degree of flexibility because market developments are not always easy to predict and the mechanisms and incentives for circumvention are endless,” the DOJ said.
Ultimately, the DOJ said that any remedies sought should be “mutually reinforcing” and work to “unfetter” Google’s current monopoly in general search services and general text advertising markets. That effort would include removing barriers to competition—like distribution and revenue-sharing agreements—as well as denying Google monopoly profits and preventing Google from monopolizing “related markets in the future,” the DOJ said.
Any effort to undo Google’s monopoly starts with ending Google’s control over “the most popular distribution channels,” the DOJ said. At one point during the trial, for example, a witness accidentally blurted out that Apple gets a 36 percent cut from its Safari deal with Google. Lucrative default deals like that leave rivals with “little-to-no incentive to compete for users,” the DOJ said.
“Fully remedying these harms requires not only ending Google’s control of distribution today, but also ensuring Google cannot control the distribution of tomorrow,” the DOJ warned.
To dislodge this key peg propping up Google’s search monopoly, some options include ending Google’s default deals altogether, which would “limit or prohibit default agreements, preinstallation agreements, and other revenue-sharing arrangements related to search and search-related products, potentially with or without the use of a choice screen.”
A breakup could be necessary
Behavior and structural remedies may also be needed, the DOJ proposed, to “prevent Google from using products such as Chrome, Play, and Android to advantage Google search and Google search-related products and features—including emerging search access points and features, such as artificial intelligence—over rivals or new entrants.” That could mean spinning off the Chrome browser or restricting Google from preinstalling its search engine as the default in Chrome or on Android devices.
In her blog, Mulholland conceded that “this case is about a set of search distribution contracts” but claimed that “overbroad restrictions on distribution contracts” would create friction for Google users and “reduce revenue for companies like Mozilla” as well as Android smart phone makers.
Asked to comment on supposedly feared revenue losses, a Mozilla spokesperson told Ars, “[We are] closely monitoring the legal process and considering its potential impact on Mozilla and how we can positively influence the next steps. Mozilla has always championed competition and choice online, particularly in search. Firefox continues to offer a range of search options, and we remain committed to serving our users’ preferences while fostering a competitive market.”
Mulholland also warned that “splitting off” Chrome or Android from Google’s search business “would break them” and potentially “raise the cost of devices,” because “few companies would have the ability or incentive to keep them open source, or to invest in them at the same level we do.”
“We’ve invested billions of dollars in Chrome and Android,” Mulholland wrote. “Chrome is a secure, fast, and free browser and its open-source code provides the backbone for numerous competing browsers. Android is a secure, innovative, and free open-source operating system that has enabled vast choice in the smartphone market, helping to keep the cost of phones low for billions of people.”
Google has long argued that its investment in open source Chrome and Android projects benefits developers whose businesses and customers would be harmed if those efforts lost critical funding.
“Features like Chrome’s Safe Browsing, Android’s security features, and Play Protect benefit from information and signals from a range of Google products and our threat-detection expertise,” Mulholland wrote. “Severing Chrome and Android would jeopardize security and make patching security bugs harder.”
Hepner told Ars that Android could potentially thrive if broken off from Google, suggesting that through discovery, it will become clearer what would happen if either Google product was severed from the company.
“I think others would agree that Android is a company that is capable [being] a standalone entity,” Hepner said. “It could be independently monetized through relationships with device manufacturers, web browsers, alternative Play Stores that are not under Google’s umbrella. And that if that were the case, what you would see is that Android and the operating system marketplace begins to evolve to meet the needs and demands of innovative products that are not being created just by Google. And you’ll see that dictating the evolution of the marketplace and fundamentally the flow of information across our society.”
Mulholland also claimed that sharing search data with rivals risked exposing users to privacy and security risks, but the DOJ vowed to be “mindful of potential user privacy concerns in the context of data sharing” while distinguishing “genuine privacy concerns” from “pretextual arguments” potentially misleading the court regarding alleged risks.
One possible way around privacy concerns, the DOJ suggested, would be prohibiting Google from collecting the kind of sensitive data that cannot be shared with rivals.
Finally, to stop Google from charging supra-competitive prices for ads, the DOJ is “evaluating remedies” like licensing or syndicating Google’s ad feed “independent of its search results.” Further, the DOJ may require more transparency, forcing Google to provide detailed “search query reports” featuring currently obscured “information related to its search text ads auction and ad monetization.”
Stakeholders were divided on whether the DOJ’s initial framework is appropriate.
Matt Schruers, the CEO of a trade association called the Computer & Communications Industry Association (which represents Big Tech companies like Google), criticized the DOJ’s “hodgepodge of structural and behavioral remedies” as going “far beyond” what’s needed to address harms.
“Any remedy should be narrowly tailored to address specific conduct, which in this case was a set of search distribution contracts,” Schruers said. “Instead, the proposed DOJ remedies would reshape numerous industries and products, which would harm consumers and innovation in these dynamic markets.”
But a senior vice president of public affairs for Google search rival DuckDuckGo, Kamyl Bazbaz, praised the DOJ’s framework as being “anchored to the court’s ruling” and appropriately broad.
“This proposal smartly takes aim at breaking Google’s illegal hold on the general search market now and ushers in a new era of enduring competition moving forward,” Bazbaz said. “The framework understands that no single remedy can undo Google’s illegal monopoly, it will require a range of behavioral and structural remedies to free the market.”
Bazbaz expects that “Google is going to use every resource at its disposal to discredit this proposal,” suggesting that “should be taken as a sign this framework can create real competition.”
AI deals could weaken Google’s appeal, expert says
Google appears particularly disturbed by the DOJ’s insistence that remedies must be forward-looking and prevent Google from leveraging its existing monopoly power “to feed artificial intelligence features.”
As Google sees it, the DOJ’s attempt to attack Google’s AI business “comes at a time when competition in how people find information is blooming, with all sorts of new entrants emerging and new technologies like AI transforming the industry.”
But the DOJ has warned that Google’s search monopoly potentially feeding AI features “is an emerging barrier to competition and risks further entrenching Google’s dominance.”
The DOJ has apparently been weighing some of the biggest complaints about Google’s AI training when mulling remedies. That includes listening to frustrated site owners who can’t afford to block Google from scraping data for AI training because the same exact crawler indexes their content in Google search results. Those site owners have “little choice” but to allow AI training or else sacrifice traffic from Google search, The Seattle Times reported.
Remedy options may come with consequences
Remedies in the search trial might change that. In their proposal, the DOJ said it’s considering remedies that would “prohibit Google from using contracts or other practices to undermine rivals’ access to web content and level the playing field by requiring Google to allow websites crawled for Google search to opt out of training or appearing in any Google-owned artificial-intelligence product or feature on Google search,” such as Google’s controversial AI summaries.
Hepner told Ars that “it’s not surprising at all” that remedies cover both search and AI because “at the core of Google’s monopoly power is its enormous scale and access to data.”
“The Justice Department is clearly thinking creatively,” Hepner said, noting that “the ability for content creators to opt out of having their material and work product used to train Google’s AI systems is an interesting approach to depriving Google of its immense scale.”
The DOJ is also eyeing controls on Google’s use of scale to power AI advertising technologies like Performance Max to end Google’s supracompetitive pricing on text ads for good.
It’s critical to think about the future, the DOJ argued in its framework, because “Google’s anticompetitive conduct resulted in interlocking and pernicious harms that present unprecedented complexities in a highly evolving set of markets”—not just in the markets where Google holds monopoly powers.
Google disagrees with this alleged “government overreach.”
“Hampering Google’s AI tools risks holding back American innovation at a critical moment,” Mulholland warned, claiming that AI is still new and “competition globally is fierce.”
“There are enormous risks to the government putting its thumb on the scale of this vital industry—skewing investment, distorting incentives, hobbling emerging business models—all at precisely the moment that we need to encourage investment, new business models, and American technological leadership,” Mulholland wrote.
Hepner told Ars that he thinks that the DOJ’s proposed remedies framework actually “meets the moment and matches the imperative to deprive Google of its monopoly hold on the search market, on search advertising, and potentially on future related markets.”
To ensure compliance with any remedies pursued, the DOJ also recommended “protections against circumvention and retaliation, including through novel paths to preserving dominance in the monopolized markets.”
That means Google might be required to “finance and report to a Court-appointed technical committee” charged with monitoring any Google missteps. The company may also have to agree to retain more records for longer—including chat messages that the company has been heavily criticized for deleting. And through this compliance monitoring, Google may also be prohibited from owning a large stake in any rivals.
If Google were ever found willfully non-compliant, the DOJ is considering a “range of provisions,” including risking more extreme structural or behavioral remedies or enduring extensions of compliance periods.
As the remedies stage continues through the spring, followed by Google’s prompt appeal, Hepner suggested that the DOJ could fight to start imposing remedies before the appeal concludes. Likely Google would just as strongly fight for any remedies to be delayed.
While the trial drags on, Hepner noted that Google already appears to be trying to strike another default deal with Apple that appears pretty similar to the controversial distribution deals at the heart of the search monopoly trial. In March, Apple started mulling using Google’s Gemini to exclusively power new AI features for the iPhone.
“This is basically the exact same anticompetitive behavior that they were found liable for,” Hepner told Ars, suggesting this could “weaken” Apple’s defense both against the DOJ’s broad framework of proposed remedies and during the appeal.
“If Google is actually engaging in the same anti-competitive conduct and artificial intelligence markets that they were found liable for in the search market, the court’s not going to look kindly on that relative to an appeal,” Hepner said.
Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.
After US District Judge Amit Mehta ruled that Google has a monopoly in two markets—general search services and general text advertising—everybody is wondering how Google might be forced to change its search business.
Specifically, the judge ruled that Google’s exclusive deals with browser and device developers secured Google’s monopoly. These so-called default agreements funneled the majority of online searches to Google search engine result pages (SERPs), where results could be found among text ads that have long generated the bulk of Google’s revenue.
At trial, Mehta’s ruling noted, it was estimated that if Google lost its most important default deal with Apple, Google “would lose around 65 percent of its revenue, even assuming that it could retain some users without the Safari default.”
Experts told Ars that disrupting these default deals is the most obvious remedy that the US Department of Justice will seek to restore competition in online search. Other remedies that may be sought range from least painful for Google (mandating choice screens in browsers and devices) to most painful (requiring Google to divest from either Chrome or Android, where it was found to be self-preferencing).
But the remedies phase of litigation may have to wait until after Google’s appeal, which experts said could take years to litigate before any remedies are ever proposed in court. Whether Google could be successful in appealing the ruling is currently being debated, with anti-monopoly advocates backing Mehta’s ruling as “rock solid” and critics suggesting that the ruling’s fresh takes on antitrust law are open to attack.
Google declined Ars’ request to comment on appropriate remedies or its plan to appeal.
Previously, Google’s president of global affairs, Kent Walker, confirmed in a statement that the tech giant would be appealing the ruling because the court found that “Google is ‘the industry’s highest quality search engine, which has earned Google the trust of hundreds of millions of daily users,’ that Google ‘has long been the best search engine, particularly on mobile devices,’ ‘has continued to innovate in search,’ and that ‘Apple and Mozilla occasionally assess Google’s search quality relative to its rivals and find Google’s to be superior.'”
“Given this, and that people are increasingly looking for information in more and more ways, we plan to appeal,” Walker said. “As this process continues, we will remain focused on making products that people find helpful and easy to use.”
But Mehta found that Google was wielding its outsize influence in the search industry to block rivals from competing by locking browsers and devices into agreements ensuring that all searches went to Google SERPs. None of the pro-competitive benefits that Google claimed justified the exclusive deals persuaded Mehta, who ruled that “importantly,” Google “exercised its monopoly power by charging supra-competitive prices for general search text ads”—and thus earned “monopoly profits.”
While experts think the appeal process will delay litigation on remedies, Google seems to think that Mehta may rule on potential remedies before Google can proceed with its appeal. Walker told Google employees that a ruling on remedies may arrive in the next few months, The Wall Street Journal reported. Ars will continue monitoring for updates on this timeline.
As the DOJ’s case against Google’s search business has dragged on, reports have long suggested that a loss for Google could change the way that nearly the entire world searches the Internet.
Adam Epstein—the president and co-CEO of adMarketplace, which bills itself as “the largest consumer search technology company outside of Google and Bing”—told Ars that innovations in search could result in a broader landscape of more dynamic search experiences that draw from sources beyond Google and allow searchers to skip Google’s SERPs entirely. If that happens, the coming years could make Google’s ubiquitous search experience today a distant memory.
“By the end of this decade, going to a search engine results page will seem quaint,” Epstein predicted. “The court’s decision sets the stage for a remedy that will dramatically improve the search experience for everyone connected to the web. The era of innovation in search is just around the corner.”
The DOJ has not meaningfully discussed potential remedies it will seek, but Jonathan Kanter, assistant attorney general of the Justice Department’s antitrust division, celebrated the ruling.
“This landmark decision holds Google accountable,” Kanter said. “It paves the path for innovation for generations to come and protects access to information for all Americans.”
Google Chrome’s long, long project to implement a new browser extension platform is seemingly going to happen, for real, after six years of cautious movement.
One of the first ways people are seeing this is if they use uBlock Origin, a popular ad-blocking extension, as noted by Bleeping Computer. Recently, Chrome users have seen warnings pop up that “This extension may soon no longer be supported,” with links asking the user to “Remove or replace it with similar extensions” from Chrome’s Web Store. You might see a similar warning on some extensions if you head to Chrome’s Extensions page (chrome://extensions).
What’s happening is Chrome preparing to make Manifest V3 required for extensions that want to run on its platform. First announced in 2018, the last word on Manifest V3 was that V2 extensions would start being nudged out in early June on the Beta, Dev, and Canary update channels. Users will be able to manually re-enable V2 extensions “for a short time,” Google has said, “but over time, this toggle will go away as well.” The shift for enterprise Chrome deployments is expected to be put off until June 2025.
Google has said that its new extension platform was built for “improving the security, privacy, performance, and trustworthiness of the extension ecosystem.” The Electronic Frontier Foundation (EFF) disagrees most strongly with the security aspect, and Firefox-maker Mozilla, while intending to support V3 extensions for cross-browser compatibility, has no plans to cut off support for V2 extensions, signaling that it doesn’t see the big improvement.
Perhaps the biggest point of friction is with ad blockers. Google has said it “isn’t killing ad blockers” but “making them safer,” in an explanatory blog post. Google noted in November 2023 that Manifest V3 allowed for a greater number, and more dynamic updating, of content-blocking rules in extensions, specifically ad blockers.
But one of the biggest changes is in disallowing “remotely hosted code,” which includes the filtering lists that ad blockers keep regularly updated. Ad blockers that want to update their filtering lists, perhaps in response to pivots by platforms like Google’s YouTube and ad servers, will have to do so through the Chrome Web Store’s review process. Ad-blocking coders see it as an intentional gatekeeping and slowing.
Google said before the initial May push toward V3 that 85 percent of actively maintained extensions in its store had Manifest V3 versions ready. Raymond Hill wrote on uBlock Origin’s GitHub page Friday that there will not be a full version of uBlock Origin that works with Manifest V3, but instead a “Lite” version that is “a pared-down version of uBO with a best effort at converting filter lists used by uBO into a Manifest V3-compliant approach.”
Google is redesigning Chrome malware detections to include password-protected executable files that users can upload for deep scanning, a change the browser maker says will allow it to detect more malicious threats.
Google has long allowed users to switch on the Enhanced Mode of its Safe Browsing, a Chrome feature that warns users when they’re downloading a file that’s believed to be unsafe, either because of suspicious characteristics or because it’s in a list of known malware. With Enhanced Mode turned on, Google will prompt users to upload suspicious files that aren’t allowed or blocked by its detection engine. Under the new changes, Google will prompt these users to provide any password needed to open the file.
Beware of password-protected archives
In a post published Wednesday, Jasika Bawa, Lily Chen, and Daniel Rubery of the Chrome Security team wrote:
Not all deep scans can be conducted automatically. A current trend in cookie theft malware distribution is packaging malicious software in an encrypted archive—a .zip, .7z, or .rar file, protected by a password—which hides file contents from Safe Browsing and other antivirus detection scans. In order to combat this evasion technique, we have introduced two protection mechanisms depending on the mode of Safe Browsing selected by the user in Chrome.
Attackers often make the passwords to encrypted archives available in places like the page from which the file was downloaded, or in the download file name. For Enhanced Protection users, downloads of suspicious encrypted archives will now prompt the user to enter the file’s password and send it along with the file to Safe Browsing so that the file can be opened and a deep scan may be performed. Uploaded files and file passwords are deleted a short time after they’re scanned, and all collected data is only used by Safe Browsing to provide better download protections.
Enlarge/ Enter a file password to send an encrypted file for a malware scan
Google
For those who use Standard Protection mode which is the default in Chrome, we still wanted to be able to provide some level of protection. In Standard Protection mode, downloading a suspicious encrypted archive will also trigger a prompt to enter the file’s password, but in this case, both the file and the password stay on the local device and only the metadata of the archive contents are checked with Safe Browsing. As such, in this mode, users are still protected as long as Safe Browsing had previously seen and categorized the malware.
Sending Google an executable casually downloaded from a site advertising a screensaver or media player is likely to generate little if any hesitancy. For more sensitive files such as a password-protected work archive, however, there is likely to be more pushback. Despite the assurances the file and password will be deleted promptly, things sometimes go wrong and aren’t discovered for months or years, if at all. People using Chrome with Enhanced Mode turned on should exercise caution.
A second change Google is making to Safe Browsing is a two-tiered notification system when users are downloading files. They are:
Suspicious files, meaning those Google’s file-vetting engine have given a lower-confidence verdict, with unknown risk of user harm
Dangerous files, or those with a high confidence verdict that they pose a high risk of user harm
The new tiers are highlighted by iconography, color, and text in an attempt to make it easier for users to easily distinguish between the differing levels of risk. “Overall, these improvements in clarity and consistency have resulted in significant changes in user behavior, including fewer warnings bypassed, warnings heeded more quickly, and all in all, better protection from malicious downloads,” the Google authors wrote.
Previously, Safe Browsing notifications looked like this:
Enlarge/ Differentiation between suspicious and dangerous warnings.
Google
Over the past year, Chrome hasn’t budged on its continued support of third-party cookies, a decision that allows companies large and small to track users of that browser as they navigate from website to website to website. Google’s alternative to tracking cookies, known as the Privacy Sandbox, has also received low marks from privacy advocates because it tracks user interests based on their browser usage.
That said, Chrome has long been a leader in introducing protections, such as a security sandbox that cordons off risky code so it can’t mingle with sensitive data and operating system functions. Those who stick with Chrome should at a minimum keep Standard Mode Safe Browsing on. Users with the experience required to judiciously choose which files to send to Google should consider turning on Enhanced Mode.
Enlarge/ Google, like most of us, has a hard time letting go of cookies. Most of us just haven’t created a complex set of APIs and brokered deals across regulation and industry to hold onto the essential essence of cookies.
Getty Images
Google has an announcement today: It’s not going to do something it has thought about, and tinkered with, for quite some time.
Most people who just use the Chrome browser, rather than develop for it or try to serve ads to it, are not going to know what “A new path for Privacy Sandbox on the web” could possibly mean. The very short version is that Google had a “path,” first announced in January 2020, to turn off third-party (i.e., tracking) cookies in the most-used browser on Earth, bringing it in line with Safari, Firefox, and many other browsers. Google has proposed several alternatives to the cookies that follow you from page to page, constantly pitching you on that space heater you looked at three days ago. Each of these alternatives has met varying amounts of resistance from privacy and open web advocates, trade regulators, and the advertising industry.
So rather than turn off third-party cookies by default and implement new solutions inside the Privacy Sandbox, Chrome will “introduce a new experience” that lets users choose their tracking preferences when they update or first use Chrome. Google will also keep working on its Privacy Sandbox APIs but in a way that recognizes the “impact on publishers, advertisers, and everyone involved in online advertising.” Google also did not fail to mention it was “discussing this new path with regulators.”
Why today? What does it really mean? Let’s journey through more than four and a half years of Google’s moves to replace third-party cookies, without deeply endangering its standing as the world’s largest advertising provider.
2017–2022: FLoC or “What if machines tracked you, not cookies?”
Google’s big moves toward a standstill likely started at Apple headquarters. Its operating system updates in the fall of 2017 implemented a 24-hour time limit on ad-targeting cookies in Safari, the default browser on Macs and iOS devices. A “Coalition of Major Advertising Trade Associations” issued a sternly worded letter opposing this change, stating it would “drive a wedge between brands and their customers” and make advertising “more generic and less timely and useful.”
By the summer of 2019, Firefox was ready to simply block tracking cookies by default. Google, which makes the vast majority of its money through online advertising, made a different, broader argument against dropping third-party cookies. To paraphrase: Trackers will track, and if we don’t give them a proper way to do it, they’ll do it the dirty way by fingerprinting browsers based on version numbers, fonts, screen size, and other identifiers. Google said it had some machine learning that could figure out when it was good to share your browsing habits. For example:
New technologies like Federated Learning show that it’s possible for your browser to avoid revealing that you are a member of a group that likes Beyoncé and sweater vests until it can be sure that group contains thousands of other people.
In January 2020, Google shifted its argument from “along with” to “instead of” third-party cookies. Chrome Engineering Director Justin Schuh wrote, “Building a more private Web: A path towards making third party cookies obsolete,” suggesting that broad support for Chrome’s privacy sandbox tools would allow for dropping third-party cookies entirely. Privacy advocate Ben Adida described the move as “delivering teeth” and “a big deal.” Feedback from the W3C and other parties, Schuh wrote at that time, “gives us confidence that solutions in this space can work.”
Google’s explanatory graphic for FLoC, or Federated Learning of Cohorts.
Google
As Google developed its replacement for third-party cookies, the path grew trickier and the space more perilous. The Electronic Frontier Foundation described Google’s FLoC, or the “Federated Learning of Cohorts” that would let Chrome machine-learn your profile for sites and ads, as “A Terrible Idea.” The EFF was joined by Mozilla, Apple, WordPress, DuckDuckGo, and lots of browsers based on Chrome’s core Chromium code in being either opposed or non-committal to FLoC. Google pushed back testing FLOC until late 2022 and third-party cookie removal (and thereby FLoC implementation) until mid-2023.
By early 2022, FLoC didn’t have a path forward. Google pivoted to a Topics API, which would give users a bit more control over which topics (“Rock Music,” “Auto & Vehicles”) would be transmitted to potential advertisers. It would certainly improve over third-party cookies, which are largely inscrutable in naming and offer the user only one privacy policy: block them, or delete them all and lose lots of logins.
