Google Chrome

Grade: F (Fail)
Google · 🇺🇸 United States
Technical details
App: com.android.chrome
Manufacturer: Google LLC

⚠️ The bottom line

Chrome tags you with a permanent ID on install. If you sign in — which it pushes hard — every site you visit is linked to your real name and fed into Google's $265B advertising machine. Google spent 5 years promising to kill tracking cookies. The entire industry rejected their alternatives. In 2025 they gave up. The cookies are still there. Five years of your browsing data that could have been protected wasn't.

Legal jurisdiction
🇺🇸 United States (headquarters)
CLOUD Act: US govt can demand your data from this company even if stored overseas
FISA §702 / PRISM: NSA collects stored emails, photos, messages without individual warrants
Geofence warrants: Police can demand location data for everyone near a crime scene
Spying: 3/4 HIGH (Is someone spying on me?)
Data Sharing: 3/4 HIGH (Who gets my data?)
Security: 2/4 MODERATE (Is it actually secure?)
Honesty: 4/4 EXTREME (Can I trust what they say?)
REPLACE: Extreme risk. Look for alternatives or lock down hard.
Use LibreWolf or Vivaldi instead
Firefox fork with zero telemetry, or Vivaldi from Norway
11 contradictions · 4 critical · 6 high · 1 medium · 9 sources
Findings by concern
Spying · 3/4 HIGH · 3 findings
⚠️ critical · firmware analysis vs regulatory findings
Standard Safe Browsing checks a local list — relatively private. But Google pushes users toward Enhanced Safe Browsing, which sends every URL you visit to Google's servers in real time. It's presented as the recommended option during setup with a big blue button. Once you click it, Google receives a complete log of your browsing: every site, every page, every download. Google's own docs confirm Enhanced mode "sends URLs to Safe Browsing" and "temporarily links this data to your Google Account." The upgrade path from privacy to surveillance is designed as a one-click security improvement. Most users click the blue button.

What they claim: Chrome's Safe Browsing protects users from dangerous sites using a locally stored list, with an optional Enhanced mode for stronger protection.

What we found: Standard Safe Browsing checks URLs against a locally cached list — but Google pushes users toward Enhanced Safe Browsing, which sends every URL in real time to Google's servers. Enhanced mode is presented as the recommended option during Chrome setup. Once enabled, Google receives a complete log of browsing activity, downloads, and extension data. Google's own documentation confirms Enhanced mode "sends URLs to Safe Browsing for checking" and "temporarily links this data to your Google Account." The upgrade from local checking to real-time URL transmission is framed as a security improvement, not a surveillance expansion.

⚡ high · firmware analysis vs app permissions
Tracker scanners like Exodus report zero third-party trackers in Chrome — because Chrome doesn't need third-party trackers. The surveillance is first-party. Chrome assigns each installation a unique client ID, attaches an RLZ tracking parameter that records how you installed it, syncs your browsing history and passwords to Google's servers, and reports crash data including the URLs you were visiting. The Topics API (replacing third-party cookies) profiles your interests directly inside the browser. Chrome IS the tracker — and because it's first-party, no scanner will ever flag it.

What they claim: Chrome requests only the permissions needed for a web browser

What we found: Chrome Android requests 27 permissions including CAMERA, RECORD_AUDIO, ACCESS_FINE_LOCATION, READ_CONTACTS, GET_ACCOUNTS, NFC, and BLUETOOTH. Exodus reports zero trackers — but Chrome IS the tracker. All telemetry is first-party Google code, invisible to third-party analysis tools.

⚫ medium · policy claims vs app permissions
You sign in to Chrome for password sync. What you also get: your entire browsing history, autofill data, open tabs, and extensions uploaded to Google. Passwords are the bait. Total surveillance is the product.

What they claim: Chrome sync lets you 'access your bookmarks, passwords, and more on all your devices'

What we found: Signing into Chrome sync also enables browsing history sync, autofill data sync, extension sync, and open tab sync. The password manager is the hook — once you sign in for passwords, Google gets everything else. Most users don't realise sync means Google has a complete copy of their browsing life.

Data Sharing · 3/4 HIGH · 2 findings
⚠️ critical · policy claims vs firmware analysis
Chrome tags you with a permanent ID on install. If you sign in — which it pushes hard — every site you visit is linked to your real name and fed into Google's $265B advertising machine.

What they claim: Chrome is marketed as a 'fast, secure browser' that puts you 'in control'

What we found: Chrome assigns a unique client ID on installation that persists across sessions and is sent to Google with every sync, crash report, and usage metric. Combined with Google account sign-in (prompted aggressively), this creates a permanent identity linking all your browsing to your real name, email, and Google advertising profile.

⚡ high · policy claims vs firmware analysis
Chrome's tracking protection blocks competitors' trackers while protecting Google's own. The fox is guarding the henhouse. Firefox, Safari, and Brave all block more by default.

What they claim: Chrome offers 'Enhanced Tracking Protection' in its privacy settings

What we found: Chrome blocks fewer trackers than Firefox, Safari, or Brave by default. Google's business model depends on advertising — blocking trackers would undermine their own revenue. Chrome's tracking protection is designed to protect Google's tracking while limiting competitors' tracking.

Security · 2/4 MODERATE · 1 finding
⚡ high · firmware analysis vs firmware analysis
Chrome had 8 zero-days exploited in the wild in 2025 alone. One of them (CVSS 9.8) could expose every password you saved. The most attacked browser in the world is also the one holding all your data.

What they claim: Chrome auto-updates to keep you secure against the latest threats

What we found: Chrome had at least 8 actively exploited zero-day vulnerabilities in 2025 and 4 already in 2026. CVE-2025-14372 (Password Manager use-after-free, CVSS 9.8) could expose saved passwords. The constant stream of critical vulnerabilities means the browser holding all your data is under continuous active attack.

Honesty · 4/4 EXTREME · 5 findings
⚠️ critical · policy claims vs firmware analysis
Google spent 5 years promising to kill tracking cookies. The entire industry rejected their alternatives. In 2025 they gave up. The cookies are still there. Five years of your browsing data that could have been protected wasn't.

What they claim: Chrome's Privacy Sandbox was announced as a 'privacy-first' replacement for third-party cookies

What we found: After 5 years of promises, Google fully abandoned the plan to remove third-party cookies in October 2025. FLoC was rejected by the entire industry (EFF, DuckDuckGo, Brave, Vivaldi, Mozilla, WordPress). Its replacement Topics API was also deprecated. The Privacy Sandbox was a delay tactic that kept third-party cookies alive for 5 extra years while Google built alternatives that still track you.

⚠️ critical · policy claims vs regulatory findings
Google's own employees called Incognito mode 'effectively a lie.' You thought you were browsing privately. Google was still collecting everything. They paid $5B to settle the lawsuit.

What they claim: Chrome's Incognito mode promises that 'other people who use this device won't see your activity'

What we found: Google settled a $5B class action lawsuit after internal emails showed employees called Incognito mode 'effectively a lie.' Google continued collecting browsing data in Incognito mode through Safe Browsing, search suggestions, and other services. Billions of data records were ordered deleted.

⚡ high · firmware analysis vs regulatory findings
A federal court ruled Google's search monopoly is illegal. The DOJ wanted to force a Chrome sale. Chrome stays for now, but its 67.7% market share means Google's tracking defaults are forced on 3.83 billion people.

What they claim: Chrome is the most widely used browser with 67.7% global market share

What we found: The DOJ found Google holds an illegal search monopoly (August 2024). The DOJ proposed forcing Google to sell Chrome (November 2024). The court ruled Chrome stays but exclusive default deals are banned (September 2025). Chrome's dominance means Google's privacy defaults are the internet's defaults — 3.83 billion users affected.

⚡ high · policy vs app permissions
Google Chrome quietly installs a 4-gigabyte AI model on your computer without asking. No notification, no opt-in, no mention in update notes. You find out when your hard drive fills up. For managed environments — schools, businesses, healthcare — this means unaudited AI capabilities appearing on devices that are supposed to be locked down.

What they claim: Google states Chrome respects user preferences and provides transparency about features and data usage

What we found: Chrome silently downloads and installs Gemini Nano, a 4GB AI model, on user devices without consent, notification, or opt-in. No disclosure in update notes. Users discover it only by checking storage.

⚡ high · marketing vs third party research
Google updated reCAPTCHA so it only works if your Android phone runs Google Play Services. If you use a privacy-focused phone like GrapheneOS, you can't pass the "I'm not a robot" check on banking sites, social media, or online shops. iPhones work fine. Your choice: let Google track you, or get locked out of the web. Brave's CEO called it what it is — deciding which devices deserve internet access.

What they claim: Google claims reCAPTCHA protects all users from bots and abuse

What we found: In May 2026, Google updated reCAPTCHA to require Play Services v25.41.30+, locking out every de-Googled Android device (GrapheneOS, /e/OS, LineageOS). The new QR-code verification needs a cryptographic handshake that only works with Play Services installed. iOS users face no equivalent restriction. Privacy advocates including Brave CEO Brendan Eich called it a strategy to entrench Google services. Users must choose: accept Google tracking or lose access to banking, social media, and e-commerce sites using reCAPTCHA. The move echoes Google's abandoned Web Environment Integrity proposal from 2023, which would have let tech companies decide which devices deserve web access.

Latest Risks & Threats
New developments that compound existing privacy concerns. 2 active threats · 1 emerging risk.
RISK · Built-in on-device AI for content generation · 🤖 AI · Announced 2026-05-28
Chrome is adding on-device AI APIs for content generation, moderation, and enhancement. This lets websites run AI models locally through browser APIs, expanding Chrome from a renderer to an AI execution platform with access to page content.
THREAT · Google publishes exploit code affecting millions of Chromium users · ⚠️ Security · Announced 2026-05-22
Google published working exploit code for a Chromium vulnerability before many downstream browsers (Edge, Brave, Opera, Vivaldi) had patched. Millions of users on Chromium-based browsers were exposed to a known, weaponised exploit with public proof-of-concept.
THREAT · Privacy Sandbox Replaces Cookies with Google-Controlled Tracking · ⚠️ Privacy · Launched 2024-01-04
Google killed third-party cookies in Chrome and replaced them with "Privacy Sandbox" — Topics API, Attribution Reporting, and Protected Audiences. Instead of thousands of companies tracking you with cookies, now one company controls all the tracking: Google. The browser with 65% market share decided it would be the sole gatekeeper of ad targeting. Privacy groups called it a monopoly play disguised as a privacy feature. The UK CMA forced Google to make concessions. Google then reversed course and kept cookies anyway — while also keeping Privacy Sandbox.
What happened to real people
Documented incidents involving Google products and user data.
Jorge Molina jailed 6 days for murder via geofence warrant based on Google Sensorvault location data. Lost job, car, reputation. Charges never filed. [source]
PRISM participant since 2009. NSA collects stored communications. FBI conducts warrantless 'backdoor searches' of American data using names and email addresses. [source]
Google received 180 geofence warrants per week by 2019. Each warrant searches tens of millions of accounts. Supreme Court hearing constitutionality (Chatrie v. United States). [source]
What your data is worth to governments
Google complied with 235,000 government data requests in H1 2024, an increase of 530% over 10 years. Google has been a confirmed PRISM participant since 2009. Under this programme, the NSA collects stored communications. The company is legally prohibited from telling you. Jurisdiction: US (CLOUD Act, FISA Section 702, Patriot Act).