Running a Chromium-based browser, such as Google Chrome or Microsoft Edge? The chances are good it's quietly telling Google all about your CPU and GPU usage when you visit one of the search giant's websites.

The feature is, from what we can tell, for performance monitoring and not really for tracking - Google knows who you are and what you're doing anyway when you're logged into and using its sites - but it does raise some antitrust concerns in light of Europe's competition-fostering Digital Markets Act (DMA).

When visiting a *.google.com domain, the Google site can use the API to query the real-time CPU, GPU, and memory usage of your browser, as well as info about the processor you're using, so that whatever service is being provided - such as video-conferencing with Google Meet - could, for instance, be optimized and tweaked so that it doesn't overly tax your computer. The functionality is implemented as an API provided by an extension baked into Chromium - the browser brains primarily developed by Google and used in Chrome, Edge, Opera, Brave, and others.

Non-Chromium-based browsers - such as Mozilla's Firefox - don't have that extension, which puts them at a potential disadvantage. Without the API, they may offer a worse experience on Google sites than what's possible on the same hardware with Google's own browser, because they can't provide that live performance info.

There is, however, nothing technically stopping Moz or other browser-engine makers implementing a similar extension itself in Firefox, if they so chose.

Crucially though, websites that compete against Google can't access the Chromium API. This is where technical solutions start to look potentially iffy in the eyes of Europe's DMA.

Dutch developer Luca Casonato highlighted the extension's existence this week on social media, and his findings went viral - with millions of views. We understand at least some people have known about the code for a while now - indeed, it's all open source and can be found here in the preinstalled extension hangout_services.

That name should give you a clue to its origin. It was developed last decade to provide browser-side functionality to Google Hangouts - a product that got split into today's Google Meet and Chat. Part of that functionality is logging for Google, upon request, stats about your browser's use of your machine's compute resources when visiting a *.google.com domain - such as meet.google.com.

Casonato noted that the extension can't be disabled in Chrome, at least, and it doesn't show up in the extension panel. He observed it's also included in Microsoft Edge and Brave, both of which are Chromium based. We reached out to Casonato for more of his thoughts on this - though given the time differences between him in the Netherlands and your humble vulture in the US, we didn't immediately hear back.

Explanation

If you've read this far there's probably an obvious question on your mind: What's to say this API is malicious? We're not saying that, and neither is Casonato. Google isn't saying that either.

"Today, we primarily use this extension for two things: To improve the user experience by optimizing configurations for video and audio performance based on system capabilities [and] provide crash and performance issue reporting data to help Google services detect, debug, and mitigate user issues," a Google spokesperson told us on Thursday. 

"Both are important for the user experience and in both cases we follow robust data handling practices designed to safeguard user privacy," the spokesperson added. 

As we understand it, Google Meet today uses the old Hangouts extension to vary the quality of the video stream if the current resolution is proving too much for your PC. Other Google sites are welcome to use the thing, too.

That all said, the extension's existence could be harmful to competition as far as the EU is concerned - and that seems to be why Casonato pointed it out this week. 

"[This API] is a clear violation of the idea that browser vendors should not give preference to their websites over anyone else's," Casonato argued, citing the DMA's prohibition on self-preferencing under Article 6. 

DMA gatekeepers - of which Google is one - are required under the law to be impartial on-ramps to the world of the internet. Using a hidden API to give your services a performance edge may not fly under those rules. 

"Take for example Zoom - they are now at a disadvantage because they can not provide the same CPU debugging feature as Google Meet," Casonato asserted. 

Zoom are now at a disadvantage because they can not provide the same CPU debugging feature as Google Meet

Google told us it intends to comply with the Digital Markets Act. That's a smart idea, given it's already being investigated alongside Meta and Apple by the bloc's antitrust cops. European Commission officials kicked off a probe of the trio in March for what they called suspected failures to comply with DMA mandates. 

Meta and Apple have both since been charged with DMA violations, and the Commission is still working on its Google case. Whether this API will turn up the heat on the Chocolate Factory isn't clear - we asked European Commission officials for their take on whether the API would run afoul of the DMA and will update this story if we hear back. ®

https://www.theregister.com//2024/07/12/chromium_api_system_information/