When you’re not on the known-safe-site list or recent cache, info about your web URL will be headed to some remote server, but Google says it won’t be able to see your web history. Google does all of its URL checking against hashes, rather than the plain-text URL. Previously, Google offered an opt-in “enhanced protection” mode for safe browsing, which offered more up-to-date malicious site blocking in exchange for “sharing more security-related data” with Google, but the company thinks this new real-time mode is privacy-preserving enough to roll out to everyone by default. The “Enhanced” mode is still sticking around since that allows for “deep scans for suspicious files and extra protection from suspicious Chrome extensions.”
Google’s diagram of how the whole process works.
Credit: Google
Google’s diagram of how the whole process works. Credit: Google
Interestingly, the privacy scheme involves a relay server that will be run by a third party. Google says, “In order to preserve user privacy, we have partnered with Fastly, an edge cloud platform that provides content delivery, edge compute, security, and observability services, to operate an Oblivious HTTP (OHTTP) privacy server between Chrome and Safe Browsing.”
For now, Google’s remote checks, when they happen, will mean some latency while your safety check completes, but Google says it’s “in the process of introducing an asynchronous mechanism, which will allow the site to load while the real-time check is in progress. This will improve the user experience, as the real-time check won’t block page load.”
The feature should be live in the latest Chrome release for desktop, Android, and iOS. If you don’t want it, you can turn it off in the “Privacy and security” section of the Chrome settings.