Last time I took apart the Google Chrome setup experience and came away disappointed that the Google Updater got left behind. This morning the Google Updater had another surprise. Well, it isn't so much a surprise as it is a departure from the norm and I'm curious what you all think about it.
The background.
The story actually starts a few days ago when there was a discussion on some mailing lists about the easiest way to crash Google Chrome. All you had to do was type ":%" into the address bar and the whole thing would blow up. However, this morning someone noted that the crash no longer happened but was baffled since nothing had changed. It turned out that Google Chrome had been updated silently.
The details.
It turned out that ZDNet Australia had already run down the story that included a couple nice quotes from a Google representative:
Google knows best
Without a manual check, Chrome will update itself automatically, Google said. "Google Chrome will automatically checks for updates approximately every five hours. If an update is available, it will be downloaded and applied at the next browser restart," Google said.
Google believes it's best if Chrome applies security updates not only without a description of what's changing, but also without an opportunity for users to decide whether to accept the patch.
"Users do not get a notification when they are updated ... When there are security fixes, it's crucial that we update our users as quickly as possible in order to keep them safe. Thus, it's important for us to not require user intervention," the company said in a statement.
My reflection.
Clearly fixing any security issues in the browser is paramount. But does the need for distributing security updates and bug fixes trump the user control over the software? The Google Chrome EULA grants Google the right to do just that. In fact, the update clause has its own top level number. Number 12:
12. Software updates
12.1 The Software which you use may automatically download and install updates from time to time from Google. These updates are designed to improve, enhance and further develop the Services and may take the form of bug fixes, enhanced functions, new software modules and completely new versions. You agree to receive such updates (and permit Google to deliver these to you) as part of your use of the Services.
But just because Google says, in an electronic document that most users never read, that they may push new software to your computer does that mean they should do so without informing the user?
I can tell you that no Microsoft legal representative I've talked with has ever allowed such a clause in a Microsoft product. By default, the user must always be notified that an update is available and/or required. The user must also accept the update before it can be applied. If the user chooses not to accept a required update then the product may choose not start but a silent update is never an option.
But I've argued (unsuccessfully) that updates should be automatic and silent by default. Of course, users should be provided the option to opt-out and require notification/approval of updates. And, of course, group policy should be respected so that businesses can manage their desktops.
Personally, I think that Google has gone a bit too far requiring silent and automatic updates. I think their current outlook will slow their adoption in enterprises (if that was even a goal for Google Chrome). Time will tell if anyone really complains about the updates. My prediction is there won't be unless Google silently updates to a bad/broken behavior.
My question.
So, what do you think about this automatic and silent update behavior?
If only IE had bothered to upgrade itself as aggressively, the Web wouldn't be held back and taken hostage by the broken legacy of IE6 and IE5.5, whose users are not savvy enough to confirm updates.
If you are selling software to the enterprise market you have to deal with the ones with the checkbook; IT. If you are selling eyeballs to advertisers, that that is Google's business model, you can go around the IT and be the IT department to everyone, in every enterprise. When offered to individuals, not IT, auto updates which rarely breaks something for five hours will win over something that asks keeps asking if they are going to be ok with the update. They don't know. When would you say no?
Undo is much more valuble. If what worked yesterday is broken now, show my what changed and let me undo until I'm fixed. The next auto update may be better, if not I'll undo that too.
I think it's great. What are the arguments against it?
This application will never be permitted in a responsible corporate environment. I'm a developer at a hedge fund, and environment changes need to be tested against in-house applications before roll-out.
In fact, it is just your post that let me know my Chrome installation is already upgraded. OMG, Google really does something I want (but may not be what enterprises want).
Yes, I feel really good unless Google delivers me a broken Chrome some day. :)
While I wish that users would keep their software up to date to avoid their computer becoming part of a bot net, I think the user should be in control, i.e. notified and have a chance to decline an update. This is even more important with the recent trend to ship additional products like browser toolbars etc. with security updates.
BTW there's one exception at Microsoft: the Windows Update client automatically updates itself without asking the user even if that option is selected (http://blogs.technet.com/mu/archive/2007/09/13/how-windows-update-keeps-itself-up-to-date.aspx)
I don't like anything to be installed silently on my machine!
Now I see the true strategy behind this since (if you click into my post on this matter) Chrome installs outside of the Program Files folder! This is to avaid the UAC feature and enable silent updates without running as admin! This is DANGEROUS!
(Hey your blog looks just like mine!)
Cheers,
/Magnus
Part of me wants to be able to turn this off, but it has one key benefit that hasn't been mentioned so far (assuming that new versions get pushed to EVERYONE at once).
There's only ever one version! it's called current!
Development gets easier, for Google. (they only ever have to work on one version at a time)
Development gets easier, for developers creating web sites (no need to detect and account for browser version)
Support is easier. (You never have to ask what version someone is using, just get them to reboot and you will know.)
Imagine if there was (and only ever had been) a single (auto self updating) version of IE. How much time and effort would that have saved you? the world?
I like this, it is way better than the stupid Windows Defender and Outlooks AntiSpam rules that I have to choose to install..
(That is, I choose to let windows update download its things, but I want to select what an when to install, but defender things, and antispam updates, no way, I want those to go in un-noticed, just as my anitvirus software updates itself..)
I may be a little grouchy this morning, but I actually don't hate this. A large contributing factor to the mess that exists with bot networks, trojans, etc is that users apparently can't be trusted to update their machines promptly. If they can't be trusted to do it themselves, then do it for them (and make it painless).
My opinion: Never do automatic, silent updates without asking the user. Ask right upon first startup, explain the available options and recommend automatic updates. That let's the user in control. Doing it silently and not letting the user know is not trustworthy.
At least I think that this is dangerous way to go. Placing Chrome outside the normal application shields and making it writable to anything that runs in user mode is irresponsible.
To silent update without first informing about it, I would call irresponsible as well.
However, its all things together that worries me. They circumvent safeguards that MS sets up and by doing so the open up parts of the system for attacks.
I think automatic and silent updates are the way to go. If Google starts pushing ads, other products etc. (which I don't think they will) I'm out of here.
I received a warning from Symantec Endpoint Protection (SEP) that chrome.exe had changed since last time I ran it.
I hadn't received any notifications from chrome so I wondered about it and eventually found your description - thanks! Great info on the install procedure too.
Btw. SEP is not on friendly terms with Google Chrome. SEP will block a system call from chrome.exe, causing a crash see eg. http://sonicko.com/online-marketing/google-chrome-crashes-and-burns/.
If one of the premis for chrome is to break away from microsofts great hold then Why do they do the same as microsoft in the area of support only for xp or vista & linux . if they were realy interested in that! they would scurry along and come up with a patch for ALL windows users .
Well, I think that automatic updates are not evil per se. But I agree with rob saying that it have to be an opt-in option to user.
If Google, or anybody else, wants to have only 1 current version of it's software it can be without silent auto updates. It's sufficient that a not opt-in installation block himself on opening when a new update is available, saying that to use the software you've to update it first.
It's radical but it's clear and clean.
If a user opted-in the auto update, the software have to notify the user that an update occurred and let user know what the update is all about.
If really Google wants to not be evil, I think that this kind of behavior begins to brake this tagline...
BTW i continue to use it ;) [it's way more fast on my machine that others]
I was surprised to see keyboard shortcuts for Yahoo mail suddenly working. Initially they were not. Looked around for 'Get updates automatically' setting and could not find one! All I can say is thank god Adobe Acrobat and Apple Quicktime don't do this or we will go crazy everytime we use these software.
While I don't have an opinion that covers all software, it makes sense to me that Google would automatically update their own web browser. The web browser is for viewing web pages, and how often do you get to prevent a web page from updating?
True, some sites offer the previous version for a while, or a preview of the next version, but you still can't run an arbitrarily old version.
Just didn't see this viewpoint mentioned yet.
Don't mean to pick on your new adventures or anything, but I see similar functionality in Live Mesh. When I run Live Mesh, I'm given an option to update, but no clear option to turn off update checks or sticking to a particular version which I originally downloaded.
What’s the point of providing users with an option to update without providing them all the details and information required to judge for themselves whether or not it’s in their best interest?
As someone else said, Chrome is built for home users, not for corporate use, at least for now. So there is some merit to silent updates. As an admin, I don't like things happening on my machine that I don't know about, so, I killed the googleupdate.exe and removed it from the autorun list. Problem solved.
Though I really like Chrome, I would never allow it's use in my environment in it's current state. However, since it's open-source, if some corp DID want to use it, it could easily be customized for any environment.
So, like many things, it depends on your needs.
Call me old fashioned ... I don't like my systems doing anything that changes the environment without asking me first.
I work in a variety of environments [development / testing & at customer sites] and NONE of them would allow an app like this in to their environments.
I think its sneaky, invasive, and downright devious! BUUUTT... they are completely within their rights to do so. The purpose of a EULA is to bar against being sued later when a user says "hey, you can't do that". Then Google would say "listen, it says right here in regular 12 point font that we would do it, and you clicked this little box indicating that you're ok with that".
I'm not saying its right, but its allowed.
I'm against any kind of sneaky activity. An option to disable this automatic update should had been given, at least.
Provided there is an option to switch to prompting first behaviour if you want that, then I'm fine with it as a default.
At some point Google will put out a buggy update and everyone will howl. Also some users will have a dilemma if they haven't restarted their browser by then....
@Magnus Mårtensson:
This behavior isn't dangerous because it's a per-user installation. The application installs to a location that doesn't require admin privileges, so there's no elevation to be had.
Even if a virus or something happened to get in via this vector, it doesn't have permissions to do anything meaningful (linux argument), so the concern is void.
Like Magnus said, I don't allow anything to be installed silently on my machine, except virus definitions.
It's debatable whether or not one-sided EULA's are even legal (check the late Ed Foster's Gripelog), buuut, I let my firewall decide what gets through & what doesn't. I only allow Chrome to update when I know there's an actual update. Otherwise, the installer is blocked.
And
From what I read some like the Automatic Update, others (like me) don't. A simple solution would be to allow the user to choose, we all like to have a choice right?
I would really prefer to know exactly is being downloaded and installed onto my own, rather precious PC. I also hate the fact that there is a Google Update service doing its own thing in the background of Windows taking away my choices and control of my own computer not to mention using resources and bandwidth.
One aspect of Google Chrome is the speed. It is faster than Firefox 3.0 and about 6 times faster than IE with our application (http://www.taskwriter.com). See the graphs: http://www.taskwriter.com/blog/how-good-chrome-really-is.
Why not, don't have any problem with it.
Personally, I trust Google a lot more than MS, so I don't find it impossible to allow Chrome to add some improvs without asking. However, if its a big update, going into a few hundred KBs or even MBs, I would like to be informed.
Hmm. If it was from a company other than Google then Chrome would be off my pc as soon as I discovered Google Updater running.
The question is, how much do you trust Google?
Actually, I think its great, especially for those of us who are not knowledgeable enough to decide when to accept an update or not. Perhaps an "un do" option may be in order in case it is absolutely needed.
Even disabling the service on startup does not keep Chrome from launching google updater. With services disabled and the updater not even in any windows startup folders it still launches itself every couple hours and stays in memory unless you end the task each time. That says spyware to me, not that I suspect google of doing anything actually harmful to my PC; but, I like controlling which programs are in use when, especially when it throws up a firewall alert as it tries to connect to the internet and what happens if you don't allow the communication? it launches itself again, and again stacking google update programs in your memory until it is either allowed or each process is killed. No option to switch behavior that I can find.
As long as updates don't include additional software that was never requested and Google sticks to security and chrome improvements, there's no problem.
I just think that Google Chrome is the best browser and people should stop arguing about it.
The user actually does have a choice .. they can install and use it or uninstall and not use it. It is 'free' software after all, and their are lots of other options to choose from.
no it doesn't or the update is as bad as the original
One of the in-house apps of my workplace works under this method - everytime someone runs the program, the latest version appears.
And this has worked perfectly for the past 10 years.
And with hundreds of instances of the app at any one time, it's important that everything works perfectly. If something is wrong, an update can be rolled out in minutes, allowing anyone needing the newer version to simply run another instance.
It's primarily down to code discipline. From obvious things like coding properly, debugging and comments. Comments make the world go round! Comment the faulty code, explain why and the changes made. That way you can a) revert if theres a problem, b) prevent similar errors and c) keep the other programmers in the loop incase they notice patterns with data feeds, etc.
I'd hazard Google are already pretty up-to-scratch with running-updates for inhouse systems. Having hundreds (thousands?) of servers crunching away, any updates will need to happen with virtually no intervention.
Maybe more experienced than Microsoft in this field?
WAKE UP PEOPLE!
Its not just an upgrade silly! its an upload! Yes Google is supplying all your activities to the US government, they have a database, with all of you featuring in it, they have an image of your profile if you use a web cam, your eyes from your photos, your voice from your IM chat and all linked to your IP address.
When you hear that crunching noise since your chrome install, your hard disk is actually being scanned, you will notice that this doesn't show on you CPU usage, and you don't notice the silent upload which takes place while you are browsing the web.
People should write to their MP's and demand an explanation for your privacy theft, your government knows it's happening but won't make a move until you do.
It won't be long until you are arrested for something that you didn't do because someone else put something on your pc or borrowed your IP address.
For most people, yes, i know how it is to provide them support, and auto-update is great. But I am tech-savvy, and I want to be in control of my own macine.
Moreover, I live in a country where 8KB/s internet connections are common, and internet is expensive (often not 24hrs cable but dialup over phone). So an update is *never* silent for us. Even if the internet is on 24 hours, you definitely notice the internet pathetically slowing down if a background process is downloading something that big.
I download at 2mins/MB, and internet connection is a precious resource that I need to be in control of.
I still remember, "Don't be Evil".
Imagine if Microsoft (the big bad wolf) does this at the moment. I'm betting all my money that people all over the net will curse and swear at Microsoft, hoping that it'll die a terrible death.
But, hey, it's Google, the good guy, remember? That makes it okay....... I guess :)
@Tim, you might want to see a psych. You may have some issues. If you have doubts about what Chrome is doing, download the source and see for yourself...
http://dev.chromium.org/getting-involved
you know, thats what really draws me to google chrome, because it's so light weight and no fuss, it's purely web-browsing experience. now if they could just work on all the bugs...
I'd like to take a moment to remind you all that if there's an option to opt-out of updates, then many people will opt-out for no reason other than superstition and paranoia. This will lead to chrome's user reviews being skewed by people who cannot get an unsupported version to run correctly. Consider how many people rant about IE being unstable and insecure, and ask yourself, how many of those are actually patched and up-to-date? How many of the people who make snide remarks about linux have used it in the last 5 years?
If the same type of thing is allowed here with chrome, then many people will have bad things to say about chrome simply because they're refusing to patch, and having the typical problems that come with not patching.
And, to sum up a question that the OP made, i'd like to point out the invalidity of the question.
"But just because Google says, in an electronic document that most users never read, that they may push new software to your computer does that mean they should do so without informing the user?"
NO, they shouldn't do it without informing the user, but they DID inform the user, upon installing the software, in the EULA that they were sure to provide, and some users were too lazy to read.
But YES, putting it in the EULA in plain text gives them the right to do all of this, it's a legal agreement, and just because people are too lazy to read them doesn't mean that it's shady behavior.
Imagine for a moment, if you turned in a resume` for a job, and the employer hired you without reading it, and then later tried to reprimand you because you didn't have training on the standard machinery for the trade. If you didn't lie in your resume`, and the employer didn't bother reading it, then did you lie/scam?
Would it be fair for the employer to reprimand you?
In summary, all i have to say is, Seriously? google rolls out this nice new peice of software, and doesn't lie to us like some companies have been known to do, and all you can do is complain about how you can't use unstable/unsupported/insecure versions?
wake up, see what google's doing here, and if you don't like it, don't use it, just be glad they aren't lying to us.
Wow. I really didn't expect such negative responses for the updater.
I have to say that I absolutely love it. For example, the bookmark bar is something I use a lot. One update made it so the bar disappeared after you loaded a website in the tab. This annoyed me a little but it must have annoyed a lot of other people because another update put it back to the old way. The fact was I didn't have to touch a single button and the problem sorted itself out. Magic!
In contrast to this, I love iTunes but I hate updating the software. Updates happen infrequently but frequently enough to annoy. I open the program to listen to music, get an update message, click yes, wait for the update to download and install (which takes time), wait to restart iTunes, then I can finally listen to music. It's not the worst thing in the world but it's not exactly fun either.
The fact is Chrome simply works. I spend less time waiting for updates to download and more time just browsing the web. Isn't that a step in the right direction?
Without forced updates, you end up with crap like Internet Explorer 5 and 6.
I updated Google Earth and it installed Chrome without asking. Google is becoming too spammy.
Silent software upgrades are certainly welcome, especially in non-commercial setting. I don't think most users understand the bug-fix or update enough to make a call anyway. It's in Google's interest to make sure they don't breach privacy in anyway and beyond that its adding value. Just because Microsoft does it does not make it a requirement.
I started chrome and zonealarm told me it had "changed". I did not approve a "change". It has been blocked from any network contact.
Done.
If you subscribe to a mailing lists the (if it's reputable) you opt in, so you are choosing to commit to receiving downloads. So if you want anything else that requires regular downloads, you should also have that option. Like many many people around the world I'm on a limited monthly download, not very fast, broadband plan, and I need to count every megabyte (yes megabyte, not even gigs). Chrome doesn't even have the courtesy to tell you the size of the downloads you are forced to receive. So sadly, as soon as I realised what it was doing, I uninstalled it.
Fortunately I have a security agent on my PC that blocks these kinds of silent upgrades. I value Chrome for one particular feature, which may actually be a bug, and I don't want Google taking it away with an "upgrade." For everything else I use Firefox.
On WinXP googleupdate is in Sheduled Tasks, runs when PC idles for 10 min. Disabling it is no problem, if you have to.
My virus software picked up on the fact that the Chrome binary had changed. Without any notification of the update how do I know if the change is a genuine one or as a result of a malicious act?
I agree with those who don't want some unknown (or even some known) process deciding what to download over the Internet and when. I understand that some folks like automatic updaters and I'm fine with having that as an option, but it needs to be something that I can disable or the software will never be installed on my computer.
Not everybody has broadband. My dial-up connection gives me maybe 5kbit/sec and bandwidth is very precious to me. If Google decides to start downloading a 13MB update in the background, believe me, I will notice. If I have no other way to gain control over the process, I will force-quit the application and uninstall it immediately. As someone remarked earlier, there are no silent downloads on a low-bandwidth connection.
I am greatly in favor of automatic updating, and I don't think it should even be an option in standard browsers.
The internet is about interconnectivity. When some people have an outdated or vulnerable browser, it slows the development of innovative websites for everyone. Moreover, it also increases the risk of everyone catching viruses because vulnerable browsers can be exploited to attack other websites and networks. By allowing quick, automated updates, Google can keep the internet progressing and help reduce the risk of viruses and hackers.
I understand what Beerslayer says about dialup users. However, Chrome updates are usually very small and nowhere near 13MB in size. I understand what others have said about secure corporate environments. I'm sure managed IT environments could find a way to work around the automatic updates just like they find ways to work around other features they don't like. (In fact, I know there are ways to modify Chrome's pref file to change this update.)
I've found Chrome to have the least intrusive update system of any software I've other used. It just works, period. I don't need to deal with nagging dialog boxes, I don't need to restart my computer, I don't need to decide whether a particular update is worth it... In fact, I don't even notice when an update is happening. That sort of seamlessness is the way computers should work. Please, Google, don't change a thing!
As a question of principle, I don't like not to have the control over what goes in and out of my computers.
Moreover upgrading something that works flawlessly may only cause a nonzero probability of something not working flawlessly anymore.
That's the reason why I disable the automatic update feature of Chrome. Otherwise, Chrome is a truly fantastic browser.
I was doing some fast paced, aggressive browsing (in a hurry type opening 10 windows at once to an already crowded 25+ open tabs) and google crashed or I crashed google several times.
Unlike Firefox I wasn't able to get (after the crashes) my windows to open back up. So i had to go extensively digging through the history and wasted a lot of time getting going again.
I began to wonder if i needed updates or why (all of the sudden google was crashing so much on me... I guess it's their tool and they just let us play with it. I'd like the option to decide. I LOVE firefox 3.5, but I liked the workings of firefox version's 1 - 2 especially their bookmarking and longer tab designs far more than the current firefox. If it weren't for security vulnerabilities i'd far prefer to use it.
Take IE6 to IE 7 & 8. I lost the ability to hover over a picture and snag it without having to right click / which is sometimes disabled on some sights with code so then I have to get all criminal and find a hack around it. I mean sometimes the old products just work better. I'm behind (3) firewalls of sorts and a robust AV/Malware protection setup. If I want to use an older "riskier" browser who cares?
If they want to update the unknowing, hazardous users out there automatically that's fine, but I'd like a heads up.
It may be a finite or useless point to argue, but google sometimes acts more imperialistic than M$. And while at heart I LOVE google. I have a growing distrust for all their data gathering and heavy handedness. I'll take them 3:1 over the EMPIRE everyday, but lets just hope LUKE doesn't grow up to take over the world with HAN & LEAH> while we mop up the remains of the declining/crumbling empire!!
=OR= at least let me know so I can move over to or at least open my windows up in Firefox as a back up so I don't keep losing my work while you tweak something in the background google.
Thanks to the silent update, I no longer have access to the recent bookmark bar which was a feature I used very often. I can agree to silently getting security updates, but functional changes should still get user approval. Besides, I don't have endless diskspace, I should only have things installed when I know I have the space to do it.
I demand that I know what software is doing on my machine. For that reason alone, Chrome is gone, and I will return to Firefox as my only browser. I certainly enjoyed Chrome and recently promoted it to my default browser, but when the "New Tab Page" changed without my knowledge or permission from something I actually switched for... to something less useful to me, it became clear that Chrome is not a tool I can use, but a tool for Google to use me. Google, I wish you luck, but I am not interested in any software that I have no control over. Usually, we call those things viruses, trojans, or other nasty names.
I agree, this is really great unless there is no broken updates. But I am really surprising about the changes made to the browser silently("how the users know certain feature added to browser, which he indeed required such one").
I think its lame if it updates in the background without asking first. Lets say Im playing Multiplayer game over the internet, and think that Im playing a clan war.. Well, if durning that clan war the chrome starts to update without any considering that the connection is already in use by anyway, it will cause my game to lagg and annoy so much that I could actually lag out. And btw, Im using chrome while Im typing this. Chrome is great for those who want faster browser with basic things. But for me.. well, I just see way too many GOOGLE advertisement and other ADs too than F-Fox with AD-Block
I was really disappointed to notice just now a little window in the bottom right of my screen announcing that Chrome has updated itself. At first, I thought it was a normal auto-update detection, despite the fact that I see no way to configure Chrome to check for updates like most software. To my horror, it said it had _already installed_ the update. So, not only did it assume I wanted an automatic update check, it went further and assumed I wanted to use my Internet bandwidth to download it. Google and their hype machine can go to hell. Chrome's leaving my PC immediately.
FireFox was always my main browser anyway. I only had Chrome installed to check compatibility when I was doing some web development. Well, like I said, screw Google. If someone isn't using FireFox, IE, or Opera then I don't care about them anymore.
The argument against it: I don't use Chrome for weeks, but it takes over my system several times a day (often) to tweak itself. Why can't it wait until I launch the application? I'm using MY system for other things!
I should be able to opt out of the group collective update as well.
I'll be deleting Chrome soon, I didn't see any magical speed improvements either.
There's no such feature for Linux :) Have fun letting MS/Apple/Google control your computer.
Rob, Matthew and anyone in between that I didn't read:
Seen any Black Helicopters lately?
“Paranoia runs deep, into your life it will creep…”
I have to say this is one of the best features in google chrome, and I do hope every browser adopts this in very near future. If this was the standard in all browsers we wouldn't have to wait years for things like CSS3 and HTML5 to become standards, everyone would have an updated browser allowing us to take advantage of these awesome features, that currently take forever to be a mainstream adoption, instantly.
Just my 0.02$ as a web developer!
Well, today the Google updated itself and iniciated a windows restart (it's clear to me from the event logs). Without no alerts! My unsaved work for previous 5-10 minutes are gone. So I'm just changing to firefox until they fix this very annoying behavior...