Google was downloading audio listeners onto computers without consent before the bug was fixed, Rick Falkvinge, founder of the Pirate Party has claimed.
The 'black box' code was downloaded to enable a feature that activates a search function when you say "Ok, Google," however the code appears to have enabled eavesdropping on conversations prior to this – in order to hear the phrase.
The software is able to transmit audio data back to Google, but Google claim the code was merely downloaded without consent and knowledge, not activated.
On Monday, Debian maintainer Michael Gilbert said that the bug has been fixed, and the latest version of the Chromium package will no longer download the Hotword code by default.
In response, some users questioned whether Google should be trusted as an upstream contributor to the Debian project following the incident, saying that the project needs stricter controls as the source for Google’s Chrome web browser.
Falkvinge wrote: "Chromium, the open-source version of Google Chrome, had abused its position as trusted upstream to insert lines of source code that bypassed [the] audit-then-build process, and which downloaded and installed a black box of unverifiable executable code directly onto computers, essentially rendering them compromised.
"We don’t know and can’t know what this black box does. But we see reports that the microphone has been activated, and that Chromium considers audio capture permitted."
A Google spokesperson said: "We're sure you'll be relieved to learn we're not listening to your conversations—nor do we want to.
"We're simply giving Chrome users the ability to search hands free at their computers by saying “OK Google” while on the Google homepage—and only if they choose to opt in to the feature"
Chromium is an open-source project from which Google Chrome draws its source code.
Debian user Yoshihito Yoshino first reported the bug in May, after noticing suspicious network activity from Chromium 43, the most recent stable release of the open source version of the Chrome browser.
"After upgrading chromium to 43, I noticed that when it is running and immediately after the machine is on-line it silently starts downloading 'Chrome Hotword Shared Module' extension, which contains a binary without source code," Yoshino wrote. "There seems no opt-out config."
Join our new commenting forum
Join thought-provoking conversations, follow other Independent readers and see their replies