It turns out that Google Chrome comes pre-installed with a hidden API that only Google can access, and the same goes for Chromium-based browsers such as Edge and Brave.



Luca Casonato, developer of JavaScript Registry (JSR) and Deno, has pointed out that Google's official web browser, Google Chrome, comes pre-installed with an API that only Google-related websites can access.

According to Casonato, Google Chrome gives all Google-related sites full access to information such as CPU usage, GPU usage, and memory usage on the system and on tabs. It also gives them access to more detailed processor information and a back channel for logging. Casonato points out that the APIs that enable this are not open to other websites and are only used by Google on its own sites.




'This is interesting because it clearly violates the notion that browser vendors should not favour their own websites over others. The Digital Markets Act (DMA) explicitly prohibits this and requires browser vendors to act as gatekeepers on the internet and provide the same functionality to everyone.'




'Depending on how the DMA is interpreted, disclosing information only on Google's relevant websites could be considered a violation of the law. For example, this feature puts Zoom at a disadvantage because it cannot provide the same CPU debugging capabilities as Google Meet,' he said, suggesting that the DMA may be violated.




According to Casonato, the API is implemented as a built-in Chrome extension that cannot be disabled by users, and does not appear in the extension panel. However, the source code of the API itself can be checked here. Casonato also mentioned that 'it is unclear whether the same extension is installed in other Chromium browsers (web browsers based on the same Chromium as Chrome).'




Subsequent investigation revealed that the problematic extension was pre-installed in Microsoft Edge, allowing Google-related websites to read information such as CPU, GPU, and memory usage.




Brave, known as a web browser that takes security and privacy into consideration, has also been found to ship with the extension pre-installed, just like Chrome and Edge.




The existence of this extension has also been discussed on the Internet message board Hacker News.

Google Chrome has an API accessible only from *.google.com | Hacker News
https://news.ycombinator.com/item?id=40918052



The API in question is called 'hangout_services,' so we can guess that it was developed for 'Google Hangouts,' which was discontinued in 2022 and replaced by Google Chat. One user said, 'For those who have forgotten, Google Hangouts was the first application that allowed video calling on a browser based on WebRTC. This API retrieves CPU, GPU, and memory usage and hardware details that apps don't normally get, and sends them to the app. My guess is that Google will respond to this uproar by removing the API, since Google Hangouts is already an obsolete product. Even if the server-side code still uses this API, it can definitely be removed. The Chrome team probably monitors WebRTC performance on multiple websites on its own.' Another user pointed out, 'This is the API currently being used by Google Meet. If you open the "Troubleshooting" panel at meet.google.com in Chrome, you'll see a real-time system-wide CPU usage report,' noting that the API is still in use.

On the other hand, some people say that it's okay if the API is removed because Google Meet works fine even in Firefox, which does not implement the problematic API. A user who used to work at Google said, 'I can assure you that they would not rename old code to match a rebranding that was done for show. It's not out of laziness, it's just because it has zero value and is risky,' explaining why the API was not renamed to match Google Chat, the service that replaced Hangouts.

Another former Google employee speculated that the API may have helped Google gain knowledge of the foundations of WebRTC, saying, 'I think the API helped make WebRTC a reality sooner. Unless I'm missing something, the API has been collecting data since 2008, whereas the first version of WebRTC was released in 2011.'

in Software, Posted by logu_ii