Privacy concern for extensions that rely on SpeechSynthesis with non-local voices

From time to time, I try extensions which speak selected text - this helps me to digest a large amount of text & relax my eyes at the same time. The majority of those extensions use SpeechSynthesis API, and I was under the impression the API use only system voices. I found an extension in google chrome store, which didn't ask for any extra permissions, so I thought that it is safe to use. Still, I decided to check what extension is doing with the text and discovered 2 issues:

  • it was sending selected text to remote service to detect language automatically (fortunately that service is well known, and even though I don't want it to get text that I'm working with, this is not a security breach, just a privacy concern)
  • it was using SpeechSynthesis API with Google voices, which I don't believe I ever installed on my OS

While the first problem can be solved by disabling automatic language detection, the second was more interesting - I wanted to check if using Google voices would result in text being sent over the internet. This might be not a concern for many, but I prefer to limit what information I share with various services. The reason why I install such an extension is to listen to text privately, not share what I read with anyone for any reason.

For a test, I turned off my internet connection and tried to use the extension - it stopped working. Then I found documentation by MDN with a link to live demo of the API. In one browser, I got just system voices, and in Chrome Canary I got both system and Google voices. As expected, system voices do not require a network connection. A quick search confirmed, that some voices can require a remote connection. Fortunately, there is a localService property that can help to detect which voices are safe to use from a privacy perspective.

Always check extensions that you're using. Even though they might not need special permissions, they can still be doing something that can violate your privacy or security, even unintentionally. If you're interested to learn more about other ways to protect your privacy, you might like my other article about this.

Thank you for reading!

Disclaimer: Any viewpoints and opinions expressed on this site do not, in any way, reflect those of my employer.

All content, unless otherwise indicated, is licensed under CC BY 4.0.
© 2019.