brave / brave-browser

Brave browser for Android, iOS, Linux, macOS, Windows.
https://brave.com
Mozilla Public License 2.0
17.73k stars 2.31k forks

[Desktop] Add toggle to disable Web Speech API (uses Google servers to transcribe messages in Google Search, some XMPP projects) #10126

Closed astrometrics closed 4 years ago

astrometrics commented 4 years ago

Web Speech API supports voice transcription by sending user's voice to a Google server... that's supported by Chrome and Firefox. As Brave is based on Chromium I guess it is wide open as well. Common implementations using this browser feature are: the microphone icon on Google Search, Jitsi Meet, Openfire XMPP server and so on... Sending voice content to Google servers to be transcribed and also opening the possibility of Google storing voice patterns that could potentially correlate to voices on phones and other surveillance equipment is a gigantic security and privacy hole... Chrome and Firefox implemented this without anyone really considering the potentially nefarious effects... (or have they?) I'd like to suggest an option to block this API and others that use external services without anyone knowing. But the Web Speech API must have an option to be blocked (default = API disabled) in my opinion.

thanks

astrometrics commented 4 years ago

Please read https://wiki.mozilla.org/Web_Speech_API_-_Speech_Recognition about it...

astrometrics commented 4 years ago

Hi @BSClifton, I'm a newb in this project. This issue seems to be really important in terms of security and privacy, but nobody is responding. Is it possible to talk about it with someone using IRC or something else? Could someone from Brave engage in this topic? Thanks

rebron commented 4 years ago

cc: @jumde @fmarier Can you let me know what you think?

fmarier commented 4 years ago

@astrometrics Are you suggesting a new toggle in brave://settings/privacy to disable this API?

astrometrics commented 4 years ago

Hi, my first intention was to bring that to your attention, as Brave claims it's a privacy/security oriented browser, concepts I believe are important. Many users will start to use this feature more and more, and a voice pattern x conversation content x IP x fingerprinting database will be gathered at Google servers; that kind of information will be crossed with telco info and so on. So that's the problem. A possible solution would be what @fmarier suggested. I believe that should be the standard type of solution for ANY service that uses known or unknown 3rd party external servers.

PS: you guys took too long to respond, but thanks anyway

astrometrics commented 4 years ago

Please read the article I posted before... that's enough information I think.

bsclifton commented 4 years ago

@astrometrics our speech to text API is currently not working, so Brave doesn't have this problem at the moment. It's been a long-standing problem actually (since at least March 2019; likely as long as our project has existed). https://github.com/brave/brave-browser/issues/3725 is the issue tracking this functionality not working.

Given that it's not working... we could add a toggle for this and even default it to false. But flipping it to true wouldn't do anything. Our API key only allows for up to 60 minutes / month of transcription, so I guess a few users would be able to use it before the allotted resources are gobbled up. I'm guessing other major Chromium browsers either provide their own implementation (Microsoft) or just fork over the money to Google to pay for the API usage.

Sorry it took so long to write a proper response ☹️ I did see this issue and intended to respond, but somewhere in my triage process I lost track of this issue.

astrometrics commented 4 years ago

@bsclifton: thanks for the info. So because the state of things is in an undefined middle, that is, currently the speech transcription API is not working (as far as I could understand), I would suggest for now to add an about:config type of setting with the Web Speech API disabled by default. Should the API capability be implemented in the future, then the new toggle in brave://settings/privacy could be implemented, which would be really just a front-end for the about:config setting.

bsclifton commented 4 years ago

Closing as a duplicate of https://github.com/brave/brave-browser/issues/10026 - somehow missed there was already an issue for this 😄