It’s the digital security training team at Freedom of the Press Foundation (FPF), with security news that keeps you, your sources, and your devices safe. If someone shared this newsletter with you, please subscribe here.
Chrome prepares to deploy AI ‘agents’ — alongside new risks
Google released a new blog post unpacking defenses it is planning for AI features in its Chrome browser. The company is preparing AI “agents” that would be able to browse for you and automate actions, for example, to make online purchases on your behalf. The problem is that when someone sends an AI an instruction, the AI may carry it out by retrieving data from a potentially untrusted source, in this case, the content of the pages in the browser. Websites can therefore inject malicious prompts: statements embedded in page content that are designed to fool the AI into taking actions other than the ones the user asked for. Google’s solution is the “user alignment critic,” essentially a second model whose job is to check that the agent is still complying with the user’s instructions.
Prompt injection is not new, and it has become something of a meme to fool AI tools with direct prompts to “ignore all previous instructions” and then redirect AI-automated bots to do something else. But as more companies deploy the technology in places where it didn’t exist in the past, tech firms are in a hurry to figure out how to defend against more oblique attempts to subvert an AI’s rules.
What you can do
- As our friends at Signal note, the risk with an agent is that it needs access to a lot of sensitive information in order to fulfill instructions. For example, if you ask an AI service to conduct a shopping task for you, at a minimum, this means it needs access to your name, credit card or bank information, a home address, and phone number. Google says, “When you use the Gemini in Chrome feature, Gemini collects and processes page content and the URL from your current tab and any other tabs you’ve shared with it.” Depending on the sensitivity of the task — say, when speaking with your sources or doing research on a personal health challenge — this may be an unacceptable risk.
- You don’t need to use these new features, but if you choose to, you can keep them contained to a dedicated Chrome profile specifically for this purpose. Think of a Chrome profile as a space to segment out multiple use cases for Chrome, such as work and personal use.
Updates from our team
- Planning to travel for the holidays? My colleague Davis Erin Anderson wrote up an advice column to help you minimize risk to your devices when you’re out and about. Read her new post.
- We won’t post a new digital security digest for two weeks while on holiday break. So we’ll see you next year! But our team will still be tackling security incidents, so don’t hesitate to contact us.
Our team is always ready to assist journalists with digital security concerns. Reach out here, and stay safe and secure out there.
Best,
Martin
–
Martin Shelton
Deputy Director of Digital Security
Freedom of the Press Foundation