On January 15, 2021, Google announced they are “Limiting Private API availability in Chromium” on March 15 2021. On this day, Chromium Browser users will no longer have access to features found in Google Chrome.
Chromium is an open-source browser developed by Google in 2008. Google’s Chrome browser is based on Chromium, as are other popular browsers such as Microsoft’s Edge, Opera, Brave, and Vivaldi. As of this writing, the browser market share across all platforms¹:
- Chrome 63.63%
- Safari 19.37%
- Firefox 3.65%
- Samsung Internet 3.49%
- Edge 3.24%
- Opera 2.16%
Google Chrome is the dominant browser, and Chromium, as the foundation of three others in the top six browsers, has almost 70% market share. Chromium is an important open-source project.
While Chromium is the foundation for many browser, it can also be installed as a stand-alone browser itself.
An API, Application Programming Interface, is a mechanism for software applications to talk to each other. GEO Location is a commonly used API. For example, an application passes a physical address to a GEO Location API, which then returns the latitude and longitude of that address. Many companies provide Geo Location API Services; some are free to access, and others require a paid subscription.
Before accessing an API, there is usually a registration process. Upon approval, the developer receives API Keys. There are various techniques for authenticating and access APIs. For simplicity, API Keys are similar to passwords; they are codes that allow accessing and are kept private. Each call to an API is authenticated using the API Keys, and access is denied without an active, valid set.
API Keys are used to identify the user making the API call. They are also used to track API usage, control rate limits, and control permission levels. An API Key with basic access may be allowed one hundred API calls an hour, while premium access is unlimited. Often, free subscriptions to an API have throttled rate limits and minimal features, while paid subscriptions have higher limits and more robust features.
Google API Permissions
The open-source Chromium source code includes calls to Google APIs. There are twenty-one Google APIs that provide a variety of functionality, most notably Google Sync. Sync offers the ability to synchronize bookmarks, preferences, extensions, and other browser settings with Chromium and Google Chrome running on other computers and devices.
To access Google APIs and enable features like Google Sync in Chromium, developers need to obtain API keys from Google. According to Chromium’s API documentation:
Note that the keys you have now acquired are not for distribution purposes and must not be shared with other users.” ²
“Many of the Google APIs used by Chromium code are specific to Google Chrome and not intended for use in derived products. ²
This documentation is clear that APIs keys should not be distributed with Chromium, and the Google APIs are intended for Google Chrome only, but, API keys are widely shared. For example, when installing Chromium on Ubuntu, the Google Sync is available.
The Wayback Machine’s first capture of the Chromium API page, on September 23, 2012, does not mention API restrictions, but they do appear shortly after on December 28 of the same year. While there is grumbling online regarding Google’s recent decision to limit API access, they have not changed their rules, as some are claiming.
Google left a lot of ticked off Linux programmers when it changed its API rules for Chromium” ³ - Stephen J Vaughan-Nichols, ZDNET
While Google may be guilty of recently deciding to enforce their rules, they have not changed them. Or have they?
Eric Hameleers, a contributor to Slackware, recently shared a 2013 e-mail he received from Google providing him “official permission” to use the API Keys in a way that is against published terms and conditions:
Note that the public Terms of Service do not allow distribution of the API
keys in any form. To make this work for you, on behalf of Google Chrome
Team I am providing you with….
Official permission to include Google API keys in your packages and to
distribute these packages. ⁴
Google had one set of public rules and another private.
After the January 15 announcement, Fedora maintainers took early action and quickly removed API keys from Chromium in their repository. As a result, Google API features do not work. Using Fedora’s version of Chromium, the user login page displays “Google API keys are missing,” and the Sync option is not available.
Ubuntu’s 20.10 version of Chromium still includes API Keys; therefore the Sync option is available. After March 15, I expect Chromium will look more like Fedora’s current version.
Major browsers based on Chromium have already replaced Google Sync with their sync service. I expect these browsers are also not using any of the other twenty Google APIs.
Google’s March 15 restrictions will mostly impact people using the Chromium browser itself. Given that many Chromium users are privacy-sensitive, a small percentage is likely using Google Chrome features anyway. The developers maintaining Chromium for a Linux distribution are the ones most displaced. They’ve been supporting Chromium, with Google’s APIs, for a decade on a secret handshake, and woke up on January 15 to Google pulling the rug out from beneath them.
What’s next for Chromium users?
If you are using the Google features in Chromium, why not use Google Chrome? If you like the Google Chrome features, but don’t like Google, give Firefox, Brave, or Opera a try. There are many browsers available for the FOSS and privacy-minded individual; just “Google it.” Did I say that?!
³ “Google should really open source Chromium”, Stephen J Vaughan-Nichols, ZDNET. (https://www.zdnet.com/article/google-should-really-open-source-chromium/)
⁴ “Google muzzles all Chromium browsers on 15 March 2021”, Eric Hameleers. Alien Pastures. (https://alien.slackbook.org/blog/google-muzzles-all-chromium-browsers-on-15-march-2021/)