Google wants an AI agent to browse the web on your behalf. The catch? Every page it touches gets streamed straight to Google’s servers.
Chrome’s new Auto Browse feature, launched January 28, turns the world’s most popular browser into an autonomous agent. Tell it to find a cheap winter jacket, schedule a dentist appointment, or file an expense report, and Gemini 3 takes the wheel - clicking through menus, filling forms, and navigating sites while you watch from the sidelines.
It sounds convenient. It is convenient. But underneath the slick demo lies a fundamental shift in how Google collects your data, and a question the company keeps dodging: what happens to everything the agent sees?
How Auto Browse Works
Auto Browse lives in Chrome’s Gemini side panel, available to AI Pro and AI Ultra subscribers in the U.S. You type a task - “find flights to Denver under $400 for March” - and the agent goes to work. It opens tabs, reads page content, clicks buttons, fills out forms, and navigates across multiple sites to complete your request.
The system is built on Gemini 3 and draws heavily from Project Mariner, Google DeepMind’s experimental web agent framework. With Gemini 3’s multimodal capabilities, it can identify items in images, compare prices across stores, and even apply discount codes.
There are guardrails. Auto Browse is designed to pause before making purchases, posting on social media, or signing into accounts with your saved passwords. A detailed work log lets you review each step the agent takes. Google also deploys a separate “User Alignment Critic” model that checks whether the agent’s planned actions actually match what you asked for.
These are reasonable precautions. They’re also not the real problem.
The Privacy Problem Nobody’s Talking About
Here’s what matters: Auto Browse doesn’t run on your device. Every page the agent visits, every form it reads, every piece of content it processes gets streamed to Google’s cloud servers where Gemini does its thinking.
That means if Auto Browse is helping you compare health insurance plans, Google’s servers see your medical information. If it’s filing your expense reports, Google sees your financial data. If it’s scheduling appointments, Google sees your calendar, your contacts, your availability.
This goes beyond what Chrome already collects. Regular browsing sends URLs and some metadata to Google depending on your settings. Auto Browse sends page content - the actual text, images, and data on every page the agent touches.
According to Google’s own documentation, Gemini collects and processes “page content and the URL from your current tab and any other tabs you’ve shared with it.” Page content may be temporarily logged to your account and retained in Gemini Apps Activity data.
And when asked whether this content would be used to train future AI models? Google declined to say.
That non-answer says more than any press release.
The Security Risks Are Real
Google acknowledges the biggest threat facing Auto Browse and every other agentic browser: indirect prompt injection. A malicious website, a compromised ad, or even a cleverly worded product review could trick the agent into performing unintended actions - initiating transactions, leaking data, or navigating to phishing sites.
Google’s defenses include origin isolation through “Agent Origin Sets” that limit what sites the agent can access, plus the User Alignment Critic model that validates actions using only metadata rather than raw web content. These are genuine engineering efforts. They’re also untested at scale against adversarial actors who now have a powerful new attack surface: a single AI agent that can access your email, passwords, payment methods, and browsing history simultaneously.
Security researchers have flagged agentic browsing as a fundamentally new category of risk. When one interface can access emails, calendars, passwords, and payment flows, a single vulnerability becomes a skeleton key.
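To make the two defenses described above concrete, here is an added sketch (not Chrome's or Google's code) of a gate that decides on each planned agent action using only metadata: the action type and the target origin. The function names, the action shape, the `shop.example` / `pay.example` hosts and the per-task origin set are all assumptions made for illustration; the article does not describe how Agent Origin Sets or the User Alignment Critic are implemented.

```javascript
// Added illustration; every name here is hypothetical, not a Chrome API.
// Action types the article says Auto Browse pauses on.
const SENSITIVE = new Set(["purchase", "post", "sign_in"]);

// Reduce a URL to its origin (scheme + host + port). Unparsable or
// non-http(s) targets return null so the gate fails closed.
function originOf(url) {
  try {
    const u = new URL(url);
    return u.protocol === "https:" || u.protocol === "http:" ? u.origin : null;
  } catch {
    return null;
  }
}

// Build the per-task origin set from the sites the user's task involves.
function makeOriginSet(urls) {
  return new Set(urls.map(originOf).filter(Boolean));
}

// Decide on one planned action from metadata only. Page text is deliberately
// not an input, so instructions injected into a page never reach this check.
function gateAction(action, originSet) {
  const origin = originOf(action.targetUrl);
  if (origin === null) return { decision: "block", reason: "unparsable or non-web target" };
  if (!originSet.has(origin)) return { decision: "block", reason: `${origin} is outside the task's origin set` };
  if (SENSITIVE.has(action.type)) return { decision: "ask_user", reason: `${action.type} requires confirmation` };
  return { decision: "allow", reason: "in-set, non-sensitive action" };
}

// Return just the decisions for a whole plan, in order.
function reviewPlan(steps, originSet) {
  return steps.map((s) => gateAction(s, originSet).decision);
}

// Constructed sample: a shopping task, plus a plan in which one step has been
// steered toward a lookalike host and another toward a local file.
const taskSet = makeOriginSet(["https://shop.example/jackets", "https://pay.example/checkout"]);
const plan = [
  { type: "click", targetUrl: "https://shop.example/jackets?size=m" },
  { type: "navigate", targetUrl: "https://shop.example.evil.test/login" },
  { type: "purchase", targetUrl: "https://pay.example/checkout/confirm" },
  { type: "navigate", targetUrl: "file:///home/user/notes.txt" },
];

console.log(reviewPlan(plan, taskSet));
```

The comparison is on the full origin, so a lookalike host that merely starts with a trusted name, or the same host over plain http, falls outside the set.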
Auto Browse Wants to Shop for You, Too
The timing of Auto Browse isn’t coincidental. Google simultaneously launched the Universal Commerce Protocol (UCP), an open standard for AI agents to make purchases on behalf of users. Co-developed with Shopify, Etsy, Wayfair, Target, Walmart, and more than 20 other partners, UCP creates a standardized way for agents to discover products, manage carts, and complete checkout - all without the user ever visiting a retailer’s website directly.
The feature even includes Direct AI Checkout within Google AI Mode and the Gemini app, where purchases happen entirely within Google’s interface.
Connect the dots: Google builds an agent that browses for you, streams everything it sees to its servers, and simultaneously creates a protocol that lets that agent buy things on your behalf. The company that already dominates digital advertising now wants to be the intermediary for your actual purchases, with full visibility into your browsing, shopping behavior, financial information, and buying decisions.
This isn’t just a browser feature. It’s an expansion of Google’s data collection apparatus into a domain it couldn’t previously reach - the moment-to-moment content of every page you interact with, processed through its AI, with a direct pipeline to commerce.
What You Can Do
Don’t use Auto Browse for anything sensitive. Banking, medical records, tax documents, private communications - keep these out of the agent’s reach. There’s no way to guarantee that page content won’t be retained or used for training.
Check your Gemini Apps Activity settings. Go to myactivity.google.com and review what Google stores from your Gemini interactions. You can disable activity saving, but Google’s documentation is vague about what’s still collected regardless of this setting.
Consider a different browser. Brave offers its Leo AI assistant with conversations stored locally and optional on-device processing. Firefox is building AI features through its AI Runtime that prioritizes on-device processing. Neither streams your page content to external servers by default.
Use Auto Browse’s work log. If you do use the feature, review the detailed step-by-step log of what the agent did. At minimum, you’ll know what pages Google’s servers processed.
Be skeptical of “open” standards from surveillance companies. The Universal Commerce Protocol sounds great in theory - open, interoperable, supported by major retailers. But when the company proposing the standard is also the company that processes the transactions, hosts the AI, and runs the browser, “open” means something different than it does coming from, say, the W3C.
The Bigger Picture
Chrome Auto Browse is a genuinely impressive piece of technology. Having an AI agent handle the tedious parts of web browsing - comparing prices, filling forms, managing subscriptions - is the kind of practical AI application that actually saves time.
But Google has a track record of turning useful features into data collection mechanisms. Chrome itself was once just a fast browser. Then it became an advertising platform. Then it tried to replace third-party cookies with its own tracking system. Each step was individually defensible and collectively corrosive to privacy.
Auto Browse follows the same pattern. The feature is useful. The data implications are enormous. And Google won’t say what it plans to do with everything the agent sees.
When the world’s largest advertising company asks to watch an AI browse the web on your behalf and won’t tell you what it does with the data, you’re not the user. You’re the product.