Google sets a date for Chrome extension privacy revamp

From January 18th, developers must be clear about how they're handling user data

Google has set a go-live date for a sweeping set of changes to Chrome's extension privacy rules. At its Chrome Dev 2020 Summit this week, the company set a January 18 deadline for developers to meet new data usage restrictions.

Like many other web browsers, Chrome allows third-party developers to publish their own programs that plug into the software and enhance its functionality. The company has seen developers repeatedly abuse security and privacy with these extensions, so it’s spent the last couple of years tightening its rules for extension development.

The latest changes give browser users more control over the permissions they provide browser extensions. Under the current model, granting permissions to Chrome extensions was an all-or-nothing affair. Once they had permission to gather certain information from your browsing sessions, extensions could interact with any site the user visited. 

Under the new rules, users can decide which websites the extension can access and save those settings on a per-domain basis.

The search giant also set a date for the introduction of new privacy rules announced last month. Starting on January 18, all extensions must display privacy cards explaining the data they collect.

Google will collect that information from developers via disclosure forms made available on the developer dashboard today. These forms highlight information types, including personally identifiable information (PII), health, and financial data. 

Developers must also explicitly state whether they collect authentication data, personal communications, web history, location data, the website content a user views, and the activity they engage in when on the site, such as mouse clicks and scrolling.

Developers must also use these forms to certify compliance with a new limited-use policy that Google added to its developer policy page last month. These rules restrict what developers can do with the data they collect.

This will ensure that developers only use data they collect for a single purpose, and only transfer it to third parties if necessary for that purpose, or to protect against malware. Humans won't be allowed to read that data without explicit user consent or unless data is anonymized. Notably, the new policies ban the use of data for advertising or assessing creditworthiness.

At issue, though, is how strict Google will be in enforcing those policies. Developers who haven’t filled out their privacy disclosure forms by January 18 won't necessarily have their extensions removed from the store. Instead, Google will display a warning to users before installation.

These rules stem from an existing Google initiative called Project Strobe, announced in May 2019. The project introduced rules requiring extensions to request access only to the data they needed. The rules also required extension developers to display privacy policies, but only when collecting certain types of sensitive data.

The developer disclosures will go live one day before Chrome 88’s release. That will include version 3 of the Manifest extension security framework, which will ban the use of remotely hosted code. Code run outside the extension can circumvent the company's malware detection tools.

Featured Resources

Choosing a collaboration platform

Eight questions every IT leader should ask

Download now

Performance benchmark: PostgreSQL/ MongoDB

Helping developers choose a database

Download now

Customer service vs. customer experience

Three-step guide to modern customer experience

Download now

Taking a proactive approach to cyber security

A complete guide to penetration testing

Download now

Recommended

Acer Chromebook 714 review: Unfussy, affordable and effective
Laptops

Acer Chromebook 714 review: Unfussy, affordable and effective

19 Mar 2021
Apple launches its privacy-label database
iOS

Apple launches its privacy-label database

12 Mar 2021
What is customer identity and access management? 
identity and access management (IAM)

What is customer identity and access management? 

9 Mar 2021
Virginia passes consumer data protection law
data protection

Virginia passes consumer data protection law

3 Mar 2021

Most Popular

Microsoft is submerging servers in boiling liquid to prevent Teams outages
data centres

Microsoft is submerging servers in boiling liquid to prevent Teams outages

7 Apr 2021
How to find RAM speed, size and type
Laptops

How to find RAM speed, size and type

8 Apr 2021
UK exploring plans to launch its own digital currency
digital currency

UK exploring plans to launch its own digital currency

19 Apr 2021