Google sets a date for Chrome extension privacy revamp

From January 18th, developers must be clear about how they're handling user data

Google has set a go-live date for a sweeping set of changes to Chrome's extension privacy rules. At its Chrome Dev 2020 Summit this week, the company set a January 18 deadline for developers to meet new data usage restrictions.

Like many other web browsers, Chrome allows third-party developers to publish their own programs that plug into the software and enhance its functionality. The company has seen developers repeatedly abuse security and privacy with these extensions, so it’s spent the last couple of years tightening its rules for extension development.

The latest changes give browser users more control over the permissions they provide browser extensions. Under the current model, granting permissions to Chrome extensions was an all-or-nothing affair. Once they had permission to gather certain information from your browsing sessions, extensions could interact with any site the user visited. 

Under the new rules, users can decide which websites the extension can access and save those settings on a per-domain basis.

The search giant also set a date for the introduction of new privacy rules announced last month. Starting on January 18, all extensions must display privacy cards explaining the data they collect.

Google will collect that information from developers via disclosure forms made available on the developer dashboard today. These forms highlight information types, including personally identifiable information (PII), health, and financial data. 

Developers must also explicitly state whether they collect authentication data, personal communications, web history, location data, the website content a user views, and the activity they engage in when on the site, such as mouse clicks and scrolling.

Developers must also use these forms to certify compliance with a new limited-use policy that Google added to its developer policy page last month. These rules restrict what developers can do with the data they collect.

This will ensure that developers only use data they collect for a single purpose, and only transfer it to third parties if necessary for that purpose, or to protect against malware. Humans won't be allowed to read that data without explicit user consent or unless data is anonymized. Notably, the new policies ban the use of data for advertising or assessing creditworthiness.

At issue, though, is how strict Google will be in enforcing those policies. Developers who haven’t filled out their privacy disclosure forms by January 18 won't necessarily have their extensions removed from the store. Instead, Google will display a warning to users before installation.

These rules stem from an existing Google initiative called Project Strobe, announced in May 2019. The project introduced rules requiring extensions to request access only to the data they needed. The rules also required extension developers to display privacy policies, but only when collecting certain types of sensitive data.

The developer disclosures will go live one day before Chrome 88’s release. That will include version 3 of the Manifest extension security framework, which will ban the use of remotely hosted code. Code run outside the extension can circumvent the company's malware detection tools.

Featured Resources

B2B under quarantine

Key B2C e-commerce features B2B need to adopt to survive

Download now

The top three IT pains of the new reality and how to solve them

Driving more resiliency with unified operations and service management

Download now

The five essentials from your endpoint security partner

Empower your MSP business to operate efficiently

Download now

How fashion retailers are redesigning their digital future

Fashion retail guide

Download now

Recommended

Chrome vs Firefox vs Microsoft Edge
web browser

Chrome vs Firefox vs Microsoft Edge

7 Jul 2021
5 most secure smartphones
Mobile Phones

5 most secure smartphones

28 Jun 2021
Windows devices targeted by PuzzleMaker malware exploiting Chrome zero-day flaw
zero-day exploit

Windows devices targeted by PuzzleMaker malware exploiting Chrome zero-day flaw

9 Jun 2021
How to reduce your online footprint
privacy

How to reduce your online footprint

7 Jun 2021

Most Popular

The benefits of workload optimisation
Sponsored

The benefits of workload optimisation

16 Jul 2021
Samsung Galaxy S21 5G review: A rose-tinted experience
Mobile Phones

Samsung Galaxy S21 5G review: A rose-tinted experience

14 Jul 2021
RMIT to be first Australian university to implement AWS supercomputing facility
high-performance computing (HPC)

RMIT to be first Australian university to implement AWS supercomputing facility

28 Jul 2021