Google sets a date for Chrome extension privacy revamp

From January 18th, developers must be clear about how they're handling user data

Google has set a go-live date for a sweeping set of changes to Chrome's extension privacy rules. At its Chrome Dev 2020 Summit this week, the company set a January 18 deadline for developers to meet new data usage restrictions.

Like many other web browsers, Chrome allows third-party developers to publish their own programs that plug into the software and enhance its functionality. The company has seen developers repeatedly abuse security and privacy with these extensions, so it’s spent the last couple of years tightening its rules for extension development.

The latest changes give browser users more control over the permissions they provide browser extensions. Under the current model, granting permissions to Chrome extensions was an all-or-nothing affair. Once they had permission to gather certain information from your browsing sessions, extensions could interact with any site the user visited. 

Under the new rules, users can decide which websites the extension can access and save those settings on a per-domain basis.

The search giant also set a date for the introduction of new privacy rules announced last month. Starting on January 18, all extensions must display privacy cards explaining the data they collect.

Google will collect that information from developers via disclosure forms made available on the developer dashboard today. These forms highlight information types, including personally identifiable information (PII), health, and financial data. 

Developers must also explicitly state whether they collect authentication data, personal communications, web history, location data, the website content a user views, and the activity they engage in when on the site, such as mouse clicks and scrolling.

Developers must also use these forms to certify compliance with a new limited-use policy that Google added to its developer policy page last month. These rules restrict what developers can do with the data they collect.

This will ensure that developers only use data they collect for a single purpose, and only transfer it to third parties if necessary for that purpose, or to protect against malware. Humans won't be allowed to read that data without explicit user consent or unless data is anonymized. Notably, the new policies ban the use of data for advertising or assessing creditworthiness.

At issue, though, is how strict Google will be in enforcing those policies. Developers who haven’t filled out their privacy disclosure forms by January 18 won't necessarily have their extensions removed from the store. Instead, Google will display a warning to users before installation.

These rules stem from an existing Google initiative called Project Strobe, announced in May 2019. The project introduced rules requiring extensions to request access only to the data they needed. The rules also required extension developers to display privacy policies, but only when collecting certain types of sensitive data.

The developer disclosures will go live one day before Chrome 88’s release. That will include version 3 of the Manifest extension security framework, which will ban the use of remotely hosted code. Code run outside the extension can circumvent the company's malware detection tools.

Featured Resources

The ultimate law enforcement agency guide to going mobile

Best practices for implementing a mobile device program

Free download

The business value of Red Hat OpenShift

Platform cost savings, ROI, and the challenges and opportunities of Red Hat OpenShift

Free download

Managing security and risk across the IT supply chain: A practical approach

Best practices for IT supply chain security

Free download

Digital remote monitoring and dispatch services’ impact on edge computing and data centres

Seven trends redefining remote monitoring and field service dispatch service requirements

Free download

Recommended

Asus Chromebook CX1 (CX1100CN) review: A cut-price compromise
Laptops

Asus Chromebook CX1 (CX1100CN) review: A cut-price compromise

15 Oct 2021
Senators urge FTC to enforce child privacy laws
privacy

Senators urge FTC to enforce child privacy laws

8 Oct 2021
Google reveals five high-risk flaws in Chrome browser
vulnerability

Google reveals five high-risk flaws in Chrome browser

3 Sep 2021
Are you over-sharing online?
social media

Are you over-sharing online?

1 Sep 2021

Most Popular

Best Linux distros 2021
operating systems

Best Linux distros 2021

11 Oct 2021
Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans
Laptops

Apple MacBook Pro 15in vs Dell XPS 15: Clash of the titans

11 Oct 2021
Windows 11 has problems with Oracle VirtualBox
Microsoft Windows

Windows 11 has problems with Oracle VirtualBox

5 Oct 2021