IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Google sets a date for Chrome extension privacy revamp

From January 18th, developers must be clear about how they're handling user data

Google has set a go-live date for a sweeping set of changes to Chrome's extension privacy rules. At its Chrome Dev 2020 Summit this week, the company set a January 18 deadline for developers to meet new data usage restrictions.

Like many other web browsers, Chrome allows third-party developers to publish their own programs that plug into the software and enhance its functionality. The company has seen developers repeatedly abuse security and privacy with these extensions, so it’s spent the last couple of years tightening its rules for extension development.

The latest changes give browser users more control over the permissions they provide browser extensions. Under the current model, granting permissions to Chrome extensions was an all-or-nothing affair. Once they had permission to gather certain information from your browsing sessions, extensions could interact with any site the user visited. 

Under the new rules, users can decide which websites the extension can access and save those settings on a per-domain basis.

The search giant also set a date for the introduction of new privacy rules announced last month. Starting on January 18, all extensions must display privacy cards explaining the data they collect.

Google will collect that information from developers via disclosure forms made available on the developer dashboard today. These forms highlight information types, including personally identifiable information (PII), health, and financial data. 

Developers must also explicitly state whether they collect authentication data, personal communications, web history, location data, the website content a user views, and the activity they engage in when on the site, such as mouse clicks and scrolling.

Developers must also use these forms to certify compliance with a new limited-use policy that Google added to its developer policy page last month. These rules restrict what developers can do with the data they collect.

This will ensure that developers only use data they collect for a single purpose, and only transfer it to third parties if necessary for that purpose, or to protect against malware. Humans won't be allowed to read that data without explicit user consent or unless data is anonymized. Notably, the new policies ban the use of data for advertising or assessing creditworthiness.

At issue, though, is how strict Google will be in enforcing those policies. Developers who haven’t filled out their privacy disclosure forms by January 18 won't necessarily have their extensions removed from the store. Instead, Google will display a warning to users before installation.

These rules stem from an existing Google initiative called Project Strobe, announced in May 2019. The project introduced rules requiring extensions to request access only to the data they needed. The rules also required extension developers to display privacy policies, but only when collecting certain types of sensitive data.

The developer disclosures will go live one day before Chrome 88’s release. That will include version 3 of the Manifest extension security framework, which will ban the use of remotely hosted code. Code run outside the extension can circumvent the company's malware detection tools.

Featured Resources

AI for customer service

IBM Watson Assistant solves customer problems the first time

View now

Solve cyber resilience challenges with storage solutions

Fundamental capabilities of cyber-resilient IT infrastructure

Free Download

IBM FlashSystem 5000 and 5200 for mid-market enterprises

Manage rapid data growth within limited IT budgets

Free download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Recommended

2023 Strategic roadmap for data security platform convergence
Whitepaper

2023 Strategic roadmap for data security platform convergence

21 Oct 2022
Data governance and privacy for data leaders
Whitepaper

Data governance and privacy for data leaders

20 Oct 2022
Home Office to collect foreign offenders' biometric data using smartwatch scheme
privacy

Home Office to collect foreign offenders' biometric data using smartwatch scheme

5 Aug 2022
UK safety tech sees another year of growth, amidst backlash
business transformation

UK safety tech sees another year of growth, amidst backlash

2 Aug 2022

Most Popular

How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

15 Nov 2022
The top 12 password-cracking techniques used by hackers
Security

The top 12 password-cracking techniques used by hackers

14 Nov 2022
Windows users now able to run Linux apps and distros natively
Microsoft Windows

Windows users now able to run Linux apps and distros natively

24 Nov 2022