Google sets a date for Chrome extension privacy revamp

From January 18th, developers must be clear about how they're handling user data

Google has set a go-live date for a sweeping set of changes to Chrome's extension privacy rules. At its Chrome Dev 2020 Summit this week, the company set a January 18 deadline for developers to meet new data usage restrictions.

Like many other web browsers, Chrome allows third-party developers to publish their own programs that plug into the software and enhance its functionality. The company has seen developers repeatedly abuse security and privacy with these extensions, so it’s spent the last couple of years tightening its rules for extension development.

The latest changes give browser users more control over the permissions they provide browser extensions. Under the current model, granting permissions to Chrome extensions was an all-or-nothing affair. Once they had permission to gather certain information from your browsing sessions, extensions could interact with any site the user visited. 

Under the new rules, users can decide which websites the extension can access and save those settings on a per-domain basis.

The search giant also set a date for the introduction of new privacy rules announced last month. Starting on January 18, all extensions must display privacy cards explaining the data they collect.

Google will collect that information from developers via disclosure forms made available on the developer dashboard today. These forms highlight information types, including personally identifiable information (PII), health, and financial data. 

Developers must also explicitly state whether they collect authentication data, personal communications, web history, location data, the website content a user views, and the activity they engage in when on the site, such as mouse clicks and scrolling.

Developers must also use these forms to certify compliance with a new limited-use policy that Google added to its developer policy page last month. These rules restrict what developers can do with the data they collect.

This will ensure that developers only use data they collect for a single purpose, and only transfer it to third parties if necessary for that purpose, or to protect against malware. Humans won't be allowed to read that data without explicit user consent or unless data is anonymized. Notably, the new policies ban the use of data for advertising or assessing creditworthiness.

At issue, though, is how strict Google will be in enforcing those policies. Developers who haven’t filled out their privacy disclosure forms by January 18 won't necessarily have their extensions removed from the store. Instead, Google will display a warning to users before installation.

These rules stem from an existing Google initiative called Project Strobe, announced in May 2019. The project introduced rules requiring extensions to request access only to the data they needed. The rules also required extension developers to display privacy policies, but only when collecting certain types of sensitive data.

The developer disclosures will go live one day before Chrome 88’s release. That will include version 3 of the Manifest extension security framework, which will ban the use of remotely hosted code. Code run outside the extension can circumvent the company's malware detection tools.

Featured Resources

Become a digital service provider

How to transform your business from network core to edge

Download now

Optimal business results with the cloud

Evaluating the best approaches to hybrid cloud adoption

Download now

Virtualisation that enables choices, not compromises

Harness the virtualisation technology that's right for your hybrid infrastructure

Download now

Email security threat report 2020

Four key trends from spear fishing to credentials theft

Download now

Recommended

United Nations suffers potential data breach
data breaches

United Nations suffers potential data breach

11 Jan 2021
Biden team signals president-elect may target Section 230 and data privacy
Policy & legislation

Biden team signals president-elect may target Section 230 and data privacy

4 Dec 2020
Web inventor Tim Berners-Lee launches Solid privacy platform for enterprises
privacy

Web inventor Tim Berners-Lee launches Solid privacy platform for enterprises

9 Nov 2020
Chrome vs Firefox vs Microsoft Edge
web browser

Chrome vs Firefox vs Microsoft Edge

3 Nov 2020

Most Popular

How to recover deleted emails in Gmail
email delivery

How to recover deleted emails in Gmail

6 Jan 2021
What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021
150,000 arrest records accidentally deleted from police database
data management

150,000 arrest records accidentally deleted from police database

15 Jan 2021