Chrome extension devs must drop deceptive installation tactics

After announcing its intention to limit third-party developers’ access to Chrome’s webRequest API, which is used by many ad-blocking extensions to filter out content, Google has followed up with announcements for a few more changes meant “to create stronger security, privacy, and performance guarantees”:

  • Chrome extension developers must ditch any deceptive installation tactic they have been using
  • Extensions must only request access to the appropriate data needed to implement their features
  • Extensions that handle user-provided content and personal communications must post privacy policies
  • Apps that use Google Drive APIs will be limited from broadly accessing content or data in Drive.

Preventing deceptive installation tactics

Extensions must be marketed responsibly, Google says, and from July 1 onwards, extensions that use deceptive installation tactics will be removed from the Chrome Web Store.

Such tactics include:

  • Unclear or inconspicuous disclosures on marketing collateral preceding the Chrome Web Store item listing.
  • Misleading interactive elements as part of the distribution flow (e.g., misleading call-to-action buttons, forms that imply an outcome other than the installation of an extension).
  • Adjusting the Chrome Web Store item listing window with the effect of withholding or hiding extension metadata from the user.

Chrome extensions, Drive API, and permissions

The “minimum permissions” policy, to be introduced in fall of 2019, will require extensions to demand only the narrowest set of permissions necessary to provide their existing services or features.

“Developers may use minimally-scoped optional permissions to further enhance the capabilities of the extension, but must not require users to agree to additional permissions. When an update requires additional permissions, end users will be prompted to accept them or disable the extension. This prompt notifies users that something has changed and gives them control over whether or not to accept this new use,” Google explained.

Developers that fail to comply with the policy will be removed from the Chrome Web Store, and non-compliant extensions will be disabled in end-users’ browsers.
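The following is an added example, not code from the article or from Google: a small least-privilege lint for an extension manifest that flags install-time grants the "minimum permissions" policy targets, beside a constructed "before" manifest and a narrowed "after" one that moves a sensitive permission into optional_permissions. Permission names and the chrome.permissions.request API are real; both manifests and the lint itself are constructed for illustration.

```javascript
// Host patterns that grant access to every site the user visits.
const BROAD_HOST_PATTERNS = ['<all_urls>', '*://*/*', 'http://*/*', 'https://*/*'];

// Real Chrome permissions with broad install-time warnings; good candidates
// for optional_permissions requested only when the feature is actually used.
const SENSITIVE = new Set([
  'tabs', 'history', 'cookies', 'webRequest', 'webRequestBlocking',
  'management', 'bookmarks', 'downloads',
]);

// Returns {permission, reason} findings for permissions demanded at install time.
function auditManifest(manifest) {
  const findings = [];
  // MV2 lists host patterns under "permissions"; MV3 splits them into "host_permissions".
  const required = [...(manifest.permissions || []), ...(manifest.host_permissions || [])];
  for (const p of required) {
    if (BROAD_HOST_PATTERNS.includes(p)) {
      findings.push({ permission: p, reason: 'broad host access requested at install time' });
    } else if (SENSITIVE.has(p)) {
      findings.push({ permission: p, reason: 'sensitive API required; consider optional_permissions' });
    }
  }
  return findings;
}

// Request an optional permission at the moment the feature needs it (real API:
// chrome.permissions.request). Resolves false when run outside an extension.
function requestWhenNeeded(permissions) {
  if (typeof chrome === 'undefined' || !chrome.permissions) return Promise.resolve(false);
  return new Promise((resolve) => chrome.permissions.request({ permissions }, resolve));
}

// Constructed "before": a wide grant of the kind the policy targets.
const BROAD_MANIFEST = {
  manifest_version: 2,
  name: 'Example extension (constructed)',
  permissions: ['<all_urls>', 'tabs', 'webRequest', 'webRequestBlocking', 'storage'],
};

// Constructed "after": narrowest install-time set for the existing feature; 'tabs'
// moves to optional_permissions so users are prompted only when that feature is used.
const NARROW_MANIFEST = {
  manifest_version: 2,
  name: 'Example extension (constructed)',
  permissions: ['storage', 'activeTab', 'https://example.com/*'],
  optional_permissions: ['tabs'],
};
```

Running auditManifest over the two manifests shows four findings for the broad one and none for the narrowed one; a reviewer can apply the same check to any extension before listing or updating it.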

Also, developers of extensions that handle user-generated content and personal communications must now publish a privacy policy. It should explain what information is collected, how that information is used, and the circumstances in which it is shared. (This change is also announced for fall of 2019.)

Finally, as it previously did for Gmail, Google is making it so that Drive users get more control over what data third-party apps can access in their Drive.

“With this updated policy, we’ll limit apps that use Google Drive APIs from broadly accessing content or data in Drive. This means we’ll restrict third-party access to specific files and be verifying public apps that require broader access, such as backup services,” Ben Smith, Google Fellow and VP of Engineering, explained.

These changes will go into effect early next year and Google will start notifying impacted developers in the next few months.