Google is cleaning up its Chrome Web Store – the marketplace where you can browse for extensions and apps for its Chrome web browser. The company says it’s making changes to browser’s User Data Policy, which will now require developers to be more transparent about how they handle customer data, and which will require user consent when data is collected, among other things.
The changes come at a time when the Chrome Web Store has been targeted by malware makers, who have posted rogue extensions that do terrible things like spy on web users and collect their personal data. It also arrives in a post-Snowden era where governments, like those in the EU, are getting involved in passing user data privacy regulations and legislation.
In January, security firm Malwarebytes pointed to one rogue extension that was only pulled after a thousand downloads, as an example of the malware problem. The extension, which required elevated permissions, silently talked back to a remote server and would push ads to users after installation.
After removal, it was soon replaced by another that redirected users to a social networking site. The security firm also noted that it had seen an increase in “adware” companies using extensions to push things like free coupons, recipes, and videos, as well as those that would harvest users’ browsing habits then resell them to marketing companies for better ad targeting.
Malicious extensions, however, are not a new problem for Google. The Chrome Web Store has faced this issue for years. In the past, Google tried to address this by disallowing users from installing extensions that weren’t hosted on the Web Store directly. In theory, this would offer more protection as extensions could be pulled down or automatically disabled.
Now Google is asking developers to follow similar guidelines as Chrome has itself with regard to privacy protections for users.
According to a blog post, this includes the following new requirements for developers:
-
Be transparent about the handling of user data and disclose privacy practices
-
Post a privacy policy and use encryption, when handling personal or sensitive information
-
Ask users to consent to the collection of personal or sensitive data via a prominent disclosure, when the use of the data isn’t related to a prominent feature.
Yes, it’s somewhat concerning that extension developers didn’t already have to follow these basic guidelines.
The policy also prohibits collecting web browsing activity when it’s not required for an item’s main functionality. That’s an especially interesting change which could impact several businesses.
A number of companies today run networks of seemingly harmless browser extensions in order to collect browsing data for other purposes. For instance, web analytics firm SimilarWeb said in the past it had “hundreds” of plugins reaching tens of millions of end users. In some cases, those plugins would collect browsing data to offer information to users about things like web rankings or reach of the sites they’re on, but other plugins were not as obvious about their intentions. (Though it may be disclosed in those cases, most users don’t read privacy policies.)
Google says developers have until July 14, 2016 to comply with the new policy. Afterward, on July 15, those extensions and apps that violate the update User Data Policy will be removed from the Chrome Web Store.