Not wanting to share Facebook's fate, Google puts devs on data diet, tightens lid on cookie jar

Chrome extension creators and Drive app makers face pending API and policy limitations


Google on Thursday announced plans to tighten its requirements for developers of Chrome extensions and apps that utilize the Drive API as part of a previously announced re-evaluation of third-party access to Google user data.

The Chocolate Factory said that in the fall Chrome extensions will only be allowed to request the narrowest possible permissions to implement app functions, a change intended to preclude the sort of unrestrained data harvesting evident in Facebook's Cambridge Analytica scandal.

Concern about Facebook-scale victimization at the hands of disingenuous app devs led Google to enact Project Strobe, an audit of developer API access that put the final nail in the Google+ coffin last year.

The permission limitation, implemented as a Chrome Web Store policy, echoes similar measures that have been applied to Android and Gmail developers. For example, it will prevent a developer from shipping a Chrome extension that declares the "bookmarks" permission, and so gains access to the chrome.bookmarks API, if the extension has no legitimate need for that data.
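The least-privilege rule above can be checked mechanically: compare the permissions a manifest declares with the chrome.* namespaces the extension's scripts actually reference. The following audit helper is an added example (not Google's tooling or code from the article); the permission table, the sample manifest and the sample script are constructed for the illustration.

```javascript
// Added example: a least-privilege audit for an extension manifest. It reports
// permissions the manifest declares but no script uses, and chrome.* namespaces
// the scripts use without the matching permission. The manifest and scripts
// below are constructed samples, not a real extension.

// Map of chrome.* API namespaces to the manifest permission that gates them.
// This small table is an assumption for the example, not Chrome's full list.
const API_PERMISSION = {
  bookmarks: "bookmarks",
  history: "history",
  storage: "storage",
  cookies: "cookies",
  webRequest: "webRequest",
  declarativeNetRequest: "declarativeNetRequest",
};

// Namespaces available to every extension without a permission entry.
const NO_PERMISSION_NEEDED = new Set(["runtime", "i18n"]);

// Collect every chrome.<namespace> reference in a script body.
function usedNamespaces(source) {
  const found = new Set();
  const re = /\bchrome\.([A-Za-z]+)/g;
  let m;
  while ((m = re.exec(source)) !== null) found.add(m[1]);
  return found;
}

// Compare declared permissions with the namespaces the code actually touches.
// Permissions the table does not know about (host patterns, activeTab, ...)
// are left alone, since this check cannot judge them.
function auditManifest(manifest, scripts) {
  const declared = new Set(manifest.permissions || []);
  const used = new Set();
  for (const src of Object.values(scripts)) {
    for (const ns of usedNamespaces(src)) used.add(ns);
  }
  const needed = new Set();
  const missing = [];
  for (const ns of used) {
    if (NO_PERMISSION_NEEDED.has(ns)) continue;
    const perm = API_PERMISSION[ns];
    if (perm === undefined) continue; // unknown namespace: nothing to say
    needed.add(perm);
    if (!declared.has(perm)) missing.push(perm);
  }
  const knownPerms = new Set(Object.values(API_PERMISSION));
  const unused = [...declared].filter((p) => knownPerms.has(p) && !needed.has(p));
  return { unused: unused.sort(), missing: missing.sort() };
}

// Constructed sample: a note-taking extension that only needs storage and
// history, but asks for bookmarks and cookies as well and forgets history.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Note Taker (sample)",
  version: "1.0",
  permissions: ["bookmarks", "cookies", "storage"],
  background: { service_worker: "background.js" },
};

const SAMPLE_SCRIPTS = {
  "background.js": `
    chrome.runtime.onInstalled.addListener(() => {
      chrome.storage.local.set({ notes: [] });
    });
    chrome.history.search({ text: "", maxResults: 10 }, (items) => {
      console.log(items.length);
    });
  `,
};

function sampleAudit() {
  return auditManifest(SAMPLE_MANIFEST, SAMPLE_SCRIPTS);
}

// sampleAudit() → { unused: ["bookmarks", "cookies"], missing: ["history"] }
console.log(sampleAudit());
```

The "unused" list is exactly what the new policy targets: a permission that is declared, and therefore shown to the user at install time, but never exercised by the code. The "missing" list is the mirror image and usually shows up as a runtime failure rather than a policy problem.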

Google is also expanding the range of requested data that will require a privacy policy from extension developers. Previously, only developers whose extensions handled personal and sensitive data had to publish privacy policies. Now, those creating browser add-on code that handles user-provided content and personal communications have to publish privacy commitments.

Early next year, the Drive API will fall under the same rules applied to the Gmail API back in January. For developers with apps that utilize restricted scope APIs and also store data outside of Drive (e.g. Google Cloud, Firebase, or an external server), a security assessment will be required that "may cost between $15,000 and $75,000 (or more) depending on the complexity of the application."

As with Gmail app developers, some small startups may not be able to afford the cost of compliance.

"Our top priority is to protect user data and keep it safe, while continuing to enable developers to build features that people want and need," explained Ben Smith, VP of engineering, in a blog post.

"As we continue the work of Project Strobe, we’ll also work with our developer partners to give them appropriate time to adjust and update their apps and services."

The Chrome Web Store policy changes and Drive API restrictions occur amid a related API rethink for the Chrome Extensions platform called Manifest v3. Google insists the goal is "to create stronger security, privacy, and performance guarantees." And certainly, its extension platform would benefit from all of those.

Among a variety of other changes Google has in mind, the biz is limiting the webRequest API – a move developers claim will limit content blocking capabilities. A replacement is planned, the declarativeNetRequest API, which will provide a way for apps to interface with Chrome without the arguably dangerous level of access to network requests enabled by the webRequest API.
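The difference between the two models is easiest to see side by side. What follows is an added example, not code from Google, from the article, or from any real ad blocker: a webRequest-style callback that the extension itself runs against every request, next to a declarativeNetRequest rule set that the browser evaluates without the extension ever seeing the request. The rule field names (id, priority, action.type, condition.urlFilter, condition.resourceTypes) are the real rule schema; the hostname "tracker.example", the sample requests and the small rule evaluator standing in for the browser are constructed for this illustration, and the evaluator is a simplified model of Chrome's matching, not its actual implementation.

```javascript
// Added example: webRequest versus declarativeNetRequest blocking models.
// Everything here runs in plain Node without a browser; the tracker host,
// the requests and the evaluator are constructed for the illustration.

// --- Model 1: webRequest (Manifest V2 style). The extension's own code runs
// for every request and can inspect the full URL (and, with more options,
// headers and bodies) before deciding. In a real extension this function would
// be registered with
//   chrome.webRequest.onBeforeRequest.addListener(decide, {urls: ["<all_urls>"]}, ["blocking"]);
function decide(details) {
  const host = new URL(details.url).hostname;
  return { cancel: host === "tracker.example" || host.endsWith(".tracker.example") };
}

// --- Model 2: declarativeNetRequest (Manifest V3). The extension ships static
// rules (normally in a rules.json referenced from the manifest) and never
// observes the requests they are applied to.
const RULES = [
  { id: 1, priority: 1, action: { type: "block" },
    condition: { urlFilter: "||tracker.example", resourceTypes: ["script", "image"] } },
  { id: 2, priority: 2, action: { type: "allow" },
    condition: { urlFilter: "||tracker.example/consent.js", resourceTypes: ["script"] } },
];

// Simplified stand-in for the browser's matcher (an assumption, not Chrome's
// code): supports the "||" domain anchor and "*" wildcard, filters by resource
// type, picks the highest-priority matching rule and lets "allow" win ties.
function urlFilterMatches(filter, url) {
  let pattern = filter;
  let anchoredToHost = false;
  if (pattern.startsWith("||")) { anchoredToHost = true; pattern = pattern.slice(2); }
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*");
  const re = anchoredToHost
    ? new RegExp("^[a-z][a-z0-9+.-]*://([^/]*\\.)?" + escaped)
    : new RegExp(escaped);
  return re.test(url);
}

function evaluate(rules, request) {
  let winner = null;
  for (const rule of rules) {
    const c = rule.condition;
    if (c.resourceTypes && !c.resourceTypes.includes(request.type)) continue;
    if (!urlFilterMatches(c.urlFilter, request.url)) continue;
    if (winner === null || rule.priority > winner.priority ||
        (rule.priority === winner.priority && rule.action.type === "allow")) {
      winner = rule;
    }
  }
  return winner ? winner.action.type : "proceed";
}

// Constructed sample requests and the verdict each model reaches.
const SAMPLE_REQUESTS = [
  { url: "https://cdn.tracker.example/pixel.png", type: "image" },   // both: block
  { url: "https://tracker.example/consent.js", type: "script" },     // rule 2 allows; callback blocks
  { url: "https://tracker.example/home", type: "main_frame" },       // no rule covers main_frame; callback blocks
  { url: "https://news.example/article.html", type: "main_frame" },  // both: proceed
];

function runSamples() {
  return SAMPLE_REQUESTS.map((r) => ({
    url: r.url,
    webRequest: decide(r).cancel ? "block" : "proceed",
    declarative: evaluate(RULES, r),
  }));
}

console.table(runSamples());
```

The second and third sample requests show the trade-off the article describes: the declarative rules can express an exception and a resource-type restriction, but every such distinction has to be written down ahead of time, whereas the callback can look at anything about the request and decide on the spot. That flexibility is precisely the "arguably dangerous level of access" Google wants to remove, since a callback that can see every request can also record it.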

It's a controversial modification because Google failed to get buy-in before previewing changes that affect its developer community. Also, it raises eyebrows when an ad company proposes changes that break ad blockers and privacy extensions without any commitment that these apps can be adapted to the new regime. ®
