Not wanting to share Facebook's fate, Google puts devs on data diet, tightens lid on cookie jar

Chrome extension creators and Drive app makers face pending API and policy limitations

Google on Thursday announced plans to tighten its requirements for developers of Chrome extensions and apps that utilize the Drive API as part of a previously announced re-evaluation of third-party access to Google user data.

The Chocolate Factory said that in the fall Chrome extensions will only be allowed to request the narrowest possible permissions to implement app functions, a change intended to preclude the sort of unrestrained data harvesting evident in Facebook's Cambridge Analytica scandal.

Concern about Facebook-scale victimization at the hands of disingenuous app devs led Google to enact Project Strobe, an audit of developer API access that put the final nail in the Google+ coffin last year.

The permission limitation, implemented as a Chrome Web Store policy, echoes similar measures that have been applied to Android and Gmail developers. For example, it will prevent a developer from creating a Chrome extension that declares the "bookmarks" permission in order to have access to the chrome.bookmarks API if the plug-in app has no legitimate need to access that data.
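The policy described above lends itself to a mechanical pre-submission check. The following is an added example, not code from Google or from this article: it compares the API permissions declared in an extension's manifest against the chrome.* namespaces its scripts actually reference. The manifest, the script sources, the function names and the short list of checked permissions are all constructed for illustration.

```javascript
// Added example: flag API permissions that manifest.json declares but the
// extension's scripts never reference. All sample data below is constructed.

// Permissions whose name equals the chrome.* namespace they unlock.
// Deliberately a small subset; anything else is reported as "unchecked".
const NAMESPACE_PERMISSIONS = new Set([
  "bookmarks", "cookies", "downloads", "history", "tabs", "topSites", "webRequest",
]);

// Remove comments so that a commented-out call does not count as use.
function stripComments(src) {
  return src
    .replace(/\/\*[\s\S]*?\*\//g, "")      // block comments
    .replace(/(^|[^:])\/\/.*$/gm, "$1");   // line comments, but not "https://"
}

function auditPermissions(manifest, sources) {
  const code = sources.map(stripComments).join("\n");
  const report = { used: [], unused: [], unchecked: [] };
  for (const perm of manifest.permissions || []) {
    if (!NAMESPACE_PERMISSIONS.has(perm)) {
      report.unchecked.push(perm);         // host patterns, activeTab, etc.
      continue;
    }
    const ref = new RegExp("\\bchrome\\." + perm + "\\b");
    (ref.test(code) ? report.used : report.unused).push(perm);
  }
  return report;
}

// Constructed sample: a tab counter that still declares two permissions
// left over from features that were removed or never shipped.
const sampleManifest = {
  name: "Tab Counter (sample)",
  manifest_version: 2,
  permissions: ["tabs", "bookmarks", "history", "https://example.com/*"],
};
const sampleSources = [
  "chrome.tabs.query({}, (tabs) => render(tabs.length));",
  "// chrome.history.search({ text: '' }, cb);\n" +
  "/* chrome.bookmarks.getTree(cb) */",
];

const sampleReport = auditPermissions(sampleManifest, sampleSources);
console.log(sampleReport);
```

Anything listed under `unused` is a candidate for removal from the manifest; entries under `unchecked` need manual review because this sketch does not model them.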

Google is also expanding the range of requested data that will require a privacy policy from extension developers. Previously, only developers whose extensions handled personal and sensitive data had to publish privacy policies. Now, those creating browser add-on code that handles user-provided content and personal communications have to publish privacy commitments.

Early next year, the Drive API will fall under the same rules applied to the Gmail API back in January. For developers with apps that utilize restricted scope APIs and also store data outside of Drive (e.g. Google Cloud, Firebase, or an external server), a security assessment will be required that "may cost between $15,000 and $75,000 (or more) depending on the complexity of the application."


As with Gmail app developers, some small startups may not be able to afford the cost of compliance.

"Our top priority is to protect user data and keep it safe, while continuing to enable developers to build features that people want and need," explained Ben Smith, VP of engineering, in a blog post.

"As we continue the work of Project Strobe, we’ll also work with our developer partners to give them appropriate time to adjust and update their apps and services."

The Chrome Web Store policy changes and Drive API restrictions occur amid a related API rethink for the Chrome Extensions platform called Manifest v3. Google insists the goal is "to create stronger security, privacy, and performance guarantees." And certainly, its extension platform would benefit from all of those.

Among a variety of other changes Google has in mind, the biz is limiting the webRequest API – a move developers claim will limit content blocking capabilities. A replacement is planned, the declarativeNetRequest API, which will provide a way for apps to interface with Chrome without the arguably dangerous level of access to network requests enabled by the webRequest API.

It's a controversial modification because Google failed to get buy-in before previewing changes that affect its developer community. Also, it raises eyebrows when an ad company proposes changes that break ad blockers and privacy extensions without any commitment that these apps can be adapted to the new regime. ®
