Google tells Chrome extension devs to declare their code's usage of personal data

Ad biz is serious about making others disclose information collection

Hot on the heels of Apple slapping privacy "nutrition labels" on app listing pages in its App Store, Google says it plans to require similar privacy disclosures from those offering Chrome extensions in its Chrome Web Store.

Starting in January, 2021, the Chrome Web Store listing pages for extensions will display developer-supplied information about whatever data the code supposedly collects, said Alexandre Blondin, product manager, and Mark Jaycox, senior policy advisor, in a blog post on Wednesday.

The disclosure requirement, which calls for "clear and easy to understand language," builds upon a data policy change last year, part of Project Strobe, that limited extensions to requesting the least amount of data possible in order to function and broadened the criteria for when a privacy policy is necessary.

Starting today, Chrome extension coders using Google's developer dashboard can fill out a data disclosure form that describes categories of sensitive or personal information gathered by their extension. These include: personally identifiable information, health information, financial and payment information, authentication information, personal communications, location, web history, usage activity, and website content.


Microsoft will adopt Google Chrome's controversial Manifest V3 in Edge


Per the company's newly added Limited Use Policy, the submission form requires that developers "certify" their disclosures and agree to: not sell user data to third parties; not use or transfer user data for purposes other than the extension's "single purpose"; and not to transfer, use, or sell user data to determine creditworthiness or for purposes related to lending.

These disclosures will be made visible on Chrome extension listing pages in the Chrome Web Store starting next year.

The Register asked Google whether certification violators might face legal consequences that differ from those violating privacy promises referred to using less formal terms. We've not heard back, but at the very least Google has the option to boot deceptive extensions from its store and to expel developers found to have violated commitments from its developer program.

The ad pipeline biz has had to conduct such purges on a fairly regular basis. Over the past ten years, abuse of Chrome extensions by ill-intentioned developers has been a persistent, unsolved problem.

The Chrome Web Store policy changes coincide with a related effort, Manifest v3, to revise Chrome extension APIs so they're less powerful – making them less suitable for abuse but also less useful for content blocking.

Google is still planning to activate Manifest v3 in a stable version of Chrome before the end of the year. Since Chrome 88 isn't slated to hit the stable release channel until January, that means Manifest v3 should arrive as a patch to Chrome 87, which debuted on Tuesday.

Thereafter, there's likely to be a deprecation period for Manifest v2 ranging from a few months to a year or more, after which extensions based on the outdated manifest spec will no longer function in the latest Chrome builds. ®

Other stories you might like

  • Will this be one of the world's first RISC-V laptops?
    A sneak peek at a notebook that could be revealed this year

    Pic As Apple and Qualcomm push for more Arm adoption in the notebook space, we have come across a photo of what could become one of the world's first laptops to use the open-source RISC-V instruction set architecture.

    In an interview with The Register, Calista Redmond, CEO of RISC-V International, signaled we will see a RISC-V laptop revealed sometime this year as the ISA's governing body works to garner more financial and development support from large companies.

    It turns out Philipp Tomsich, chair of RISC-V International's software committee, dangled a photo of what could likely be the laptop in question earlier this month in front of RISC-V Week attendees in Paris.

    Continue reading
  • Did hoodwink Americans with IRS facial-recognition tech, senators ask
    Biz tells us: Won't someone please think of the ... fraud we've stopped

    Democrat senators want the FTC to investigate "evidence of deceptive statements" made by regarding the facial-recognition technology it controversially built for Uncle Sam. made headlines this year when the IRS said US taxpayers would have to enroll in the startup's facial-recognition system to access their tax records in the future. After a public backlash, the IRS reconsidered its plans, and said taxpayers could choose non-biometric methods to verify their identity with the agency online.

    Just before the IRS controversy, said it uses one-to-one face comparisons. "Our one-to-one face match is comparable to taking a selfie to unlock a smartphone. does not use one-to-many facial recognition, which is more complex and problematic. Further, privacy is core to our mission and we do not sell the personal information of our users," it said in January.

    Continue reading
  • Meet Wizard Spider, the multimillion-dollar gang behind Conti, Ryuk malware
    Russia-linked crime-as-a-service crew is rich, professional – and investing in R&D

    Analysis Wizard Spider, the Russia-linked crew behind high-profile malware Conti, Ryuk and Trickbot, has grown over the past five years into a multimillion-dollar organization that has built a corporate-like operating model, a year-long study has found.

    In a technical report this week, the folks at Prodaft, which has been tracking the cybercrime gang since 2021, outlined its own findings on Wizard Spider, supplemented by info that leaked about the Conti operation in February after the crooks publicly sided with Russia during the illegal invasion of Ukraine.

    What Prodaft found was a gang sitting on assets worth hundreds of millions of dollars funneled from multiple sophisticated malware variants. Wizard Spider, we're told, runs as a business with a complex network of subgroups and teams that target specific types of software, and has associations with other well-known miscreants, including those behind REvil and Qbot (also known as Qakbot or Pinkslipbot).

    Continue reading

Biting the hand that feeds IT © 1998–2022