Cockup or conspiracy? Popular privacy extension ClearURLs removed from Chrome web store

Developer appeals decision, saying 'the reasons are ridiculous'

The Chrome browser extension ClearURLs has been removed from the Chrome Web Store, for reasons its developer describes as "ridiculous."

Google’s Chrome team emailed ClearURLs developer Kevin Roebert yesterday to tell him (translated from German): “Your item had to be removed from the Chrome Web Store,” citing three violations of its terms.

These were “inaccurate description – missing information”, on the basis that the donate, badges, logging and export/import of sessions are not mentioned; “use of permissions”, on the basis that the Clipboard/Write permission is not required; and “keyword spam”, on the basis that there is irrelevant information about the extension in the description.

In typical Google fashion, it appears that although the extension has been available for a long time, the discovery of these violations meant that it was instantly removed and its page now returns a 404 "not found" error. It is still available for other browsers including Firefox, Microsoft Edge, and for Chrome via manual download from GitHub or GitLab.

404 is “all we know” says what used to be the page for the Chrome ClearURLs extension

404 is “all we know” - says what used to be the page for the Chrome ClearURLs extension

Roebert said: "The reasons for this are ridiculous and probably only pretended because ClearURLs damages Google's business model. ClearURLs has made it to its mission to prevent tracking via URLs and that's how Google makes money."

He said that he made corrections to meet the requirements and appealed against the block. The clipboard permissions are needed for a right-click context menu option, he said, and he does not understand what was wrong with the description.

A user signing in to a Google Workspace account has to agree separately to the Core Services under their organisation’s terms, and Additional Services under Google’s terms. Which is used when? It’s complicated.

Dutch government: Did we say 10 'high data protection risks' in Google Workspace block adoption? Make that 8


It is not clear whether Google is really concerned about the functionality of the extension, or whether this is just another example of seemingly arbitrary violations being discovered, communicated badly, and blocking happening by default and without notice.

The duke of URL

The issue does expose an aspect of today's web which perhaps gets too little attention, and which is disguised by Google and others. The idea of the URL (Uniform Resource Locator) is that it identifies the address of a web location, but the existence of URL arguments means it can be more than that, and it is easy for developers to generate URLs that include tracking information that is used for analytics rather than navigation, or to power things such as affiliate links and advertising fees.

Another related matter is hidden redirects. In the early days of web search, the blue links returned simply included the URL of the destination, but most search engines quickly changed that to make the link target their own servers, in order to capture analytic data about the search before redirecting the user to the final destination. The user may not be aware of this, since hovering the mouse over the link shows a different URL from the real one.

One of the functions of ClearURLs is to "support redirecting to the destination, without tracking services as middleman" and to "prevent Google from rewriting the search results to include tracking elements."

A quick experiment with Firefox proved this to be the case.

Using the Inspect Element context menu option (part of Firefox, not ClearURLs) shows that without the extension, a Google search result targets a redirect service on Google's server, including various arguments alongside the destination URL, whereas with ClearURLs installed, the link is direct.

In Firefox the actual link for a Google search result is a redirect to Google’s own server.

In Firefox the actual link for a Google search result is a redirect to Google's own server

Enable ClearURLs in Firefox, and the link becomes a plain URL with no analytics for Google.

Enable ClearURLs in Firefox, and the link becomes a plain URL with no analytics for Google

This is a deep rabbit-hole though; in Chrome itself we found that the same search yielded a direct link with or without ClearURLs with the analytics metadata inserted into a ping attribute, meaning that Google gets posted the data when the user clicks, so the company gets the data either way. In Firefox, the ping attribute is disabled by default.

In Chrome, Google gets its analytics from the ping attribute – making ClearURLs ineffective for this case.

In Chrome, Google gets its analytics from the ping attribute – making ClearURLs ineffective for this case

The depressing news is that Mozilla apparently intends to enable ping in future, without any option to disable it, telling Bleeping Computer that it is "a matter of improving the user experience by giving websites a better way to implement hyperlink auditing without the performance downsides of the other existing methods."

Apple also takes this view, and has said that: "Just turning off the Ping attribute or the Beacon API doesn't solve the privacy implications of link click analytics. Instead, it creates an incentive for websites to adopt tracking techniques that hurt the user experience."

What this means is that for this extension to really harm Google's business model, it has to do more than simply cleaning the URLs. The extension also leaves untouched another common use of tracking URLs, which is in email links.

A private matter?

Google's developer terms for its Chrome Web Store states that “Google retains the right to refuse to include a Product on the Web Store.”

It would be entitled to block an extension because it harms its business model – though that is not what has been said to Roebert. The issue is complex because Google also claims to be concerned about privacy, saying for example that “people want assurances that their identity and information are safe as they browse the web”, and introducing many changes to Chrome on this basis.

In a post last year on privacy practices for Chrome extensions, the company said that “protecting users and their data is a fundamental aspect of the work we do on Chrome.”

Blocking an extension that has an obvious privacy benefit sits uncomfortably with such statements, though a quick read of Google’s monster privacy policy shows that while it cheerfully supports technology that blocks others from tracking data, it reserves the right to collect data for itself - and it looks unlikely that ClearURLs, as things stand, does much to prevent it.

The Register has asked Google to comment. ®

Other stories you might like

  • Experts: AI should be recognized as inventors in patent law
    Plus: Police release deepfake of murdered teen in cold case, and more

    In-brief Governments around the world should pass intellectual property laws that grant rights to AI systems, two academics at the University of New South Wales in Australia argued.

    Alexandra George, and Toby Walsh, professors of law and AI, respectively, believe failing to recognize machines as inventors could have long-lasting impacts on economies and societies. 

    "If courts and governments decide that AI-made inventions cannot be patented, the implications could be huge," they wrote in a comment article published in Nature. "Funders and businesses would be less incentivized to pursue useful research using AI inventors when a return on their investment could be limited. Society could miss out on the development of worthwhile and life-saving inventions."

    Continue reading
  • Declassified and released: More secret files on US govt's emergency doomsday powers
    Nuke incoming? Quick break out the plans for rationing, censorship, property seizures, and more

    More papers describing the orders and messages the US President can issue in the event of apocalyptic crises, such as a devastating nuclear attack, have been declassified and released for all to see.

    These government files are part of a larger collection of records that discuss the nature, reach, and use of secret Presidential Emergency Action Documents: these are executive orders, announcements, and statements to Congress that are all ready to sign and send out as soon as a doomsday scenario occurs. PEADs are supposed to give America's commander-in-chief immediate extraordinary powers to overcome extraordinary events.

    PEADs have never been declassified or revealed before. They remain hush-hush, and their exact details are not publicly known.

    Continue reading
  • Stolen university credentials up for sale by Russian crooks, FBI warns
    Forget dark-web souks, thousands of these are already being traded on public bazaars

    Russian crooks are selling network credentials and virtual private network access for a "multitude" of US universities and colleges on criminal marketplaces, according to the FBI.

    According to a warning issued on Thursday, these stolen credentials sell for thousands of dollars on both dark web and public internet forums, and could lead to subsequent cyberattacks against individual employees or the schools themselves.

    "The exposure of usernames and passwords can lead to brute force credential stuffing computer network attacks, whereby attackers attempt logins across various internet sites or exploit them for subsequent cyber attacks as criminal actors take advantage of users recycling the same credentials across multiple accounts, internet sites, and services," the Feds' alert [PDF] said.

    Continue reading

Biting the hand that feeds IT © 1998–2022