Google announced its intention to make Chrome browser extensions more secure and provided a checklist for developers. Chrome is by far the most widely used web browser, and its extensions are both best and worst parts of it. Thanks to these add-ons, we can have new functions, improve the existing ones, use special features of certain web pages, perform searches of a specific type based on the content we visualize, totally modify the behavior of the page with scripts… The possibilities are immense, and this is the best part of these extensions.
The bitter side of Chrome extensions is also well known: they are a very popular element among cyber-criminals and other groups that, without going as far as criminality, do carry out activities where ethics seem to be conspicuous by their absence. The problem is that Google’s security controls often fail to detect malicious extensions, as is the case with Android apps, which means that we regularly hear about dangerous Chrome extensions that are removed from the store.
Obviously, Google is super aware of this problem, and has been working for years to improve the security of Chrome extensions. In this line of work, a new milestone has been announced today. According to the Google blog, developers will have to inform users about the data they collect, as well as the use their intentions about the data.
Google blog post explains how the company will make the Chrome extensions more secure
The blog post says, “Starting January 2021, the details page of each extension in Chrome Web Store will display information provided by the developer about the data collected by the extension, in clear and easy to understand language. The data collection disclosure is available to developers today. This information will have to be added by the developers of the Chrome extensions.”
Developers can start adding this information today, and the deadline is January 18, 2021. From that moment on, all Chrome extensions that do not have this information will display a warning alerting users of this circumstance. At the moment there is no other measures, but it makes sense to think that, in time, Google’s measures will be more strict, even to the point of blocking and/or eliminating Chrome extensions that do not comply with this new policy.
Chrome extensions must also comply with the following four points:
- Ensure that the use or transfer of user data is for the user’s primary benefit and in accordance with the stated purpose of the extension.
- Selling user data is forbidden. Google does not sell user data and neither can the extension developers.
- The use or transfer of user data for personalized advertising is prohibited.
- The use or transfer of user data for credit purposes or any form of credit scoring and to data brokers or other information resellers is prohibited.
In addition, Chrome extensions developers will not only have to declare what data their development will use, but they will have to certify that it complies with these four points.