This article was published on July 24, 2019

Google will remove shady data-stealing Chrome extensions starting October 15


Google will remove shady data-stealing Chrome extensions starting October 15

Google is making good on its “root-and-branch review” of third-party developer access to user data.

The company has now said its new requirements for Minimum Permission and updated User Data policy will be enforced starting October 15, 2019 — in other words, Chrome will no longer support sketchy extensions that gather data on your browsing activity.

Back in May, the internet giant had annouced it would begin cracking down on Chrome extensions that abuse your personal information.

To that effect, it had urged all developers to post privacy policies and rework their Chrome extensions to request only minimum permissions without compromising their functionality.

Once the revised data policy goes into effect, extensions that don’t meet the criteria will be removed from the Chrome Web Store. New submissions that don’t comply will also be rejected.

The development follows Google’s newly annouced plans last month to limit content-blocking Chrome extensions that collect sensitive data with a Declarative Net Request API.

The ongoing privacy protections are part of a broader security effort that Google calls Project Strobe. The audit was put in place last October to improve user privacy and security on Google and Android devices by reviewing third-party developer access to your data.

Strobe, for example, was pivotal in detecting a serious bug in the now defunct Google+ that exposed personal details of over 500,000 users. The initiative is also meant to tighten its policies by offering you more controls over what data third-party apps can access in Gmail, Drive, and other Google services.

But Google also clearly recognizes that the open nature of its platform and giving third-parties access to your data — browsing activity, location, microphone, etc. — can open the door to potential abuse.

Indeed, research last week from security researcher Sam Jadali and The Washington Post uncovered a massive data leak called DataSpii (pronounced data-spy) perpetrated by shady Chrome and Firefox extensions installed on as many four million users’ browsers.

These add-ons collected browsing activity — including personally identifiable information — and shared it with an unnamed third-party data broker that passed it on to an analytics firm called Nacho Analytics, which then sold the collected data to its subscription members in near real-time.

The initiatives, therefore, will go a long way towards addressing concerns associated with exposing your data to rogue parties.

For now, the same rule of caution applies: review your extension permissions, consider uninstalling extensions you rarely use, or switch to other software alternatives that that don’t require invasive access to your browser activity.

If you want to figure out whether your installed Chrome extensions are secure, Lifehacker has a handy guide to walk you through it.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Also tagged with