Google Cracks Down on Rogue Browser Extensions

John Lister's picture

Google is cracking down on Chrome browser extensions that risk user privacy. The new policies err on the side of caution and follow a Washington Post investigation that claimed millions of users had data stolen by rogue browser extensions.

A browser extension, also called an "add-on" in some browsers, is a third-party tool that users can incorporate into their web browser. It's designed to add extended functions to the browser, which then make using the browser and web much easier.

Examples of extensions include: a password manager, which can remember user passwords and automatically fill login information into a page automatically;  another example is one that can take an article online and send it to a Kindle e-reader device, or quickly take a screenshot of part of a page.

Rogue Extensions Removed

While browser developers like Google and Mozilla do have policies to reduce associated privacy risks to users, the fact that an extension comes from an official "web store" (such as the Chrome Web Store or Mozilla's Addons page) doesn't guarantee it is safe.

Perhaps the biggest problem associated with extensions is their access level. For example, once an extension is downloaded, users are asked to confirm if they agree to allow the extension to "read and change ... browsing history". While most users may click "yes" simply to allow the extension to run based on promises from the developer, the rationale behind the access is usually not clear.

The Washington Post recently identified several extensions that were collecting and sharing data that didn't appear necessary for the stated purpose. The names include:

  • FairShare Unlock
  • Hover Zoom
  • Panel Measurement
  • SpeakIt!
  • SuperZoom

The extensions, which had an estimated total of four million users, have since been disabled. Google appears to have concluded it needs to make more fundamental changes to its browser extensions access, rather than play whack-a-mole with rogue developers. (Source:

Privacy Policies Become More Common

One change is that extensions must now be designed to only "request access to the least amount of data" needed to carry out their tasks. Previously that was merely a guideline.

The other big change is that more extensions will need to publish a privacy policy explaining what data they collect and how they use it. Until now, a privacy policy has only been needed if an extension handles data classes as sensitive or personal. Now any extension that accesses personal communications or any content the user provides will need a privacy policy as well. (Source:

What's Your Opinion?

Do you use browser extensions? Do you pay much attention to what data they can collect and how they use it? Do Google's new policies go far enough to reduce the risk of data misuse?

Rate this article: 
Average: 5 (6 votes)


Dennis Faas's picture

I think developers should be forced to not only list the reasons for data access, but provide concrete examples using a simplified table of "reasons" (categories) that are governed by Google.

If the data access reason doesn't fall into one of Google's pre-defined categories, then it should not be allowed. The data access categories should also be rated by number according to privacy risk. The average risk rating would then be displayed to the user before the extension is installed. High risk extensions should be color coded in red, while less risk extensions would be green or yellow. Associating a color code would force developers to create less-risky extensions or avoid being labeled as such.

For example, if a browser extension "needs access to contacts," then it should list exactly why it is needed and provide examples in every instance this will be used - perhaps in detail on the browser's privacy policy page. Since most browsers don't need access to contacts (as email programs should be the ones handling this information), this browser extension should be labeled as high risk and color coded in red.

This would make understanding extensions a lot easier without having to wade through pages of information in order to assess privacy risk to the user.

matt_2058's picture

I think you're right about the detail needed. Not only for chrome extensions, but all apps. Android or iOS. Paid or free. Providing company or 3rd party.

I want to know why access to my contacts is needed. How the info will be used. Who is using it.

My biggest complaint about all the usage agreements is the paragraph about the data being transferred to the new owner and the current agreement being void. What the developer is really saying: I'm going to collect data until I get enough to get the interest of a bigger fish to buy me out. At that point, forget our agreement because they have bought it all. At a very high price. Thanks for playing!