Google takes a stance against permission-grabbing Chrome extensions

Google also limits what types of third-party apps can access a user's Drive files.
Written by Catalin Cimpanu, Contributor

Google announced today new privacy protections for Chrome extensions, along with new rules for the Google Drive API and Drive third-party apps.

The new rules are part of what Google calls Project Strobe, an initiative to improve the privacy and security of users' data, which the company set in motion after discovering a serious bug in Google+ that exposed the personal details of over 500,000 users.

Project Strobe's main mission is to limit the amount of data third-parties can access about Google users via the company's many services, APIs, and tools.

No more permission-grabbing extensions

As part of this ongoing project, Google announced today two new rules it plans to enforce for Chrome extensions starting this fall.

The first rule is in regards to the permissions Chrome extensions ask from users during installation.

"We're requiring extensions to only request access to the appropriate data needed to implement their features," Google said. "If there is more than one permission that could be used to implement a feature, developers must use the permission with access to the least amount of data."

While Google has recommended this approach for developers when coding their extensions, the company is now making it a requirement for the entire Chrome Web Store.

The browser maker plans to scan all extensions and notify extension developers of any problems. They'll have 90 days to correct the permissions they ask from users or face having their extension removed from the Web Store and deactivated in users' browsers.

The idea is to put a stop to a trend with Chrome extension developers where malicious entities ask for a large number of permissions, which they either don't use or abuse for data harvesting or other malicious operations down the road.

Some Chrome extensions will now need privacy policies

Second, Google will also require that all Chrome extensions that handle "personal communications and user-provided content" list a privacy policy that describes how the extension developer handles and stores the collected data.

"Our policies have previously required any extension that handles personal and sensitive user data to post a privacy policy and handle that data securely," Google said. "Now, we're expanding this category to include extensions that handle user-provided content and personal communications."

Google said it would publish more details about these two new rules over the summer, so that extension developers can prepare roll out updates and prepare for any compliance reviews.

New Drive API rules

And last but not least, Google also announced new rules for the Google Drive API and Drive third-party apps.

The company said it plans to limit the types of apps that can have broad access to user data via Drive APIs. Only "some types" of apps will be allowed full access to a user's Drive account.

"[Third-party] Apps should move to a per-file user consent model, allowing users to more precisely determine what files an app is allowed to access," Google said.

Google didn't specify what are these app "types," but said it would notify impacted developers who will need to change their apps to comply with this new data access rule.

This rule is nearly identical to a new data access rule the company rolled out for Gmail last October when it limited what types of third-party apps can have access to a user's full email inbox.

Just like today's Drive announcement, last October's Gmail rule change was part of Project Strobe. Other privacy-focused changes in Google services that originated from Project Strobe include:

- Google restricts which Android apps can request Call Log and SMS permissions
- Longer Android app review process for unknown developers

All the Chromium-based browsers

More browser coverage:

Editorial standards