Google doesn't have the best reputation when it comes to handling user data, but third-party Chrome extension developers are arguably even more insatiable. Unfortunately, the Chrome Web Store has a fairly lax attitude toward extension submissions, occasionally letting outright malware through.
By Oct. 15, though, Google wants third-party extension developers to be crystal-clear about what information they want from users, and how they intend to safeguard that data. If developers don't comply, Google will remove their extensions from the store.
This information, part of Google's Project Strobe initiative, comes from Alexandre Blondin and Swagateeka Panigrahy writing today (July 24) on the official Chromium Blog.
"We're requiring extensions to only request access to the least amount of data," the blog post explained. "We're requiring more extensions to post privacy policies."
Google launched Project Strobe last year as a wide-reaching initiative to limit how much data third-party developers could extract from Android and Chrome users. (Google itself doesn't seem to be under similar restrictions.)
The company posted an advisory on May 30 that third-party developers for the Chrome Web Store would have to ease up on their permissions and be explicit about data collection in cases where that wasn't possible. Today's official posting announced the Oct. 15 deadline.
Developers now have to explain, in great detail and in a form available to the public, why their extensions require each permission they request.
Previously, Google required privacy policies only from apps that handled "personal and sensitive user data."
While the company doesn't specify exactly what it means by that, it seems to include data like a user's name, location, email address, financial information and so forth.
Google will now also require privacy policies from any app that handles "user-provided content and personal communications." This applies to data like photos, conversations and so forth.
Google further mandates that any app that handles sensitive data must transmit it "via modern cryptography." Exactly what Google means by this will probably vary on a case-by-case basis, but in theory, an external attacker should find it much harder to access your data via a man-in-the-middle attack.
Comply or die
Developers have until Oct. 15 to comply with these demands; otherwise, Google will remove their extensions from the Chrome Web Store.
It's not clear what will happen to extensions that have already been installed by users but fail to comply. The extensions might continue to work in limited forms, or they may cease to function entirely.
You don't really have to do anything special on your end. Just keep your version of Chrome up to date, and as always, be aware of what you install on your browser.
The Chrome Web Store is probably about to get a lot safer, but there's no substitute for good old-fashioned common sense online.