Skip to main content

Google Chrome extensions will be required to minimize access to user data

Google Chrome extensions will be required to minimize access to user data

Share this story

Stock imagery of the Chrome logo.
Illustration by Alex Castro / The Verge

Google is putting a new pair of restrictions on Chrome extensions meant to make the browser add-ons more considerate of users’ privacy. The major change is that all extensions will now be required to use the “minimum set of permissions necessary” when asking for access to data. So if a task can be accomplished through multiple routes, the extension will be required to take the one that requires access to the least-sensitive amount of data.

On top of that, Google will also begin requiring more extensions to post privacy policies in the Chrome Web Store. This requirement is already in place for extensions that require “personal and sensitive user data,” but now it’s being expanded to extensions that need access to any kind of personal communication or content generated by the user.

Google has been limiting access over the past year to protect user data

Both policies will be implemented sometime this fall, with Google promising developers at least 90 days’ notice before they go into effect. Extensions that don’t come into compliance will be removed from the store and disabled within Chrome browsers.

In addition to the new Chrome extension policies, Google is announcing a similar data limitation policy for apps that tap into Google Drive. They’ll now be limited from “broadly accessing” content and instead be required to access only the specific files they need. Full-on backup services and other apps that require total access will still be allowed, but Google will vet them first.

The changes all stem from the somewhat widespread realization last summer that developers of Gmail apps have near-complete access to users’ emails. In the months since, Google has begun limiting developers’ access to user data across many of its platforms, including Gmail. While there haven’t been any major security breaches yet, Google is clearly aware of what can happen if an unscrupulous developer were to take advantage of generous data permissions — it’s pretty much the formula for Facebook’s Cambridge Analytica scandal — and it’s trying to clamp down on that access before anything goes wrong.