So, it’s been in the news that Google is going to remove extensions from the Chrome Web Store that don’t comply with their new privacy guidelines.

I guess I’d believe there’s good intentions behind this. That Google wants to protect users’ private data and all… but I’m afraid this won’t have a happy ending.

Since this is uneasily familiar, let’s start with a little story first.

Several years ago I developed a Chrome extension to solve a trivial problem I had. It was a pretty simple thing, so after using it myself for a while, I released the source code on Github and published it for free on the Chrome Web Store (I think it even wasn’t named like that back then). Maybe someone was trying to solve the same problem, right?

Immediately after, I forgot about the whole deal.

Fast forward two years. Out of nothing, I’ve got an email from someone offering to purchase my extension for a fairly irrational sum. Purchase… what? Who’d want to pay that much for a few dozen lines of JavaScript? Plus, it’s open source already!

Naivety at its finest. I checked back my little extension to see how it was going, and everything dawned altogether on me: it’s now a five-star app, has been featured in the media several times, it’s been included in pretty much every list of must-have Chrome extensions, and over the course of two years it slowly acquired hundreds of thousands of users.

It was flattering, but also revealing. They couldn’t care less about the functionality or the code… what they want is to purchase the userbase.

The offer smelled fishy at first, but now it was totally stinking. It was clear to me that they wanted to purchase the extension to do very bad stuff. It may be something annoying like filling it up with ads, or totally catastrophic like injecting a silent keylogger into it to steal all browsing private data.

Of course, I ignored the offer.

A few more years passed, through which I’ve received at least a dozen more offers for the extension, each one being incrementally fishy. A couple of them were explicitly criminal in their proposal.

And that’s where the new Google policy fails.

The new policy revolves too much around “telling your users” what you’re going to do with their data via “prominent disclosure” and a privacy policy.

If you ever managed a moderately busy website, you know how many views the Privacy Policy page gets: none. Apparently nobody read privacy policies. Not even lawyers.

The implementation for the “prominent disclosure” Google is asking for is totally up to the developer. If they fill the entire screen with something that looks like a confirmation dialog or a lengthy legal agreement, most people is going to blindly click through it.

But the main problem is… it’s too damn late. Literally years too late.

I ignored all those offers because of ethical reasons and nothing else.

I never profited from the extension, and neither had plans to do so, even though I still push minor compatibility updates to it from time to time. One single user was kind enough to look me up and send a few dollars as a token of appreciation. That was the entire “profit” for 5+ years.

I could have sold my accidentally established userbase for four figures, but I didn’t. Assuming I wasn’t going to get ripped off, of course.

But there’s people out there not giving a damn about ethical reasons, and others that actively create software to break into the privacy of their users, and steal their data. More than everyone is willing to admit. It’s not just the NSA.

Apparently there’s a whole business in creating (or acquiring) moderately big and established user bases, gain their trust, and then start profiting on them by using (at best) questionable methods.

That’s a problem endemic to all App Stores, including tightly controlled ones. Permission dialogs are hard to understand for people not knowledgeable enough, and even then, their descriptions are so generic and vague that you can’t exactly tell what the software is going to do with your data anyway. If some piece of software people already uses suddenly asks for more permissions on an update… yeah, whatever, just do it. There may be a good reason for it, right?

Privacy policies and “prominent disclosures” just mean adding more text that nobody is going to read or understand anyway.

Google is not aiming to tell legit developers to be more transparent. It’s trying to get shady (or downright illegal) ones to become legit by showing a confirmation dialog. Not going to work.

Or maybe it’s just a way to avoid liability?

I sincerely hope the actual method Google will use to detect offending extensions is reliable enough, like amazingly reliable… because the massive amount of sandboxing they already enforce on Chrome extensions doesn’t really work to solve this kind of problem.

Otherwise this will be just a marketing effort trying to make the Chrome Web Store to be perceived as a privacy heaven, when it’s been years of the exact opposite.