Google puts a new pair of restrictions on Chrome extensions that are meant to make browser add-ons more responsive to user privacy. The most important change is that all extensions are now required to use the "minimum set of required permissions" when requesting access to data. So if a task can be completed over multiple routes, the extension must be the one that requires access to the least sensitive amount of data.
In addition, Google will also require more extensions for placing privacy policies in the Chrome Web Store. This requirement already applies to extensions that require "personal and sensitive user data", but now it is extended to extensions that require access to any form of personal communication or content generated by the user.
Both policies will be implemented sometime in the fall, with Google promising developers at least 90 days in advance before they take effect. Extensions that do not meet the requirements are removed from the store and disabled in Chrome browsers.
In addition to the new policy for Chrome extensions, Google announces a similar data limitation policy for apps that use Google Drive. They will now be restricted from & # 39; widely accessible & # 39; content and only need to open the specific files they need. Full backup services and other apps that require full access are still allowed, but Google will investigate them first.
The changes all stem from the somewhat widespread realization last summer that Gmail app developers have virtually full access to user emails. In the following months, Google began limiting developers' access to user data on many of its platforms, including Gmail. Although no major vulnerabilities have yet been identified, Google is clearly aware of what could happen if an unscrupulous developer benefits from generous data permissions – it is almost the formula for Facebook's Cambridge Analytica scandal – and is trying to curb that access before something goes wrong.