Slashdot Mirror


Google Updates Chrome Web Store Policy, Requires Devs To Be More Transparent About User Data

An anonymous reader writes: On Friday, Google announced it is making changes to Chrome Web Store's User Data Policy to ensure developers are more transparent about how their extensions handle customer data. The company has notified developers and is giving them three months to comply with the changes. Come July 15, 2016, company says, extensions that violate the policy will be removed from the Chrome Web Store. The announcement comes amid a report that pointed out a rogue extension in the Chrome Web Store. The incident was one of many we have seen in the past few months. Following are the requirements that a developer must meet:

1. Be transparent about the handling of user data and disclose privacy practices.
2. Post a privacy policy and use encryption, when handling personal or sensitive information.
3. Ask users to consent to the collection of personal or sensitive data via a prominent disclosure, when the use of the data isn't related to a prominent feature.

13 comments

  1. And Android apps? by pz · · Score: 2

    How about Android apps? Sure, it's nice to know that something I've downloaded needs access to my camera, or my files, or my contacts, etc., but I'd like to have the transparency about exactly WHAT they will be doing with that access.

    In some cases, the nefarious intent is pretty clear. There are airline apps that want access to my camera. Not going to happen. There are car tuning apps that want access to my contacts. Not going to happen. There are music apps that want access to my location. Not going to happen.

    In other cases, though, there is a plausible case for access, but it might well be hiding nefarious intent. Although a published policy alone won't prevent nefarious intent, if there's enforcement behind it, it will certainly help.

    What I fear, though, is the equivalent of EULAs -- documents so large and complex that it becomes effectively impossible to read through them. We need the equivalent of simple language instructions. In my line of work, I occasionally have to write documents for public consumption that are strictly enforced to be short and understandable by people with reading skills of an 8 year old. Why can't we have EULAs, and by extension privacy and transparency documents, with the same requirements?

    --

    Put my fist through my alarm clock with its ding-dong death inside my ear. - The Blackjacks.
    1. Re:And Android apps? by ArylAkamov · · Score: 2

      Ever browse flashlight apps?

      Nearly all of them want access to your camera (Understandable, as it uses the led flash), microphone, contacts, GPS location, file system.

      Too bad most people don't bother to read what various "apps" want access to (Or don't care).

    2. Re:And Android apps? by tlhIngan · · Score: 2

      In other cases, though, there is a plausible case for access, but it might well be hiding nefarious intent. Although a published policy alone won't prevent nefarious intent, if there's enforcement behind it, it will certainly help.

      Actually, the main reason for the overreach is because the app is free, and the devs are making it up showing ads. It's a sad fact that Android users as a whole hate paying for apps (the app piracy rate rivals the PC, and we're talking 99 cent apps here, not Photoshop or Office). Thus, as a dev, well, the only way is to sell ads. (Which is probably why Google's got you covered).

      And those ad networks are, generally speaking, going to try to rape your phone of its data. Like they did on iOS until Apple made the user painfully aware of that.

      As for other apps - an airline app may want camera access so you can quickly transfer a booking to your phone - you know, to show the gate agent your electronic ticket instead of a paper printout. This may require scanning in the information via a barcode, which requires the camera.

      And until the FTC started making noise about it, I'm sure some apps needed microphone access to see what you were watching on TV or listening to on the radio.

    3. Re:And Android apps? by Anonymous Coward · · Score: 0

      How about Android apps? Sure, it's nice to know that something I've downloaded needs access to my camera, or my files, or my contacts, etc., but I'd like to have the transparency about exactly WHAT they will be doing with that access.

      In some cases, the nefarious intent is pretty clear. There are airline apps that want access to my camera. Not going to happen. There are car tuning apps that want access to my contacts. Not going to happen. There are music apps that want access to my location. Not going to happen.

      In other cases, though, there is a plausible case for access, but it might well be hiding nefarious intent. Although a published policy alone won't prevent nefarious intent, if there's enforcement behind it, it will certainly help.

      What I fear, though, is the equivalent of EULAs -- documents so large and complex that it becomes effectively impossible to read through them. We need the equivalent of simple language instructions. In my line of work, I occasionally have to write documents for public consumption that are strictly enforced to be short and understandable by people with reading skills of an 8 year old. Why can't we have EULAs, and by extension privacy and transparency documents, with the same requirements?

      OK, here's a short boilerplate EULA:

      1) There is no warranty, even for the primary purpose of this product.

      2) All rights that are not your rights are our rights.

      3) You have no rights.

      4) Your data is owned by you. That way, it's harder for us to get in trouble.

      5) Your data is private, except for data we share with our internal corporate departments, our friends, third-party marketing companies, law enforcement, and governments.

      6) Your data will be retained for long enough for us to extract maximum profit from that data. After that period, it will be held for an additional time, in case any of the parties from (4) have additional uses for that data.

      7) Regardless of damages provided by this product, you can sue us for no more than $20 in a small claims court located nowhere near where you live.

      8) Class-action lawsuits are prohibited.

    4. Re:And Android apps? by Anonymous Coward · · Score: 0

      access to your camera (Understandable, as it uses the led flash)

      As a software developer, I don't find that understandable.
      Why do I need to give an app access to my camera to enable it to toggle the LED flash?
      Google made these permissions way too coarse, giving apps way more access than they need.
      And then they made it much worse by automatically giving an app any right it wants from right groups it already had access to...

  2. Sergey says... by Anonymous Coward · · Score: 0

    "You be transparent so we don't have to."
    ---

    "Transparent" is such a cool buzzword, I feel cleaner, proper and more righteous just by saying it. Heck I don't think I'm going to shower for a few days.

    1. Re:Sergey says... by Anonymous Coward · · Score: 0

      I got no reason for the access I do,
      The user uses and the user's screwed.
      You throw your info into your device
      My name is Google and your data's mine!

      Sergey says, turn on the radio,
      Sergey says, turn on the video
      Sergey says, turn on the lights
      You give yourself up cause you love it!

      Something something APPS

  3. A Little Late, Don'tcha Think? by macs4all · · Score: 1

    With well over a MEELION Apps in the Play Store, don'tcha think that this great revelation by Google comes about FIVE YEARS too late?

  4. Let me FTFY... by tlambert · · Score: 1

    "extensions that Google somehow magically detects that they violate the policy will be removed from the Chrome Web Store"

    OK, FTFY... all better!

  5. Fuck you Google by Anonymous Coward · · Score: 0

    First, Google fucks the consumers, now they fuck the developers, soon, they'll fuck themselves.

  6. ya... by Anonymous Coward · · Score: 0

    like that'll help at all.

    google lets in so many bad actors it's almost safer to sideload from unknown sources if you're going for anything besides the most mainstream of 'apps' or extensions.

  7. ruling lossy compression illegal by Anonymous Coward · · Score: 0

    "files that can't be decompressed back to their exact originals"

    ruling lossy compression illegal (ex: jpeg, video, Adaptive Multi-Rate hence GSM / mobile phones)