In a bid to ensure that the Chrome Web Store doesn’t host any malicious Chrome extensions, Google routinely updates the platform’s privacy policies. Back in October 2018, the company announced one such update which was aimed at making extensions more secure. As part of the update, Google introduced new user controls for host permissions, made changes to the extensions review process, added new code readability requirements, and made 2-Step Verification necessary for Chrome Web Store developer accounts. While such changes are great for keeping malicious extensions off the platform, they now seem to be affecting legit Chrome extensions like Pushbullet and Join.
“Your product violates the ‘Use of Permission’ section of the policy, which requires that you:
- Request access to the narrowest permissions necessary to implement your product’s features or services.
- If more than one permission could be used to implement a feature, you must request those with the least access to data or functionality.
- Don’t attempt to “future proof” your product by requesting a permission that might benefit services or features that have not yet been implemented.”
Just submitted an updated extension for another review! This attempt removes our optional clipboard permissions (which disables the feature they are needed for, sadly) and limits our localhost request to only the port we need. Fingers crossed we hit the mark this time!
— Pushbullet (@pushbullet) May 13, 2020
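As an added illustration (not code from Pushbullet, Join or Google), the script below checks a manifest against the three points of the policy quoted above and shows the kind of narrowing the tweet describes. The manifests, the feature list and port 20807 are constructed and do not describe either extension's real configuration.

```javascript
// Added example. Manifests, feature list and port 20807 are constructed.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const LOOPBACK = new Set(["localhost", "127.0.0.1"]);

// Split a host match pattern into host and port; null for API permission names.
function parseHostPattern(entry) {
  const m = /^(?:\*|https?):\/\/([^\/:]+)(?::(\d+|\*))?\/.*$/.exec(entry);
  return m ? { host: m[1], port: m[2] || null } : null;
}

// features: [{ name, shipped, needs: [permission name or host pattern, ...] }]
function auditManifest(manifest, features) {
  const declared = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
    ...(manifest.host_permissions || []),
  ];
  // Only features that exist today can justify a permission (no "future proofing").
  const justified = new Set(
    features.filter((f) => f.shipped).flatMap((f) => f.needs)
  );
  const findings = [];
  for (const entry of declared) {
    const host = parseHostPattern(entry);
    if (BROAD.has(entry) || (host && host.host === "*")) {
      findings.push({ entry, rule: "broad-host" });
    } else if (host && LOOPBACK.has(host.host) && (!host.port || host.port === "*")) {
      findings.push({ entry, rule: "loopback-any-port" });
    } else if (!justified.has(entry)) {
      findings.push({ entry, rule: "no-shipped-feature" });
    }
  }
  return findings;
}

const features = [
  { name: "mirror notifications", shipped: true, needs: ["notifications"] },
  { name: "talk to local helper app", shipped: true, needs: ["http://localhost:20807/*"] },
  { name: "clipboard sync (planned)", shipped: false, needs: ["clipboardRead", "clipboardWrite"] },
];
const before = { permissions: ["notifications", "http://localhost/*"],
                 optional_permissions: ["clipboardRead", "clipboardWrite"] };
const after = { permissions: ["notifications", "http://localhost:20807/*"] };

console.log("before:", auditManifest(before, features));
console.log("after: ", auditManifest(after, features));
```

Running a check like this before each submission gives the developer a concrete list to justify or trim, something the generic rejection text quoted above does not provide.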
Sadly though, the developer is left with no other option and has submitted another update with more changes to Pushbullet’s permissions requests. It’s also worth noting that even if the developer’s Google account isn’t suspended due to multiple submissions, they have less than 7 days to update the extension or it will be removed from the Chrome Web Store. When the developer shared this issue on Twitter, two Google developer advocates for Chrome developers had this to say:
Will take a proper read through this, but @DotProto may already have thoughts.
— Rowan Merewood (@rowan_m) May 13, 2020
Yeah, that’s where I’m still catching up. The changes you’ve made look good at first blush, so I’m a little lost on the follow-up rejection. I’m going to open an appeal to get a second opinion.
— Simeon.__proto__ (@DotProto) May 13, 2020
Similarly, Join’s developer also reached out to Google for clarification but received the same generic response. What’s even worse is that when the developer tried to justify Join’s permission requests to the company, he received the same responses over and over again. Despite several attempts, Google didn’t explain what exactly needed to be changed in the extension and said that it couldn’t “provide any additional information regarding the issue.”
While both the Join and Pushbullet Chrome extensions may very well violate Google’s User Data Privacy guidelines, it’s inarguable that the company could have done a better job of communicating exactly how both are in violation, so that the developers can easily fix the issue. At the time of writing, there were no further updates from the developers regarding the matter. We’ll update this post as and when we learn more about the situation.