Google updated its Chromium platform in October to make Chrome users feel like their extensions were "safe, privacy-preserving and performant." Later it emerged that Google's changes would hamstring ad blockers, which made its motivations seem a bit less altruistic, but on Wednesday the company doubled down on the claim that it's not looking to remove ad blockers from Chrome.
Much of Google's blog post was devoted to its work on preventing abuse conducted by Chrome extensions. The company said it expanded its teams for the browser add-ons, fought to make the installation process less predatory and limited the data extensions can gather. These efforts purportedly led to an 89% decrease in malicious installs since early 2018, as well as the blocking of 1,800 malicious uploads per month.
The changes related to ad blocking are part of a larger update called Manifest V3. Here's how Google explained some of the changes it's making to Chromium's APIs--namely the Web Request and Declarative Net Request APIs--that are expected to affect ad-blocking tools:
"At a high level, this change means that an extension does not need access to all a user’s sensitive data in order to block content. With the current Web Request API, users grant permission for Chrome to pass all information about a network request - which can include things like emails, photos, or other private information - to the extension. In contrast, the Declarative Net Request API allows extensions to block content without requiring the user to grant access to any sensitive information. Additionally, because we are able to cut substantial overhead in the browser, the Declarative Net Request API can have significant, system-level performance benefits over Web Request."
Ad blockers could theoretically be updated to support the new Declarative Net Request API rather than relying on the existing Web Request API. Google's pitched that switch as a benefit for developers and users alike. The new API supports more rules, limits the data provided to extensions and is supposed to enable more dynamic blocking than its predecessor. It's certainly being portrayed as an improvement.
But the switch could leave Chrome users without strong ad-blocking options as developers attempt to move to the new API. That switch also incurs real costs for those developers, some of whom don't monetize their extensions, and could limit their ability to introduce new features instead. Wired reported that some devs are also worried that switching to the new API would give Google even more control.
Google explained in a separate blog post why it's not simply offering both APIs:
"In addition to the performance concerns raised above, the Chrome team strongly believes that users should not have to expose their emails, photos, social media, or any other sensitive data to an extension if the extension doesn’t actually need that access to perform its function. And historically, when extension developers are given the choice between capability and security, the vast majority of developers choose capability. We've seen this repeatedly on the extensions platform with event pages, optional permissions, and activeTab."
This almost feels like watching a fox point out all the ways a coyote's tried to steal a farmer's livestock. There's no doubt that malicious extension developers exist, and the driving force behind Silicon Valley's surveillance economy certainly knows how technology can be exploited to profit off the collection of personal information, but the hypocrisy is just a little unsettling.
We suspect this back-and-forth won't end until Manifest V3 is finalized and integrated in Chrome. In the meantime, Mozilla's been working to improve Firefox's privacy features, and a trio of browsers that rely on Chromium have announced their intent to continue supporting the Web Request API despite relying on the same base as Chrome.
