Re: [crx] Google's New/Old Transparent Extension Policy - Question

[Jackie Han]

https://blog.chromium.org/2020/11/transparent-privacy-practices.html

I have a simple question. What does "collect" mean?

What I understand is that "collecting" means sending data to developer's server. For example, "tabs" permission can get the tab's url and title. If url and title are only used in user's browser locally for the functionality, and doesn't send these data to server. Thus I can say I don't collect any user data. Right?

On Thu, Nov 19, 2020 at 4:09 PM Charlie Sheleg <charlie...@gmail.com> wrote:

I understand now that Google has decided to brand certain extensions that don't meet its requirements. Does this finally mean that you're planning to give users a choice? Meaning, can a user decide whether he wants to download a certain extension although Google has branded it as "problematic" or do you intend to kickoff extensions that don't fill out your disclosure form?

"For developers who have not yet provided privacy disclosures by January 18, 2021, a notice will be shown on their Chrome Web Store listings to inform users that the developer hasn’t certified that they comply with the Limited Use policy yet. "

 

Thanks

--
You received this message because you are subscribed to the Google Groups "Chromium Extensions" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-extens...@chromium.org.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/c786deb1-f947-4343-9a79-30864c77ca76n%40chromium.org.

--

韩国恺(Jackie)

[Deco]

Correct - the term "collected data" specifically is implying the data being transported outside the local environment, that is a third party connection request. It still might be worthwhile mentioning specific functions are stored locally for the function of the extension, however this isn't subject to the same mandatory requirements spelled out in the Limited Use Policy.

Hope this helps,

Deco

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CAAgdh1JJhKRK7oWxUPi7a6-6T1Gy3eP4bm%2BaBHxuTHKNTtEqAw%40mail.gmail.com.

[Jackie Han]

It still might be worthwhile mentioning specific functions are stored locally for the function of the extension, however this isn't subject to the same mandatory requirements spelled out in the Limited Use Policy.

Thanks for your supplement. Local data (chrome.storage, localstorage, indexeddb, cachestorage, websql) if only saved locally, and don't send to server, that means the extension don't "collect data".

--

韩国恺(Jackie)

[Jackie Han]

I just thought of another case. For example, a TODO extension , which doesn't require any extension permissions. All data comes from user input, and the todo data(no other data) is saved in the cloud(developer's server), thus users can use their data on other devices. Is this situation considered as collected user data? Need to declare "I only 'collect' your input data, what you input I don't care, may be your personal information".

--

韩国恺(Jackie)

[Deco]

Even though this data scope is limited in nature, it is still initiating a third party server request, and thus would be considered "collecting data". As such it would have to comply with the Limited Data Usage policy. Even though the scenario isn't collecting personal data, it still is the data of it's users. The data privacy declaration would simply be smaller in nature.

Thanks,

Deco

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CAAgdh1K85h7-4W07cXH4kaG8BS-V5QYSQBv0TQNmuOgz-eQE3Q%40mail.gmail.com.

[Charlie Sheleg]

Also, what is the point of issuing a new policy, saying it will come into effect in January but not allowing to update extensions now unless you agree to it?

What if I need to update my extension's privacy policy as an Indie developer (which so happen to be the case) in order to comply with the new policy and I don't own a battery of lawyers like Google does.
Does this mean I can't update my extension until I raise enough capital to have my Privacy Policy reviewed by a law firm?

Why aren't you thinking of the little guys? We are not all Billionaires...

[Deco]

I am not a legal or developer who is representative of Google - please do not imply as so. I am merely here to assist users with questions.

Thanks,

Deco

On Thu, 19 Nov 2020 at 15:03, Charlie Sheleg <charlie...@gmail.com> wrote:

Also, what is the point of issuing a new policy, saying it will come into effect in January but now allowing to update extensions now unless you agree to it?

What if I need to update my extension's privacy policy as an Indie developer (which so happen to be the case) in order to comply with the new policy and I don't own a battery of lawyers like Google does.
Does this mean I can't update my extension until I raise enough capital to have my Privacy Policy reviewed by a law firm?

Why aren't you thinking of the little guys? We are not all Billionaires...

[Charlie Sheleg]

Decklin , sorry for the misunderstanding I was addressing a Google representative, not you. This why I initiated this thread in the first place, you just replied to a comment on it...

[Deco]

No problem, mistakes happen.

Regards,

Deco

[Jackie Han]

what is the point of issuing a new policy, saying it will come into effect in January but not allowing to update extensions now unless you agree to it?

You can update your extension, after checking the last 3 disclosures, since anyway you must agree. Temporarily ignore "What personal and sensitive data do you plan to collect" section, and update them when you prepare them. Of course, I don't represent google, just a suggestion.

--

韩国恺(Jackie)

[Simeon Vincent]

…can a user decide whether he wants to download a certain extension although Google has branded it as "problematic" or do you intend to kickoff extensions that don't fill out your disclosure form? - Charlie

CWS is not relaxing any of our existing policies or practices. Per the User Data FAQ, "Starting March 2021, the Chrome Web Store team will reach out to developers with a warning to complete the disclosure requirement. Inaction after 30 days of the warning will result in the suspension of affected items and the deactivation of the existing user-base."

I have a simple question. What does "collect" mean? - Jackie

In short, we're referring to any data that an extension accesses.  I think the actual policy language and FAQ are clearer than the blog post here. The User Data Privacy section begins by stating that "You must be transparent in how you handle user data (e.g., information provided by a user or collected about a user or a user's use of the Product or Chrome Browser), including by disclosing the collection, use, and sharing of the data." A bit further down, the Prominent Disclosure Requirement in the Personal or Sensitive User Data sub-section states that:

If your Product handles personal or sensitive user data that is not closely related to functionality described prominently in the Product's Chrome Web Store page and user interface, then prior to the collection, it must:

• Prominently disclose how the user data will be used, and
• Obtain the user's affirmative consent for such use.

We also tried to directly address this question in the User Data FAQ.

Thanks for your supplement. Local data (chrome.storage, localstorage, indexeddb, cachestorage, websql) if only saved locally, and don't send to server, that means the extension don't "collect data". - Jackie

As discussed above the policy is broader than that and data storage should still be disclosed. While the prompt in CWS states "What personal and sensitive data do you plan to collect from users now or in the future?", I believe the intent of the form is broader than "collection".

Note that the 3 checkboxes at the bottom of the form require you to certify that you do not "Use or transfer user data for purposes that are unrelated to my item's single purpose" or "Use or transfer user data to determine creditworthiness or for lending purposes". The phrase "use or transfer" is more in line with the language used in the policy itself.

Also, what is the point of issuing a new policy, saying it will come into effect in January but not allowing to update extensions now unless you agree to it? - Charlie

While Jackie noted that only the certification checkboxes are required today, I'm currently trying to get confirmation on whether or not this behavior is intentional.

Cheers,

Simeon - @dotproto

Chrome Extensions DevRel

To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/chromium-extensions/CAAgdh1J%3DTdu3SVukyX9jygnGETw9nwgF-kwk8Y%3Dz3%2BLdLWyPGg%40mail.gmail.com.

[Jackie Han]

I made a diagram above to illustrate my point of view and understanding.

Deco and I think 'collecting user data' means to send data to developer's server.

We cannot confuse power with responsibility (namely extension functionality and user privacy) . For example, if I have weapons, then I have the ability to kill people, but it can't be said that people with weapons are murderers. I think most extension developers would like to disclose the details of how the extension works and how user data be used(although it will take our time). What developers really worry about is that these statements may mislead users.

I have read these two links

• https://developer.chrome.com/webstore/program_policies
• https://developer.chrome.com/webstore/user_data

What does "handle" mean in the User Data Policy? What are some common ways a Product handles personal or sensitive user data?
Generally, by "handle" we mean collecting, transmitting, using, or sharing user data.

The above statements use and explain the "handle" word. So I don't agree that Simeon use word "access" instead of "handle" for explanation, that is not the same meaning.

What does "collect" mean? 
In short, we're referring to any data that an extension accesses. - Simeon

Extensions need to 'access' some data to implement it's functionality. But if it only access data in browser and don't send data to server, that only means the extension access data in browser, it doesn't mean developers can access data and developers 'collect' data. Please don't let users confuse them. 

I hope CWS can let users clearly distinguish these.

[Simeon Vincent]

I think I originally misunderstood the question and provided an unintentionally misleading answer. My intent was to clarify the policy's use of "data handling", but I only realized after I responded that you were most likely referring to the use of the term "collect" in the data usage form in the privacy tab of the CWS developer dashboard. The requirements of the User Data Privacy policy and the CWS form are slightly different.

Jackie, I think the interpretation you and Deco discussed is most likely accurate. My main hesitation is that "collect" might be interpreted as including data stored locally on the user's device. For example, if your extension were to display a historical chart of when the user performed certain activities, the extension would need to gather and store that information somewhere. I think "collect" would be a fitting verb to describe that process. I'll have to look into and follow up on this.

More broadly, though, I'm glad we're having these conversations now. We do our best to anticipate the questions folks will ask or possible areas of confusion, but obviously there are gaps. I expect that we will iterate on our supplementary docs and possibly the CWS UI to make what we're asking for clearer. I anticipate that in the coming days I'll be sharing updates about and asking for feedback on revisions of these resources.

Cheers,

Simeon - @dotproto

Chrome Extensions DevRel

[geng...@gmail.com]

On Fri, Nov 20, 2020, Simeon Vincent wrote:

Jackie, I think the interpretation you and Deco discussed is most likely accurate. My main hesitation is that "collect" might be interpreted as including data stored locally on the user's device. For example, if your extension were to display a historical chart of when the user performed certain activities, the extension would need to gather and store that information somewhere. I think "collect" would be a fitting verb to describe that process. I'll have to look into and follow up on this.

More broadly, though, I'm glad we're having these conversations now. We do our best to anticipate the questions folks will ask or possible areas of confusion, but obviously there are gaps. I expect that we will iterate on our supplementary docs and possibly the CWS UI to make what we're asking for clearer. I anticipate that in the coming days I'll be sharing updates about and asking for feedback on revisions of these resources.

 Hi, Simeon. I'm still waiting for your follow-up.

While waiting for Simeon's reply, let me rephrase the questions discussed earlier into more practical ones.

Question 1

If my extension has code like this:

// Using "activeTab" permission.

chrome.browserAction.onClicked.addListener((tab) => {

  // Handle(?) the URL of the active tab.

  if (tab.url.startsWith("https://example.com/")) {

    chrome.tabs.executeScript({file: "example.com.js"});

  }

});

Do I have to check one or more boxes in the data usage form. If so, which one(s)?

Question 2

If my extension has code like this:

function addTodoItem(todoItem) {

  // todoItem is created by the user.

  chrome.storage.sync.set({[Date.now()]: todoItem});

}

Do I have to check one or more boxes in the data usage form. If so, which one(s)?

Thanks,

Mitaka

[hrg...@gmail.com]

The whole point of being transparent about the use of personal data, is that users know if any of their personal data is revealed to somebody else.

The only possible way that personal data can be revealed to somebody else is by sending that data away from the user's computer, period.

If you don't send the data anywhere outside the user's computer, then that data is not being "collected".

That's the only reasonable interpretation of the verb "to collect" in the context of user privacy.

In the case of chrome.storage.sync, even though the data is technically being sent outside the user's computer, that transmission process is handled by the browser, not by your extension. So, you are not collecting anything.

[geng...@gmail.com]

If you don't send the data anywhere outside the user's computer, then that data is not being "collected".

That's the only reasonable interpretation of the verb "to collect" in the context of user privacy.

Well, that's a view shared by (perhaps) a lot of extension authors including myself, but I'm not sure if the CWS team shares that view as you can see from Simeon's previous posts on this thread or the official documentations. That's why, once again, I'd like to ask someone from the CWS team for clarification on whether the new disclosure requirement applies to the following cases:

• a one-off access to user data (like tab.url)
• storing user data locally
• storing user data using chrome.storage.sync API

And one more question.

The User Data FAQ says:

"Starting March 2021, the Chrome Web Store team will reach out to developers with a warning to complete the disclosure requirement. Inaction after 30 days of the warning will result in the suspension of affected items and the deactivation of the existing user-base."

If I leave the form unchecked because I think I don't "collect" user data at all, can the CWS team understand my intention and exclude me from the list of developers that don't complete the requirement? Or should I leave the disclosure section unchecked and check all the three boxes in the certification section?

 

[geng...@gmail.com]

Simeon, please answer my questions. The first deadline (January 18, 2021 according to this blog post), after which extensions that have not yet completed the disclosure requirement will be displayed as such, is less than a week away.

On Fri, Nov 20, 2020, Simeon Vincent wrote:

[Jackie Han]

Thanks for the reminder. I have a question, for some old extensions, I don't have a new version to publish. So I only check these items in the privacy panel on the dev dashboard and save them. Is this Ok? Don't click the 'submit' button, right?

--

韩国恺(Jackie)

[Simeon Vincent]

Jackie, you will need to publish your extension in order for the privacy disclosure to get picked up.

geng…@, I'll do my best to answer your questions. Again, I am not a lawyer and my comments should not be taken as legal advice. 

1. a one-off access to user data (like tab.url)
   

1. This does not require a disclosure. 
2. storing user data locally
   This does not require a disclosure.

1. storing user data using chrome.storage.sync API
   

1. This requires a disclosure because the information is leaving the user's device.

Cheers,

Simeon - @dotproto

Chrome Extensions DevRel

[geng...@gmail.com]

Hi, Simeon. Thank you for your answer.

And what about my second question? Can I leave the form ("disclosure" and "certification" sections) unchecked if I don't collect user data?

Also (sorry if I ask too much), could you take a look at this thread ("New Privacy Selections and User Generated Content") and comment on it?

Mitaka

[Jackie Han]

Q: storing user data using chrome.storage.sync API
A: This requires a disclosure because the information is leaving the user's device.

But privacy and security are guaranteed by Google, right?

I usually use it to save the user settings of the extension, and do not contain user privacy information.

--

韩国恺(Jackie)