Announcement: Privacy tab added to the developer dashboard


Simeon Vincent

Feb 6, 2020, 12:00:33 AM
to Chromium Extensions
Greetings extensions developers,

In July of 2019, we announced a set of updates to the Chrome Web Store Developer Program Policies as part of Project Strobe. These policies are designed to protect and secure the privacy of our end-users. In order to help developers follow this policy, we are launching a Privacy Tab in the Chrome Web Store's new developer dashboard on February 6th.

The Privacy Tab

This new section of the Chrome Web Store developer dashboard collects information about what permissions an extension uses and why. This data, in turn, helps reviewers make an informed decision about whether the permissions used abide by our user data policy.


Once this new section is live, developers must use the Privacy tab to describe the single purpose of their extension. Developers must also justify the permissions declared in the extension's manifest. Justifications should fully disclose how the permission is used by the extension and what functionality it facilitates. Failure to sufficiently or accurately disclose a permission's use may result in enforcement action against the extension.

With this change we hope to improve the communication between extension developers and Chrome Web Store reviewers, thereby streamlining the process of reviewing and publishing extensions.

If you have any questions about this change, please reply to this thread and I'll do my best to answer.

Cheers,

Simeon - @dotproto
Extensions Developer Advocate

Rami Sabik

Feb 6, 2020, 12:04:32 AM
to Chromium Extensions
Hi Simeon, this is a very amazing step.
I hope it speeds up the review process; the unusually long review time is affecting the user experience and hurting businesses at some point.

I hope you take this into consideration.

Thanks for all your efforts.

Anton Bershanskiy

Feb 6, 2020, 6:06:52 AM
to Chromium Extensions
Greetings Simeon,

This is great news!

Will these permission descriptions be available to the extension users (e.g., displayed in the extension page in Chrome Web Store)? As an extension user, I would like to see this information when I'm choosing to install an extension.

Sincerely,
Anton.

Akshay S Murthy

Feb 6, 2020, 6:34:51 AM
to Chromium Extensions
That's a welcome move Simeon! This can definitely improve communication between developers and reviewers.

I have a question though. As much as we try to "fully disclose how the permission is used by the extension and what functionality it facilitates", there are always cases where it is hard to understand / appreciate it for someone who is not familiar with the domain of the extension. In such cases, I would think it's only fair for the review team to get in touch with the developer instead of outright rejecting the extension. Is that how things will happen?

Thanks

Cicero Inc

Feb 6, 2020, 9:37:36 AM
to Chromium Extensions
So when does the Legacy Developer Dashboard go away given this change isn't present there? How much longer is the new dashboard in "beta"?

Ben Tucker

Feb 6, 2020, 11:45:07 AM
to Chromium Extensions

Hey Simeon, 


I have a few questions around how this will increase review times. 

When the Project Strobe blog article was released, it stated that developers need to disclose/describe the permissions we are requesting in an about page and/or on the CWS listing itself.

Questions about this:

1.) Are users going to have access to the privacy tab descriptions? If they do, would this still be required in the listing? I feel this would be almost overkill. (situational, I know)

2.) How will this make reviews faster if support already has the permission descriptions that developers are required to have on the actual store listing? Does this not feel like just an additive step?




Simeon Vincent

Feb 6, 2020, 7:49:24 PM
to Ben Tucker, Chromium Extensions
Will these permission descriptions be available to the extension users (e.g., displayed in the extension page in Chrome Web Store)? As an extension user, I would like to see this information when I'm choosing to install an extension. - Anton Bershanskiy

We are not currently planning to publicly expose this data, but I don't think anything is set in stone. I'd welcome more thoughts on the pros and cons of exposing this information in web store listings.

… there are always cases where it is hard to understand / appreciate it for someone who is not familiar with the domain of the extension. In such cases, I would think it's only fair for the review team to get in touch with the developer instead of outright rejecting the extension. Is that how things will happen? - Akshay

Unfortunately I haven't had a chance to talk to the review team about how they plan to use this information or handle rejections related to insufficient or inaccurate disclosure. I'm hoping to learn more about this in the next few days.

More generally, though, we're exploring ways to improve developer communications (e.g. rejection emails) in order to make them more intelligible and actionable.

So when does the Legacy Developer Dashboard go away given this change isn't present there? How much longer is the new dashboard in "beta"? - Cicero Inc

While I don't think we have an exact date, it's coming soon. There will be a transition period where the new dashboard is the default and users can fall back to the old dashboard if necessary.

1.) Are users going to have access to the privacy tab descriptions? If they do, would this still be required in the listing? I feel this would be almost overkill. (situational, I know) - Ben Tucker

As previously mentioned we're not currently planning to expose this data to end users. That said, we're also planning to update our developer guidance to include this information in the Privacy tab rather than the item's description. The reason we called out the listing description in the past was that we didn't have any other way for developers to share additional information with review. Now that we have a formal mechanism for this, that approach is no longer necessary.

2.) How will this make reviews faster if support already has the permission descriptions that developers are required to have on the actual store listing? Does this not feel like just an additive step?

I can't guarantee that it will make reviews faster. That said, in my own experience working with devs on their rejections I've seen cases where it was difficult to tell how or why a given permission was used or what the developer's intent was. This becomes especially important as we increase enforcement of the Use of Permissions policy.

I've spent more time than I care to admit turning a CRX file this way and that in order to figure out what a developer is trying to do and if that's the right approach, so I can only imagine what this experience is like for actual reviewers. I expect this data will help reviewers get to the core of what they're after faster. 

Cheers,

Simeon - @dotproto
Extensions Developer Advocate


afkplus

Feb 10, 2020, 3:38:37 PM
to Chromium Extensions
So, how are we supposed to save this form? I filled it out, but there isn't a Save button anywhere on the page. Please assist.

SoerenM

Feb 10, 2020, 3:53:34 PM
to Chromium Extensions
While a previous draft/version is under review you can't make any changes there...

Simeon Vincent

Feb 10, 2020, 5:28:33 PM
to SoerenM, Chromium Extensions
SoerenM got to the core issue. I admit this is a confusing user experience; there's an issue on the team's backlog to address it.

Simeon - @dotproto
Extensions Developer Advocate


Guilherme Dellagustin

Feb 10, 2020, 5:33:27 PM
to Chromium Extensions
Hello Simeon,

That is very good news to absolutely everyone, it will make the lives of reviewers, developers and users better.

Some comments:
  1. For Manifest V3, consider enhancing the manifest definition to include the information we today have to fill in the form; this way the information can be source controlled and versioned together with the extension code in a structured way.
  2. Please consider allowing for multi-line text, at least for the permissions; having to explain in a single line is not at all handy.
  3. Please consider splitting the explanation for host permissions, as it has many subcategories (cookies, webRequests, permissions, content_scripts, etc...).
  4. Regarding showing this information to the user: I am in favor of showing this information to the user both at the Chrome Web Store for static permissions, and also somehow at the permission pop-up shown to the user when requesting optional permissions at runtime - this is tricky, it would require internationalization (i18n) of this information.
  5. This ship has sailed, but next time you implement something like this where a new process becomes mandatory, please allow developers a grace period to adapt. I understand you released this new tab on the web store at the same time you made the fields mandatory. In the world of software, this is a non-backwards compatible change, and it is a big deal. Imagine developers that have a lot of extensions and want to continue to ship bug fixes to their users: you simply forced them to stop what they were doing to fill the forms, without time to plan and prioritize these activities. Project managers are throwing darts at your picture at this very moment (I know it was most likely not your decision, but I think you get what I am trying to say here).
    In my opinion, you should have released the new privacy tab first, and only made the fields mandatory one or two months afterwards.
  6. This is the kind of news I expected you to have announced on the ugly, but efficient, yellow notification boxes on the top of the classic Developer Control Panel.
Best Regards,
Guilherme.