Extensions are an amazing way to customize your Chrome experience, but some of them ask for a lot of data for no apparent reason. I talked with programmer Joe Flores and Meldium co-founder Boris Jabes to get insight into how permissions work, and see if it’s something you should be worried about or not.
Why Chrome Extensions Need Permissions
Chrome extensions use permissions to tell you exactly what data they’re accessing on web sites you visit. Extensions have 10 different permissions ranging from “your physical location” to “all data on your computer and the websites you visit.” They’re divided into three alert levels: High (access to everything online and on your computer), Medium (access to most data on web sites), and Low (access to very specific things like bookmarks, history, or location).
For example, an extension like Pocket needs access to “Your data on all websites,” and “your tabs and browsing activity.” This sounds like a lot, but since Pocket is a read-it-later service it needs those permissions just to operate. Without them, it couldn’t save the URL link from the site you’re on.
So, why do some extensions need broader access than others? Jabes notes that part of the issue is just the wording Chrome uses:
Chrome’s warnings when you install an extension are overly conservative in their text. For example, one of the extensions I use, ChromeReload, is a very simple tool that asks for “Your data on all websites” and “Your tabs and browsing activity.” All it needs is to attach a marker on each tab that keeps track of when it was last reloaded, but Chrome doesn’t provide a “polite” prompt for this.
Simply put, Chrome doesn’t offer any granularity with permissions requests—it’s an all-or-nothing approach for extension makers, and sometimes the broader permission requests are just easier to program for.
The sad truth here is that it’s pretty difficult to really track down why an extension needs the permissions it does. Sometimes it’s obvious—with an RSS Reader like Feedly, the extension can’t work without accessing “your data on all websites” because that’s the fundamental permission it’s built on. Every time you visit a site, a bit of JavaScript code runs, and Feedly does its business. In order for that to work properly, it needs to run on every web site. But other times, it isn’t so easy to tell.
When You Should Be Careful About What Extensions You Install
Chrome’s permission warnings are vague enough to cause alarm when you install pretty much any extension out there, so it’s good to pay attention to what you’re doing. For the most part, common sense rules here: if an extension is asking for unreasonable permissions that don’t make any sense, you probably don’t want to install it.
That said, pretty much any extension that asks for “All data on your computer and the websites you visit” is probably worth a very close look. These extensions aren’t inherently bad. Any extension, like the screenshot tool Lightshot, that accesses your hard drive needs this permission. But it’s worthwhile to pay closer attention to any extension that asks for data on your computer.
Thankfully, an extension that’s capable of really scraping your data is going to set off alarms. Flores notes:
Chrome will prompt you for “access to your data on all websites” which sounds really scary, but is technically BS—the sheer scale of most of the APIs required for the big boys (Facebook, Twitter, etc.) would result in a large, more unwieldy plugin that would set off alarm bells. No one would likely be able to cram enough code into a single plugin to manage to get “all” your information and still have a functioning plugin in only JavaScript.
While an extension might not gun for all your data, it’s certainly possible to grab specific information, like a password, so before you download anything it’s worth looking through an extension’s reviews to see what other people are saying. Chances are someone will notice an overreaching extension pretty quickly.
It’s not a perfect system, but for the most part, even extensions that request access to all your data on web sites are safe to use. It’s unfortunate that Chrome doesn’t allow for more specific permissions, but with a little common sense you shouldn’t run into trouble.
If you want to be extra careful, only install extensions from verified authors. You’ll see a little check mark on the extension’s Chrome Web Store page that verifies it’s official. Not every “good” extension has this verification though. For example, LastPass doesn’t have a verification, even though it’s a trustworthy extension. It’s not hard to get verified, but it at least helps you separate the official extensions from the unofficial ones.
If you have a little technical knowledge, you can also dig into an extension’s code to see what it’s doing, or install an extension like Extension Gallery to inspect the code easily. You can get a closer look at what code causes Chrome permission warnings on the developer site as well.
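As an added example (not code from this article or from Chrome), the Node.js sketch below shows what to look for when you open an extension's manifest.json: it lists the install warnings the declared entries trigger, using the warning strings and alert levels described above. The sample manifest is constructed, `auditManifest` and `hostWarning` are illustrative names, and placing "tabs" in the Low tier is an assumption.

```javascript
// Added example: map manifest.json entries to the install warnings they trigger.
// Constructed sample manifest (not a real extension).
const sampleManifest = {
  name: "Example Reloader",
  permissions: ["tabs", "bookmarks", "https://example.com/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["mark.js"] }],
};

const ALL_SITES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);
const API_WARNINGS = new Map([
  ["tabs", "Your tabs and browsing activity"], // Low tier is an assumption
  ["bookmarks", "Your bookmarks"],
  ["history", "Your browsing history"],
  ["geolocation", "Your physical location"],
]);
const RANK = { High: 0, Medium: 1, Low: 2 };

// Host match patterns grant page access: every site, or one named host.
function hostWarning(pattern) {
  if (ALL_SITES.has(pattern)) return "Your data on all websites";
  const m = /^(?:\*|https?):\/\/([^/]+)\//.exec(pattern);
  return m ? `Your data on ${m[1]}` : null;
}

function auditManifest(manifest) {
  const found = new Map(); // warning text -> level, de-duplicated
  // A "plugins" entry (NPAPI) means native code with access to the computer.
  if ((manifest.plugins || []).length > 0)
    found.set("All data on your computer and the websites you visit", "High");
  // Content-script match patterns count as host access too.
  const scriptHosts = (manifest.content_scripts || []).flatMap((cs) => cs.matches || []);
  for (const p of [...(manifest.permissions || []), ...scriptHosts]) {
    if (API_WARNINGS.has(p)) { found.set(API_WARNINGS.get(p), "Low"); continue; }
    const w = hostWarning(p);
    if (w) found.set(w, "Medium");
  }
  // Simplification: an all-sites grant makes per-site warnings redundant.
  if (found.has("Your data on all websites"))
    for (const w of [...found.keys()])
      if (w.startsWith("Your data on ") && w !== "Your data on all websites") found.delete(w);
  return [...found]
    .map(([warning, level]) => ({ level, warning }))
    .sort((a, b) => RANK[a.level] - RANK[b.level]);
}

console.log(auditManifest(sampleManifest));
```

In the sample, the broad warning comes from the content script's `<all_urls>` match rather than from the `permissions` list, which is why both places need checking.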