Let's guess what Google requires in 14 days or they kill our extension

Uh, yikes:<p>&gt; <i>As I looked at the permissions and what our extension actually needs to operate, I noticed a great opportunity to reduce our permissions requests. We do not need to request access to data on <a href="https:&#x2F;&#x2F;*&#x2F;*" rel="nofollow">https:&#x2F;&#x2F;*&#x2F;*</a> and <a href="http:&#x2F;&#x2F;*&#x2F;*" rel="nofollow">http:&#x2F;&#x2F;*&#x2F;*</a>. Instead, we can simply request data access for <a href="https:&#x2F;&#x2F;*.pushbullet.com&#x2F;*" rel="nofollow">https:&#x2F;&#x2F;*.pushbullet.com&#x2F;*</a>, <a href="http:&#x2F;&#x2F;*.pushbullet.com&#x2F;*" rel="nofollow">http:&#x2F;&#x2F;*.pushbullet.com&#x2F;*</a>, and <a href="http:&#x2F;&#x2F;localhost&#x2F;*" rel="nofollow">http:&#x2F;&#x2F;localhost&#x2F;*</a>. This is a huge reduction in the private data our extension could theoretically access. A big win!</i><p>While I agree with the larger part about the lack of transparency of what they want you to fix, this is an amazingly huge oversight, and the fact that the extension review process got an established, popular extension to go &quot;Wait, we don&#x27;t actually need to request access to every website ever&quot; is a point <i>in favor</i> of the review process - and, unfortunately, a (weak) argument in favor of the review process taking the attitude that they get lots of crap and don&#x27;t have the time to explain to all the authors of crap what they&#x27;re doing wrong. How did the extension ever ask for this <i>in the first place</i>?<p>Also why do you need <a href="http:&#x2F;&#x2F;localhost&#x2F;" rel="nofollow">http:&#x2F;&#x2F;localhost&#x2F;</a>? Is the extension running a web server on localhost with native code? If so, can you use the specific mechanism&#x2F;permission for communicating with native code via a subprocess (because it turns out communicating with a web server on localhost is very hard to do securely)? If not, what&#x27;s it for?<p>I&#x27;m sympathetic to the broader argument here, but given the provided information, all of this is consistent with an extension that <i>should</i> be kicked off the app store within 14 days.<p>(Among other things, if you have an approved extension with <a href="https:&#x2F;&#x2F;*&#x2F;*" rel="nofollow">https:&#x2F;&#x2F;*&#x2F;*</a> permissions and active users, malware authors will offer to buy your extension for a very high price. So it&#x27;s definitely in the public interest to make sure there are as few of those as possible and that they&#x27;re only in the hands of people who have the ability to understand why the friendly person offering them way too much money for their extension isn&#x27;t just being nice.)

For people focusing their comments on this particular extension + the permissions it asks for, please take a quick look at the numerous recent posts in the official forum for Chrome extension developers to see it&#x27;s not an isolated issue:<p><a href="https:&#x2F;&#x2F;groups.google.com&#x2F;a&#x2F;chromium.org&#x2F;forum&#x2F;#!forum&#x2F;chromium-extensions" rel="nofollow">https:&#x2F;&#x2F;groups.google.com&#x2F;a&#x2F;chromium.org&#x2F;forum&#x2F;#!forum&#x2F;chrom...</a><p>It&#x27;s a systematic issue that isn&#x27;t specific to anything Pushbullet is doing and it&#x27;s been like this before the pandemic:<p>- Reviews can take up to 3 weeks. This in alone would be crazy enough if you have an urgent bug to fix.<p>- Rejection emails are vague and don&#x27;t tell you what to fix.<p>- After you guess at what to fix, you&#x27;ve then got to join the up to 3 weeks review queue again.<p>- If you try too many times, your extension gets pulled.<p>- On top of this, they&#x27;ve recently disabled new Chrome Web Store paid items, and user reviews.<p>Can anyone from Google escalate this and help extension developers? I can&#x27;t speak for everyone but there&#x27;s lots of complaints in the forum and little action beyond &quot;we hear you and are looking to improve things&quot;.

Different extension developer here. The Chrome Extension store ecosystem has become a nightmare for developers over the past year. Some items:<p>- Extension review times have gone from 1 hour to a variable amount of time ranging from 1 minute to 3 weeks or longer (try to plan a release or spot fix an issue when you have no idea how long it will take for a deploy to reach users)<p>- User reviews of extensions have been disabled (how are you supposed to build an audience or build up trust without reviews?)<p>- Manifest v3 was announced (this was actually longer than a year ago) which will completely break many types of extensions. Over a year later, it is still on the horizon but the beta releases of it are buggy so it is hard to even try to adapt to it at this point.<p>- Persistent extension related bugs in Chrome are not being fixed and new regressions are being introduced breaking previously working extensions (which you then need to rush out a fix for but good luck with that when the reviewers may take weeks to approve the update)<p>- Chrome is exploring hiding extensions by default so they no longer will show up automatically by the omnibar when you install them (say hello to a huge amount of confused users who don&#x27;t know where your extension went)<p>I understand the Chrome team is trying to address a user trust and fraud issue with extensions and we are grateful for that. However, the Google extension team appears to be massively understaffed and are having huge issues managing and evolving the ecosystem.

I think the interpretation that Google does this because it does not want to compromise the review process to malicious extension authors is a very generous one. As others pointed out, a motivated enough entity could very well be probing the system using multiple submissions (sure it gets your account banned, just use several accounts).<p>No what is really going on is that Google wants the ability to reject an app for any reason without actually having to give the reasons. To for example protect a business interest.<p>The only reason for not making a transparent decision process is because you want to keep the ability to make decisions that don&#x27;t follow the rules you set.<p>To the people saying that we should keep rules secret so that malware authors can&#x27;t work around the rules, I ask: the same argument applies to laws, but most people agree that we want transparency. So what makes this different in principle? (I understand that Google might not have an obligation, but you are saying that they do the right thing)

I think folks are drastically missing the forest for the trees here. This is just one minor example of the INSANE process that is now the Chrome Approval Process. I&#x27;ve seen extensions go for many months getting random rejections with no reason given.<p>This forces developers to GUESS as to what is wrong. Want to try and develop according to a roadmap or timeline- forget about it. There is no &quot;app store&quot; approval process that conducts itself in this way.<p>Fact is Chrome is 80% of the market so Google doesn&#x27;t worry about competition. If Google Chrome is broken- then the internet is broken. It harms new entrants trying to develop and innovation.<p>After the 2nd or 3rd rejection- have a HUMAN intervene. Explain what is wrong. Devs are more than happy to make the changes. But you can&#x27;t do this &quot;make you guess&quot; bullshit.<p>DOJ and EU need to get involved. Someone at Google with their wits about them and revamp the whole process. It&#x27;s a travesty against the developer community and should be fixed ASAP. Also from what I hear they need to start with new LEADERSHIP.

I&#x27;m in the same boat. My open source chrome extension[1] has just been taken down[2] after several years of no complaints because it apparently violated content policies related to nudity and pornography. Say what? Well, I guess you could view _any_ image using my extension, including nudes. Isn&#x27;t that the problem with most other extensions which could be used on porn sites, like editing cookies, etc? I&#x27;ve submitted it for re-review but I&#x27;m not holding much hopes.<p>[1] <a href="https:&#x2F;&#x2F;github.com&#x2F;extesy&#x2F;hoverzoom" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;extesy&#x2F;hoverzoom</a> [2] <a href="https:&#x2F;&#x2F;github.com&#x2F;extesy&#x2F;hoverzoom&#x2F;issues&#x2F;512" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;extesy&#x2F;hoverzoom&#x2F;issues&#x2F;512</a>

I&#x27;m also an extension developer, and Google has done this to me a few times too. We request permissions specifically for what we need, and our extension is unlisted and can only be installed from our website.<p>Google is a bully, and they use their size and the threat of permanently removing access to your Google Account (and family photos) to terrorize small players without cause.<p>How many people would Google need to hire to provide email support for extension review for extensions above a certain size? It can&#x27;t be a huge dent in their budget.

Chrome extension developer here.<p>Google ripped my Chrome extension off the app store about a month ago.<p>I got a similar cryptic message, and then I scrambled to fix it, like you&#x27;re doing now. Somehow my extension reappeared the next day.<p>Email me pat [at] trypigeon [dot] co and I can send you some of the things I did that maybe have helped.<p>Tweeting my support as well: <a href="https:&#x2F;&#x2F;twitter.com&#x2F;thepatwalls&#x2F;status&#x2F;1260638967793242113" rel="nofollow">https:&#x2F;&#x2F;twitter.com&#x2F;thepatwalls&#x2F;status&#x2F;1260638967793242113</a>

Does your browser extension really need to access localhost&#x2F;* - as in, port 80 on my local machine? That would make me very uncomfortable about installing the extension.<p>Would it be possible to restrict the extension to accessing a specific port or endpoint that is used by PushBullet?

lol.<p>We have the same problem, but on the Google Play Store.<p>We have an brand name app used by millions of people. We uploaded an update where the only change was a new Firebase library.<p>Google rejected the update for vague reasons (“violation of Google Play policies” but not telling us which one).<p>Appealing the rejection, the CSR just pasted the vague policy thing back at us. We asked for more information and they just closed the ticket.<p>So we took the exact build that was accepted, incremented the version number, and uploaded that. Rejected again.<p>And there’s no real human to talk to.<p>No idea what’s going on at Google.

Another happy PushBullet user here. Extremely useful for receiving text messages from my phone while on my laptop, especially for web apps that insist on sending security codes that way instead of TOTP.<p>This sort of behavior from Google really is infuriating. How they can just decide to boot an app from the Chrome Store that is installed by over a million users is mind-boggling.<p>It&#x27;s a pity that Chrome doesn&#x27;t allow extensions to be installed from the new Edge store, like Microsoft allow Edge to install extensions from the Chrome store. With both built on Chromium, that could&#x27;ve potentially been a workaround (though you may want to consider adding this extension to the Edge store anyway).<p>Hopefully someone from Google will see this and stop the madness or be able to provide more details on exactly what needs to be done, though I wouldn&#x27;t bet on it.

I got the same notification yesterday morning for my own open-source extension HabitLab ( <a href="https:&#x2F;&#x2F;habitlab.stanford.edu&#x2F;" rel="nofollow">https:&#x2F;&#x2F;habitlab.stanford.edu&#x2F;</a> ) - same vague request for &quot;you&#x27;re not using the minimal set of permissions&quot; without mentioning what permissions they want me to stop using (HabitLab is already using the minimal set of permissions for the features it implements - any removal of permissions would have to be done at the expense of reduced functionality). Emailing just results in them sending me a link to the policy. So this is definitely not an isolated case.

We spend a quite a bit on Google Ads yet they seem to refuse devoting even a few minutes of a knowledgable support staff’s time to our account—even when we’re trying to figure out how to give them more money. For 1-2 years our product shopping ads never displayed and we couldn’t get anyone to tell us why. One day, it just started working by itself (perhaps some engineer pushed a fix).<p>Contrast this with their sales strategy of aggressively making a human call me every quarter to try to up my budgets. I’m not sure why they are so against helping people succeed with their products...<p>It’s like they are allergic to manual human processes (unless it’s sales).

It is a common theme with Google, what they do makes sense, but communication is impossible.<p>I don&#x27;t know if it is an artifact of overusing machine learning &quot;our neural network trained on a variety of malware gives your app a score of 4.3, you have 15 days to get it down to 4.0&quot;. How is that calculated? No one knows, maybe you shouldn&#x27;t use the location permission if your icon is red and your domain is not in .org, or something like that.<p>Or maybe it is a form of security by obscurity. Or maybe they just don&#x27;t want to pay for people to support you. Who knows?

Slightly related, Google is also tightening up Android 11 location permissions (with good reason). In this blog post[0] they outline a process for getting approval that was supposed to be underway by the start of May.<p>So far I have not been able to locate this form nor have I been able to find any Android developers who have.<p>If anyone here knows where it is or what the deal is, please let me know.<p>[0] <a href="https:&#x2F;&#x2F;android-developers.googleblog.com&#x2F;2020&#x2F;02&#x2F;safer-location-access.html" rel="nofollow">https:&#x2F;&#x2F;android-developers.googleblog.com&#x2F;2020&#x2F;02&#x2F;safer-loca...</a>

Those rejection emails are most likely sent by an AI. If you reply back and ask them to specify exactly what is wrong, you&#x27;ll get the same generic email back. Ask again, and they&#x27;ll send the same generic response without any details or comments written by a human. They simply can&#x27;t specify the problem at all. That&#x27;s how you know you are talking with an AI, not a human.<p>The correct way to respond to those rejection emails is to ask for a &quot;human being&quot; (this is the keyword that works) to review the case. Also explain in the email why there isn&#x27;t anything more you can do (if you have done every possible fix already).<p>As a side note, when AI systems get more common, this will be a common nightmare for regular people. When an AI makes an incorrect decision regarding you, no-one can check the code why it happened because the code doesn&#x27;t exist. All we may have are some weighted matrices and neural network data as bunch of numbers.

Google are cutting the branch they are sitting on. I only use Chrome because certain extensions are not available on Firefox. During all these years, they&#x27;ve become impossible to deal with. I open Chrome with 10 tabs and after a couple of hours it&#x27;s using gigabytes of RAM. From a thin client, it became the thickest client in the visible universe. It&#x27;s time to consider options... not that there are many.

I just want to mention this is why I believe Google will never be able to compete with AWS, or otherwise be credible in the B2B space. You&#x27;re relying on automated systems which can take down your business on a whim, with no recourse.<p>Where I work uses Office 365, which is a horrible, horrible technology compared to Google Suite, but I can&#x27;t, in good faith, argue for switching to Google. It&#x27;s not a company I&#x27;d ever rely on in a business setting.

Consider yourself lucky that your extension wasn’t pulled after 1 day. I received a 7-day notice on a Sunday and complied same-day. My extension was pulled the next day, and I received an email stating that 7 days had elapsed.<p>I managed to get reinstated because I know people on Chrome’s accessibility team who promote my extension, but even with that assistance it was still months before I could push a new version without going into purgatory.<p>FWIW, I’ve had even more issues on Firefox. It’s like they’re in a competition with the App Store for “most opaque review process”.

We went through the same problem at Superhuman (and as I write our latest extension update has been pending review for 2 weeks, so maybe we&#x27;re about to hit it again).<p>Simeon on the mailing list was quite re-assuring, and I would recommend reaching out to him, though there are limits to what he can help with.<p>That said we found that the review process is quite arbitrary, resubmitting may work simply because you get a different reviewer. (We&#x27;ve seen identical copies of the extension with different version numbers where one was approved and one rejected).<p>We&#x27;ve also observed that they use some kind of automated code-analysis to tell whether or not you&#x27;re making use of the permission; so you may want to check that it&#x27;s obvious from the code included in the extension bundle that you need the permissions you&#x27;re asking for.<p>We&#x27;ve also hypothesized that they apply different standards to extensions depending on the number of users – our staging extension (~50 users) usually gets approved quickly, but our production extension usually takes a while and is less likely to be approved. (This may just be luck of the draw coupled with arbitrariness though)

Google really sucks at customer service. Like they either don’t get it or they’re so far up their arses that they think fancy AI algorithms will magically fix it.<p>They are the most inhuman tech company I have dealt with out of the big 3 clouds.<p>I have a similar experience. I am trying to get an oauth consent screen approved. It’s a simple thing. It takes up to a week for someone on their side to reply and it’s mostly one vague sentence. They don’t give a full list of what needs to be done. I’ve been at it for more than a month. It’s like they really don’t give a shit about how much time you’re sinking to make things work with their services.<p>I have a love&#x2F;hate relationship with Google. On one side they know how to keep things reliable like google search, on the other side they need to stop doing a 100 million things and do 10 things really well and maintain it for eternity.<p>If someone eats Google’s Search lunch, they are done for.

Ironic reading this today. Got locked out of an old gsuite we manage for someone on Monday because I typed the recovery mail wrong 3 times...omg what a crazy battle to follow their recovery process.<p>Sent them sooo much proof, answers, cname changes, invoices, emails, etc etc, but still get the same canned response back.<p>The weird thing is I never got a single notification on the recovery mail that unauthorized access was attempted and that the account got locked.<p>Honestly I feel like such a dumb ass for making our company use gsuite now. I don&#x27;t think I&#x27;ll ever recommend a google product to anyone again.

This happened to me, too. After emailing customer support several times asking for clarification, and getting the same uninformative answer every time, I decided to take down the (free) extension (which had 20,000+ users) rather than risk having my developer account deactivated for uploading a rejected extension too many times.<p>I use Pushbullet every day, and would be gutted if it were killed for such a ridiculous reason as this.

the corporate gorilla beats its chest, demanding you comply!<p>But with what, it does not say ¯\_(-_-)_&#x2F;¯

&gt; The other opportunity is the tabs permission. This permission lets extensions see what tabs are open. Pushbullet uses this permission to avoid opening new tabs for websites that are already open when mirrored notifications are clicked. This is a small sacrifice to make to let go of a big permission. Let’s let it go!<p>No, that &quot;small sacrifice&quot; sounds super annoying! I don&#x27;t use Pushbullet, but if I did and this got removed in an update, I&#x27;d be pissed off! At least leave it behind an optional checkbox.

The fact that they were requesting <a href="https:&#x2F;&#x2F;*&#x2F;*" rel="nofollow">https:&#x2F;&#x2F;*&#x2F;*</a> and <a href="http:&#x2F;&#x2F;*&#x2F;*" rel="nofollow">http:&#x2F;&#x2F;*&#x2F;*</a> (i.e. full control over all your accounts) without it being absolutely necessary reflects terribly on them.<p>Still not clear why localhost (which can mean root access to the local machine since it may have localhost-only services that enable that) and cookies access is needed, also <a href="http:&#x2F;&#x2F;*.pushbullet.com" rel="nofollow">http:&#x2F;&#x2F;*.pushbullet.com</a> is unnecessary since they should always use HTTPS.<p>If they had properly implemented the extension they may not have this problem now.

We had a similar interaction with the Chrome Web Store out of the blue. After a few maddening rounds of requests for clarification and nonsensical canned responses, I finally just gave up and accused them of gaslighting me. Our extension was restored the next day, of course with no explanation for the ordeal.

If you are an engineer those type of stories should make you rethink your usage of Google Chrome. Chrome having so many users empower them to implement those type of nonsensical policies.<p>As said in other comments it is trivially easy to switch to Firefox (or any other browser you feel that fits your needs better).

This is scarily reminiscent of Facebook&#x27;s App Review process. We submitted 8 identical Apps that, functionally, are just webhooks for Messenger events. All required documentation, justification for the two permissions we needed, screen casts, and test login credentials were submitted for the reviewers.<p>3 were approved. 5 were rejected - all for different reasons.<p>Re-submitted the 5 with no changes; 2 more got approved. Two were rejected again. One was rejected with a firm reprimand for making an identical submission (must have hit the same reviewer).<p>Shuffled some words, re-recorded a couple videos - 2 more approvals, 1 rejection.<p>Re-submitted the last outlier without changes - Approved.<p>We are very weary of playing Facebook App Review whack-a-mole.

A little bit meta here but these words are true even today :<p>Suddenly, 20% meant half-assed. Google Labs was shut down. App Engine fees were raised. APIs that had been free for years were deprecated or provided for a fee. As the trappings of entrepreneurship were dismantled, derisive talk of the “old Google” and its feeble attempts at competing with Facebook surfaced to justify a “new Google” that promised “more wood behind fewer arrows.”<p>…The old Google made a fortune on ads because they had good content. It was like TV used to be: make the best show and you get the most ad revenue from commercials. The new Google seems more focused on the commercials themselves.<p>— James Whittaker, Why I left Google

Have been through a similar experience.<p>Developing extensions for Google Chrome is a particular form of masochism. They really don&#x27;t seem to care. And things took a turn for the worst last December when the approval process went from hours to weeks.<p>Check out the Chrome Google group for a sample of the lost souls who hitched their wagon to the Chrome platform and now cry futilely into the abyss for support: <a href="https:&#x2F;&#x2F;groups.google.com&#x2F;a&#x2F;chromium.org&#x2F;forum&#x2F;#!forum&#x2F;chromium-extensions" rel="nofollow">https:&#x2F;&#x2F;groups.google.com&#x2F;a&#x2F;chromium.org&#x2F;forum&#x2F;#!forum&#x2F;chrom...</a>

This is a good extension but here is a cool hack I&#x27;ve discovered that let&#x27;s you do this anywhere without any chrome extensions:<p>- Create a new whatsgroupp called &#x27;ping self&#x27; and add your friend to it.<p>- Then kick your friend out from this group<p>- Open web.whatsapp.com and now you can access your messages, files, photos across any device anywhere, anytime! (telegram also does this and allows file up to 1gb)

Thanks for posting this publicly. I’m all for the general idea of reigning in unnecessary data collection&#x2F;prioritizing user privacy, but sometimes you just need certain features to make things work!

I am the proud recipient of <i>many</i> Apple rejection notices from the App Store (I have been releasing iOS apps since 2012). I have not had an app pulled, but I have had many rejections to submitted apps (the latest were received yesterday).<p>In all of the notices, Apple is usually quite explicit in what the problem is, including attaching screengrabs, and they will respond, if I ask them for further clarification.

I went through the same hell a year ago [0]. My extension [1] now has 60k users (covid added 10k users in 1 month) and I&#x27;m also afraid that any insignificant update would trigger this hell.<p>I&#x27;ll contact PushBullet with a possible way forward (PB, if you&#x27;re reading this -- contact me). Anyone else in this situation: my email is in my profile.<p>[0] <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=20186915" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=20186915</a><p>[1] <a href="https:&#x2F;&#x2F;chrome.google.com&#x2F;webstore&#x2F;detail&#x2F;dictation-for-gmail&#x2F;eggdmhdpffgikgakkfojgiledkekfdce?hl=en-US" rel="nofollow">https:&#x2F;&#x2F;chrome.google.com&#x2F;webstore&#x2F;detail&#x2F;dictation-for-gmai...</a>

Any reason that Google doesn&#x27;t give reasons and ways to comply?<p>I haven&#x27;t ever had to deal with a Google person regarding Android development, but when I built stuff for Blackberry (miss that company), they always provided nice and detailed feedback. Blackberry famously let legal influence design, so I would be surprised if it was a cover your ass thing.

Google has 70% market share. If Chrome is broken- innovation nd the internet is broken.<p>If we really want to fix this. 1. Use Survey Monkey to collect info from other developers having issues (which is like all of them). 2. Isolate instances of severe delays, inability to innovate, harm to business, negligence etc. 3. Send to DOJ and EU Antitrust

I’m surprised Google et al. haven’t been forced to make more contractual disclosures at the time of a user submitting an extension or app.<p>Absent blaring warnings like “you understand that if you build any type of business on this platform we reserve the right to destroy it at any time for any reason”, it’s pretty hard to see how users had any ability to understand the implicit and explicit contracts they were entering into.<p>This isn’t much different than “Nathan for You” style hiding of onerous terms deep in hilariously small fine print, and judges tend not to look fondly on such games.

This is concerning. Shouldn’t Google’s store have a dedicated support rep for extensions above a certain threshold?

I wonder why the cookies permission is requested. It&#x27;s not needed to communicate with .pushbullet.com, as in that case the normal cookies which have been set by Pushbullet will be sent along in the extension&#x27;s requests to .pushbullet.com. It is only needed to access 3rd party cookies.

If Douglas Adams were still around, he&#x27;d put &quot;Get actual assistance from a human at Google&quot; on the list of &quot;Recreational Impossibilities&quot; in the Hitchhiker&#x27;s Guide, right after &quot;Get the Brantisvogan Civil Service to acknowledge a change of address card&quot;.

What kind of people make these decision at Google? Engineers? Or did they automate everything with &quot;machine learning&quot;?

Another long-term PushBullet customer here.<p>Anyone at Google who is listening- this kind of behavior <i>kills</i> my desire to continue using your products dead. I <i>need</i> functionality, of the type PushBullet has provided for years, to do my work. The recent nerfing of ublock origin has already had me feeling iffy on things. Behavior like this is simply unacceptable. If you want people to use your services, you need to have some way to communicate. Period. &quot;If you use our tools, we can kill your livelihood at any time for any reason and tough shit if you want a why&quot; doesn&#x27;t exactly inspire, you know?

From a comment by Baeocystin:<p>&quot;If you use our tools, we can kill your livelihood at any time for any reason and tough shit if you want a why&quot;<p>It has always been thus with proprietary tools and platforms.<p>Back in 2011 I switched careers from developing software on proprietary stacks - at the time C# 4.0, Silverlight, and MS Windows - to developing on open source stacks, starting with Ruby on Rails and JavaScript.<p>A short time after I switched away from Silverlight, I found a bug in the open source XML library my team was using. I then submitted a PR to fix it, which was merged (with some revision :)) after a few days. The experience was a revelation after the combination of magic 8 ball and years-long wait times for non-critical bug fixes on Visual Studio.<p>It looks like the younger generation is busy rediscovering the vulnerability and helplessness of proprietary systems themselves.

As a daily Pushbullet user, thank you for posting this! It&#x27;s maddening that the best way to escalate a Google customer service issue is social media.

We tried to create an android app and we never were able to got it submitted. We never figured out why and just gave up.<p>I’ll never again try to create a business around an environment outside our control. Both Google and Apple are complete black boxes.

The lesson here:<p>Building a business off someone else’s platform is easier because it provides a built-in distribution channel.<p>However, when you don’t own your distribution, it means your business can be shut down by the decision of one person at X company.<p>It turns out, all decisions have trade-offs.<p>If you want to have a real business, don’t do the above, or only do the above while getting started.<p>Developers hate having to deal with distribution. Platforms exploit this by creating these fantasy worlds where developers don’t have to think about it.<p>This is a mirage. You have not created an “easier” business. You’ve simply sold your soul to the devil.

The fact that this team realized so simply that they shouldn&#x27;t be reading data on every site the user visits while the extension is installed is deserving of a vague response from google. Sad really.

I wonder if they got caught up in google removing &quot;creepware&quot; recently and notification mirroring might count. &quot;CreepRank algorithm can identify apps with features that can be abused to extract SMS messages from a device, spoof another user&#x27;s identity in IM&#x2F;SMS chats.&quot;<p><a href="https:&#x2F;&#x2F;www.zdnet.com&#x2F;article&#x2F;google-removed-813-creepware-apps-from-the-android-play-store&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.zdnet.com&#x2F;article&#x2F;google-removed-813-creepware-a...</a>

&gt; clipboardRead<p>I bet that this is it. Clipboard data is <i>extremely</i> sensitive, as it can often contain passwords.

As much as we can criticise Google&#x27;s handling of this situation, the fact that the developer was able to reduce permissions from accessing data on _all websites_ down to _their website_, as well as tighten up a few other permissions, shows that Google is correct that the extension is asking for more than it needs.<p>I hope the developer finds another load of permissions they can tighten up, resubmits, and is approved. As long as it results in permissions being more correct this is a very positive thing for users because for every PushBullet there&#x27;s hundreds of attempts at malicious Chrome extensions that are abusing permissions.

I went to look at what pushbullet does since I&#x27;m not familiar with it--in this day and age, &quot;bullet&quot; is a fearsome term so I wanted to make sure that wasn&#x27;t the cause of google&#x27;s alarm.<p>The personal information security concern I had is that it seems that pushbullet shovels all sorts of data from Chrome to the pushbullet server and then routes it to, pushbullet says, my other devices while respecting my privacy. While I don&#x27;t doubt that pushbullet is an honest broker of my data, it&#x27;s doing all this outside of google&#x27;s purview. For somebody to spy on my data, they wouldn&#x27;t need to break into google&#x27;s ecosystem, they&#x27;d just need to break into pushbullet&#x27;s.<p>I&#x27;m not disagreeing with all the other comments here about big bad google, I already think they are bigger and badder than everybody else here does.<p>And I&#x27;m not at all sure that what I&#x27;m pointing out has anything to do with google&#x27;s motivation here (I liked the comment that said that this app is a threat to their walled garden), I&#x27;m just pointing out my impression to try to be helpful to OP in figuring this out.

I&#x27;ve been using Pushbullet in FF and on my iOS devices for years, but need to find a replacement as the app was removed[1] from the App Store.<p>[1]<a href="https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;PushBullet&#x2F;comments&#x2F;eirc1m&#x2F;not_available_on_ios&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;PushBullet&#x2F;comments&#x2F;eirc1m&#x2F;not_avai...</a>

This is awful. I&#x27;m going to send GCP support a message with the small hope that someone can flag it up to the right team.

Just remove access to <a href="http:&#x2F;&#x2F;localhost" rel="nofollow">http:&#x2F;&#x2F;localhost</a>. This is a huge overreach in permissions, and honestly as a user I would feel violated by that. I have shitloads of things that I can lauch myself on localhost on custom ports, and no-thank-you I do not need to open them to some app.

LONG term Pushbullet user here, big proponent of their services. I use it on Firefox myself so this doesn&#x27;t affect me personally but still there are few services I will strongly advocate for. Pushbullet is one of them. Google, if you&#x27;re listening this is going to make a lot of users very unhappy.

I went through this on a side project and just let them kill off my public listing for now. I had the same thought process in terms of what I could change however my extension made use of InboxSDK and had access to GMail and I&#x27;m still concerned it might not make it through review...<p>Anyone else using InboxSDK in a Chrome extension and didn&#x27;t get killed off by this change?<p>My extension hooks up the address book from a SaaS project (school information system) to GMail so faculty&#x2F;staff can quickly look up parent contact information or send to special group email addresses that broadcast out to part or all of the school. The people using it were very happy to have it but I could conceivably go back to a private chrome extension if that is still allowed.

This is just completely disingenuous from Google.<p>&gt; - Request access to the narrowest permissions necessary to implement your product’s features or services.<p>&gt; - If more than one permission could be used to implement a feature, you must request those with the least access to data or functionality.<p>&gt; - Don&#x27;t attempt to &quot;future proof&quot; your product by requesting a permission that might benefit services or features that have not yet been implemented.<p>My first thought was &quot;oh it would be NICE if G actually enforced these&quot;. But the truth is that they&#x27;re not. One glance at the Android Play store, and it&#x27;s abundantly clear that Google is letting shitty apps request whatever unnecessary permissions left and right.<p>Literally the top flash light app requires &quot;full network access&quot;, GPS precise and approx location, &quot;view network connections&quot; and &quot;receive data from internet&quot;.<p>It&#x27;s complete bullshit, Google isn&#x27;t policing these permissions at all, but just using it as an arbitrarily enforced rule.<p>It&#x27;s pretty clear what the incentives are. Android already has a flashlight, but this one has ads, harvests and sells your data, and uses Google Play Billing Service. Win for Google. On the other hand, there&#x27;s PushBullet, which gives users more control and this is key, <i>the option to use a platform that is not controlled by Google</i>. It has nothing to do with user privacy.<p>And the whole nice thing about these permissions is that they are <i>granular</i>, this means it should be trivial to point out which one is wrong or better and why, like an error message. That is not &quot;gaming the system&quot;, it&#x27;s literally what these permissions are for.<p>This is also <i>clearly</i> not an automated scanning process that PushBullet accidentally got hit by. Because it would have to have been a <i>very</i> slow running process, given the heaping amounts of trash in the Play Store. And then it just happened to pick PushBullet instead of the Flashlight app that has 50 times more downloads??

&gt; Once you have made these changes you may submit and publish a new draft in the Chrome Web Store Developer Dashboard.<p>&gt; Your draft will then be reviewed for policy compliance. If the outcome of the review is successful, your existing store listing will get replaced by the approved draft. However, if the new draft fails to comply with our policies, both the draft and the existing store listing will be removed. Please note that the rectification window expires the moment a new draft is submitted. After this point, you will not be able to make iterative changes regardless of the days remaining in the warning period.<p>Holy fuck, that&#x27;s insane. You get one shot; if you miss, game over.

Counterpoint: there is a team within Google that got it right at least once. We have live import&#x2F;export integration with Google Sheets and this requires additional OAuth scopes. The request for justification they sent was polite, specific about the scopes of concern (and why), and with no hard deadline. Our response was handled politely and promptly.<p>I realise the GCP API team may not be dealing with as big of a swamp as a consumer-facing apps group, but it was nevertheless one of those few occasions when Google left me with an impression other than overwhelming hubris. It was more like talking to AWS service teams, or Cisco TAC when you have a CCIE on staff.

You are the victim of an algorithm. No people and no accountability, thats how they roll.

I&#x27;d been in a similar issue on the Android store and found that the best solution was to try to game whatever bot is flagging you. Support was completely unable to provide clarity and getting escalated by internal Google employees just led to more unhelpful emails from higher levels of support.<p>I was positive that I was in compliance but I could also see that a bot was flagging something. So I kept tweaking code and resubmitting. Eventually what worked was taking the offending code block and hiding it at the server level.<p>It&#x27;s such a face palm. I literally call out to the server to run some logic that should be completely safe to run in the app.

2020 and our browser privacy handling is like MS-DOS.<p>Why the hell I can&#x27;t disable all extensions when I enter my bank account or insurance page? As far as I know Firefox containers are close but still no fine grained control over extensions.

I haven&#x27;t used Pushbullet in depth but on first glance it doesn&#x27;t seem like a browser extension at all. It looks more like a standalone chat app <i>that happens to be running in the browser</i>. It has nothing to do with enhancing the browsing experience, except for a share-link feature?<p>Google might not want to make Chrome the browser into an OS.<p>If i were Google i would also be skeptical when such standalone apps wants to read my browser cookies or access my <a href="http:&#x2F;&#x2F;localhost" rel="nofollow">http:&#x2F;&#x2F;localhost</a>. Actually i think cookies is the violating permission here.

I understand that with many spam-related heuristics, a company like Google chooses not to share exactly why a site or e-mail server is blacklisted -- because an actual spammer can evade that metric and still get away with everything.<p>But I don&#x27;t believe that thinking applies whatsoever to apps or extensions. There are far fewer of them and parties need to work together. It&#x27;s unfathomable to me why Google doesn&#x27;t point out which specific permissions a reviewer has flagged as suspect, or given an option for the developer to give the justification specific to each option.

These folks also do the same thing for Adsense on sites. For a site, I am running for a long time. 10+ years. And earned multiples of 100ks worth of revenue from it.<p>They sent a vague email, regarding violation and suspended Ad serving. Never ever had any issue before.<p>I can only suspect that their policies have changed because of the current pandemic. But isn&#x27;t it disingenuous, in that case. Similar to laying off an employee, and cooking up a shady reason for it.<p>They will only make me kill the business, which in turn will stop payments (reduce significantly) to AWS. Thereby enabling more slow down.<p>Very very unhappy with them.

&gt; This may also result in the suspension of related Google services associated with your Google account.<p>Get all your emails off gmail ASAP, pushbullet developers. It may be more than your extension that gets nuked.

I have made an extension and am getting the exact same complaint whenever I submit updates. Luckily, old versions are still up though.<p>Link: <a href="https:&#x2F;&#x2F;chrome.google.com&#x2F;webstore&#x2F;detail&#x2F;mnjggcdmjocbbbhaepdhchncahnbgone" rel="nofollow">https:&#x2F;&#x2F;chrome.google.com&#x2F;webstore&#x2F;detail&#x2F;mnjggcdmjocbbbhaep...</a><p>It only has access to 2 domains, it doesn&#x27;t have the tabs permission and it uses optional permissions for everything else.<p>I think it is just an automated issue due to covid-19, and I guess I might just have to wait until then.

If Google doesn&#x27;t want extensions to have a certain permission, why don&#x27;t they just kill it globally in Chrome?<p>And if some apps can have permission X but others can&#x27;t, there should be clear guidelines.

A bit late to this thread but this is happening to my chrome extension right now. No idea why, I have 10,000+ users and the chrome support team just keeps emailing me the same statement with different items highlighted in bold, saying it doesn&#x27;t work and the description isn&#x27;t accruate.<p>a) It does work<p>b) The description is accurate<p>I have no idea what they want me to do and I don&#x27;t have time to try and guess.<p>I don&#x27;t get paid for my extension, so I&#x27;m just going to redirect everyone to the FireFox version now. The Chrome store will be poorer without it and that&#x27;s on them.

Is that why universal cut &amp; paste has been flakey? I am dropping all Google stuff. They recently killed my Alexa Skill on Android (Samsung S9). With everything google deleted or permissions denied on my phone, they still hijack the word &quot;contact.&quot; Try saying, &quot;Alexa launch Contact Ski Man.&quot; Still works with Alexa on iPhone, but how do you use a smartphone without back button? We have reached the point where it is time to throw the baby out with the dirty water. Say, &quot;Hey FireFox!&quot;

I have an app that was falsely flagged as malvertising by Google Ad Manager. Also got a generic message with no insight into the specific problem.<p>It was only because I had a point of contact at Google with actual influence that I was able to resolve the issue (and they did, miraculously). If you don&#x27;t know a human, Google&#x27;s automated systems can more or less destroy your app or business for Google product users, which is pretty much everybody. G is a big, multi-headed beast. Not evil, but worse - indifferent.

It seems like everyone in here suggesting a switch to Firefox is missing the point. The Pushbullet team has already stated that having this Chrome extension pulled might mean the end of Pushbullet. So I&#x27;m going to trust that they know their own business well enough to make that statement.<p>I actually already use Firefox and their Firefox extension. But it won&#x27;t matter that I&#x27;m savvy enough to do this if losing enough users from having the Chrome extension killed is enough to kill the larger business.

My guess is &#x27;cookies&#x27;. You really shouldn&#x27;t need access to (say) the user&#x27;s Google cookies. I don&#x27;t expect Google likes extensions doing that without good reason.

I too have deGoogled as much as I can, but I’m hesitant to jump on the hate wagon for this one.<p>Consider the counter factual - what if google was highly specific about the changes required? Clarifing the boundaries of what’s allow is prone to abuse. This is the same reason why the search algorithms are not explicitly published, but only the spirit is explained.<p>I would say this is the best solution when there are no perfect solutions.<p>Perhaps the 14 day period could be longer, but that’s another point of contention.

Don&#x27;t they call this a &quot;marketplace&quot;? If so,the Regulator is the FTC not the FCC.<p>If they walk like a duck and call it a duck then talk to the duck hunting authority?

Similar story published around the same time as this one... (<a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=23183742" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=23183742</a>) <a href="https:&#x2F;&#x2F;joaoapps.com&#x2F;join-chrome-extension-in-jeopardy-google-wont-tell-me-why&#x2F;" rel="nofollow">https:&#x2F;&#x2F;joaoapps.com&#x2F;join-chrome-extension-in-jeopardy-googl...</a>

I&#x27;m in exactly the same situation. It&#x27;s impossible to know what they are after and my extension has a fraction of the permissions that you have.

I stopped using pushbullet because I realised its access made me a bit uncomfortable, but had I had the &#x27;So, can we cut any of these permissions?&#x27; paragraph to read at the time, that may have reassured me. Nice to see it not only being investigated (even if it took Google&#x27;s vague threat to spur it on) but positively so; seen as &#x27;A big win!&#x27;.

It seems perfectly clear to me: Google doesn&#x27;t want what pushbullet provides. They are pulling an &quot;Apple&quot; on this one.

Is there a replacement for pushbullet?<p>Long time user of pushbullet since I like to be able to text from the desktop. Google has released messages.google.com, which is a nightmare to use among various desktops.<p>Microsoft released their Phone app, which disconnects so frequently it is unusable.<p>I have no confidence Google will allow pushbullet back.<p>Is there a replacement that allows notifications and texts from the desktop?

Unfortunately this is a fancy new way of communication of tech corporations. Facebook, Apple, Google. Name one.<p>Do please us sir. Three times you shall try.<p>I would not consider any company that takes that approach as a reliable business partner.<p>Maybe it will be possible to please the platform this time. But this is a strong hint the business should not depend on the Google extension platform.<p>Escape it while you can

As the developer of an exposure notification app put on ice by Apple-Google, it&#x27;s due time to take back the freedom of the internet that made it so powerful in the beginning.<p>Is there anything happening around an all-web app phone? Seems like all the pieces are there..like native functionality in JavaScript with certain extensions.

I left Android for iOS because of this type of behavior. Google is fickle with what it&#x27;s policies and goals are.

Good. It’s clear that pushbullet has never put thought into what permissions it needs and just asked for everything

Chrome extension developers should start hosting them on Github.<p>I use a flavor of Chrome called Ungoogled Chrome (<a href="https:&#x2F;&#x2F;ungoogled-software.github.io&#x2F;" rel="nofollow">https:&#x2F;&#x2F;ungoogled-software.github.io&#x2F;</a>) and the only way to install plugins is to manually install the CRX file.

Well this is my favorite Extension, If Google kills it then how will users gets its pushbullet chat data back.

Yikes! I&#x27;ve used PushBullet for since several years and I can&#x27;t imagine not using it.<p>I can understand why Google is doing this though. They have a &quot;Send to device&quot; feature in Chrome. Killing the top 3rd party app is the perfect way to grow adoption of their new &amp; in-built feature.<p>&quot;Do no evil&quot;

I love pushbullet and I&#x27;m happy it works fine on firefox. And that&#x27;s at least partially the fix - install firefox, depend less on google chrome.<p>Hopefully that will give a signal to google that make them cherish the developers that create great functionality for them a bit more.

I think that reading all of a users&#x27; cookies from all websites is pretty privacy invading...

I know Google employees that have had their accounts on various Google Services shutdown and they couldn&#x27;t even get them back themselves. The place is very siloed, something needs to give because these nightmare scenarios keep happening over and over.

I had a friend who went through a similar, onerous process with Google which ended up killing his entire chrome extension (which had 400,000+ MAU). This iron-fisted control of the extension marketplace is not becoming to Google.

I&#x27;ve had a Chrome extension removed from the store before, I suspect because it conflicted with Google&#x27;s business model. I would be very wary of building a business on a foundation that another company controls.

No Chrome, no Google search and no Gmail as default email here.<p>Hopefully, many others will follow.

Does chrome already offer features like PushBullet? Firefox somewhat does with Pocket, so I assume chrome has something similar.<p>If they do offer something of the sort, or start to shortly, this seems like a perfect antitrust case.

I just want to take this opportunity to complain about trying to send a gmail email from a service account, which required us to use G-Suite, and still doesn&#x27;t work because it can&#x27;t generate a token.

I&#x27;m always surprised that such a in-transparent behavior is even legal for the operator of a custom marked place (or whatever you call it).<p>(I think the same about Google Play, the iOs App Store etc.)

Wait can some one please simply explain to me whats gong on here? I&#x27;m new to this but I absolutely love it! and I paid for it too. Why do all good things have to be taken away?

Normally in a lucrative but restricted market there is a regulator or ombudsman one can appeal to if one feels they have been unfairly pushed out. App stores need regulators.

I can&#x27;t wait till Google starts running contract tracing.

Robots are in control here, follow their rules and get your accounts permanently deleted if you don&#x27;t understand the robots rules and mindset...

Avoiding Google and looking into the alternatives is what took a significant part of my working hours and spare time as of the last 2-3 years.

For one, I think this is good news. I work in a field that exposes me to a lot of dubious ways to collect peoples data. Especially what they are doing in their browser. You would not believe how many pieces of software you are using daily that do this.<p>A lot of these are chrome extensions. If you are honest, then I do feel for your situation. But, I am also happy to see that Google are finally stepping this up and looking after their users by not exposing them to potentially malicious services.

When I was sixteen years I received the exact same email from Google, and was then permanently banned from the chrome web store.

This is also why I will never publish to Android Play Store. Experience is very similar, it constantly demands random changes.

Same thing happens on Google Play Store. They ask us to comply the privacy policy without giving us any guideeline :(

They don&#x27;t give shit about your 4.5 star rating. Your 4.5 star rating doesn&#x27;t mean you are the most private or most secure over there. Facebook got 4+ rating on all there apps with 1B+ users, that doesn&#x27;t mean they need access to those call logs,messages and everything on your phone. Keep you permission to the minimum, for both security and privacy. Chrome team doesn&#x27;t give shit about people like you.

Aside of youtube and search I am not using Google at all. And Chrome is on my computer only for testing.

This situation looks even worse considering Google runs a competing service (Android messages for web)

Stuff like this makes me wonder why Chrome&#x27;s security model allows things if it can be scanned and deemed unsafe. Isn&#x27;t it preferable to bake such restrictions into the extension API if Google didn&#x27;t want PushBullet to go beyond it? Why does this need to be enforced by an app store?

This kind of thing just keeps. Coming. Up. from Google and between ML black boxes making arbitrary judgements and random product shutdowns, a hard requirement for any personal projects of mine is &quot;no Google dependency&quot;, because it might vanish at any time, with zero notice or recourse.

Don&#x27;t work for free for Google. Don&#x27;t write extensions for Chrome.

Don&#x27;t relies on the Google to distribute the browser extension.

Can anyone at Google even pretend they aren&#x27;t evil any more?

i guess removing plaintext http and localhost should fix this.

Doesn&#x27;t matter. Chrome has become unusable anyway.

How about removing the permissions for HTTP and keeping the HTTPS permissions? If the problem is &quot;User Privacy Safety&quot; as the rejection suggests, this seems to be the obvious choice.

Funny, very funny. Not your keys, not your coins. Not your store, not your clients. Not your playground, not your rules. etc. etc. I sympathise, but discourage cooperating with Google.

The hypocrisy is tangible and bitter sweet.

This literally just happened to me today...

Another reason to use Firefox.

I&#x27;m not a very big fan of Push Bullet, what utility to they make? become more distracted?

Why does it require http?

even mozilla is terrible in this regard, its a losers game.

This is sad but they&#x27;re just responding to market hysteria on permissions.

Ahh the hypocrisy

It says, in the email provided, exactly what must be done: Change the required permissions - your scope is too broad.

This dude has written crappy, inefficient code and is now complaining for it. If just permissions are so inefficiently written one can only imagine, what would be the state of rest of the codebase. Badly written apps can also generate traction. Users don&#x27;t see the code quality. They rarely know the first thing about privacy and security.<p>It&#x27;s not Google&#x27;s job to teach someone to how to write good code. Good compiler can tell you what is the error, it won&#x27;t pop out a solution as well.