The Karma connection in Chrome Web Store

I was optimistically hoping some of the MV3 changes would result in Chrome webstore policy enforcement being standardized, but that hasn&#x27;t happened.<p>Sensor Tower (<a href="https:&#x2F;&#x2F;sensortower.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;sensortower.com&#x2F;</a>) makes a lot of popular extensions, like StayFocusd <a href="https:&#x2F;&#x2F;www.stayfocusd.com&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.stayfocusd.com&#x2F;</a>. They seem to resell ad data (in violation of [1]?) and ship likely obfuscated code [2] (in violation of [3]?), but there&#x27;s no enforcement or even clear reporting mechanism.<p>[1] <a href="https:&#x2F;&#x2F;developer.chrome.com&#x2F;docs&#x2F;webstore&#x2F;program-policies&#x2F;limited-use&#x2F;" rel="nofollow">https:&#x2F;&#x2F;developer.chrome.com&#x2F;docs&#x2F;webstore&#x2F;program-policies&#x2F;...</a><p>[2] <a href="https:&#x2F;&#x2F;robwu.nl&#x2F;crxviewer&#x2F;?crx=https%3A%2F%2Fclients2.google.com%2Fservice%2Fupdate2%2Fcrx%3Fresponse%3Dredirect%26os%3Dmac%26arch%3Dx86-32%26os_arch%3Dx86-32%26nacl_arch%3Dx86-32%26prod%3Dchromecrx%26prodchannel%3Dunknown%26prodversion%3D9999.0.9999.0%26acceptformat%3Dcrx2%2Ccrx3%26x%3Did%253Dlaankejkbhbdhmipfmgcngdelahlfoji%2526uc&amp;qf=content-scripts%2Fad-finder.js&amp;qb=1" rel="nofollow">https:&#x2F;&#x2F;robwu.nl&#x2F;crxviewer&#x2F;?crx=https%3A%2F%2Fclients2.googl...</a><p>[3] <a href="https:&#x2F;&#x2F;developer.chrome.com&#x2F;docs&#x2F;webstore&#x2F;program-policies&#x2F;code-readability" rel="nofollow">https:&#x2F;&#x2F;developer.chrome.com&#x2F;docs&#x2F;webstore&#x2F;program-policies&#x2F;...</a>

There was a question raised but not really answered about &quot;what do these extensions what with all this browsing data?&quot; - while it may be that they&#x27;re used for direct ad targeting (like real time ad buying against your IP address) it&#x27;s more likely that they&#x27;re selling &quot;click stream&quot; data.<p>In its most innocuous form, this is stuff like SimilarWeb (which is like a more advanced Google Trends), but in the B2B world, it&#x27;s also custom enterprise reports that are like &quot;how many people that use our bank at xyz also use any other bank at this array of domains and which are most common?&quot;

I&#x27;ve decided that browser extensions are too much of a security&#x2F;privacy risk. I just stick with 1password extension and an ad blocker extension that uses Safari&#x27;s Content Blocker API only.<p>And then from time to time I have a dedicated profile on Chrome to use other extensions that might be useful, but I don&#x27;t do day-to-day browsing there.

Is there any way to only allow chrome extensions to update with permission? It seems like any extension on the store could become malicious overnight, automatically, for millions of users.

Why is Google not policing this? Liability concerns?

I am absolutely flabbergasted at the fact that Chrome extension security is the way it is, considering how much Google spends to keep chrome secure.<p>How is it, in 2024, users can still blindly install malicious software directly into their browser from a web store with Google’s name at the top of it?<p>This goes to show even the most cautious and conscientious of users can get caught out by their extension changing hands. What, is Google expecting us to review our extensions, and their permissions, and their authors, and their authors’ associated businesses, every time we want to use our computer?<p>Additionally, are we even able to review the source code of extensions if they are not open source?

Most people aren&#x27;t (or at least feel they aren&#x27;t) able to take a hardline stance about only using free software, but if there&#x27;s one area of your digital life you should be able to apply it to, it&#x27;s browser extensions.