by Daly Barnett, EFF
Reprinted from Electronic Frontier Foundation
Under a Creative Commons Attribution License
Manifest V3, Google Chrome's soon-to-be definitive basket of changes to the world of web browser extensions, has been framed by its authors as "a step in the direction of privacy, security, and performance." But we think these changes are a raw deal for users. We've said that since Manifest V3 was announced, and continue to say so as its implementation is now imminent. Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks.
Manifest V3, or Mv3 for short, is outright harmful to privacy efforts. It will restrict the capabilities of web extensions--especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these--like some privacy-protective tracker blockers--will have greatly reduced capabilities. Google's efforts to limit that access are concerning, especially considering that Google has trackers installed on 75% of the top one million websites.
It's also doubtful Mv3 will do much for security. Firefox maintains the largest extension market that's not based on Chrome, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility. Yet, at the 2020 AdBlocker Dev Summit, Firefox's Add-On Operations Manager said about the extension security review process: "For malicious add-ons, we feel that for Firefox it has been at a manageable level....since the add-ons are mostly interested in grabbing bad data, they can still do that with the current webRequest API that is not blocking." In plain English, this means that when a malicious extension sneaks through the security review process, it is usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. A more thorough review process could improve security, but Chrome hasn't said they'll do that. Instead, their solution is to restrict capabilities for all extensions.
As for Chrome's other justification for Mv3--performance--a 2020 study by researchers at Princeton and the University of Chicago revealed that privacy extensions, the very ones that will be hindered by Mv3, actually improve browser performance.
The development specifications of web browser extensions may seem in the weeds, but the broader implications should matter to all internet citizens: it's another step towards Google defining how we get to live online. Considering that Google has been the world's largest advertising company for years now, these new limitations are paternalistic and downright creepy.
But don't just take our word for it. Here are some thoughts from technologists, privacy advocates, and extension developers who share our concern over Manifest V3:
"A web browser is supposed to act on behalf of the user and respect the user's interests. Unfortunately, Chrome now has a track record as a Google agent, not a user agent. It is the only major web browser that lacks meaningful privacy protections by default, shoves users toward linking activity with a Google Account, and implements invasive new advertising capabilities. Google's latest changes will break Chrome privacy extensions, despite academic research demonstrating that no change is necessary. These user-hostile decisions are all directly attributable to Google's surveillance business model and enabled by its dominance of the desktop browser market."
- Jonathan Mayer, Princeton University
"Manifest V3 positions Chrome as the all-powerful arbiter of what software lives and what dies, shattering the ideal of a diverse array of extensions serving the legitimate preferences and values of equally diverse users. In 2017, when Google banned AdNauseam from the Chrome store, it summarily cut off tens of thousands of users from data they had accumulated, and deprived them of a free and open-source extension to counter online profiling and manipulation. In hindsight, AdNauseam was the canary in the coal mine, as Mv3 is now poised to cut off users from a range of invaluable privacy tools (including ad blockers) that thousands if not millions rely on. A browser that plays favorites to advance its owners' interests effectively chokes out innovative, independent developers, while shrinking the options for individuals to shape their online experiences."
- Helen Nissenbaum and Daniel Howe (creators of AdNauseam and TrackMeNot)
"Manifest V3 is a detrimental step back for internet privacy."
"Nearly all browser extensions as you know them today will be affected in some way: the more lucky ones will 'only' experience problems, some will get crippled, and some will literally cease to exist."