EFF Warns Chrome Users: 'Manifest V3 Is Deceitful and Threatening' (eff.org) 46
In a recent blog post from the Electronic Frontier Foundation, the digital rights group warns that Google Chrome's latest specification for building Chrome extensions, known as Manifest V3, "is outright harmful to privacy efforts." EFF technologist Daly Barnett writes: Like FLoC and Privacy Sandbox before it, Manifest V3 is another example of the inherent conflict of interest that comes from Google controlling both the dominant web browser and one of the largest internet advertising networks. [...] It will restrict the capabilities of web extensions -- especially those that are designed to monitor, modify, and compute alongside the conversation your browser has with the websites you visit. Under the new specifications, extensions like these -- like some privacy-protective tracker blockers -- will have greatly reduced capabilities. Google's efforts to limit that access is concerning, especially considering that Google has trackers installed on 75% of the top one million websites.
It's also doubtful Mv3 will do much for security. Firefox maintains the largest extension market that's not based on Chrome, and the company has said it will adopt Mv3 in the interest of cross-browser compatibility. Yet, at the 2020 AdBlocker Dev Summit, Firefox's Add-On Operations Manager said about the extensions security review process: "For malicious add-ons, we feel that for Firefox it has been at a manageable level... since the add-ons are mostly interested in grabbing bad data, they can still do that with the current webRequest API that is not blocking." In plain English, this means that when a malicious extension sneaks through the security review process, it is usually interested in simply observing the conversation between your browser and whatever websites you visit. The malicious activity happens elsewhere, after the data has already been read. A more thorough review process could improve security, but Chrome hasn't said they'll do that. Instead, their solution is to restrict capabilities for all extensions.
As for Chrome's other justification for Mv3 -- performance -- a 2020 study (PDF) by researchers at Princeton and the University of Chicago revealed that privacy extensions, the very ones that will be hindered by Mv3, actually improve browser performance. The development specifications of web browser extensions may seem in the weeds, but the broader implications should matter to all internet citizens: it's another step towards Google defining how we get to live online. Considering that Google has been the world's largest advertising company for years now, these new limitations are paternalistic and downright creepy.
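The security point in the summary, that an extension can still read traffic through the non-blocking webRequest API under Mv3, can be checked from an extension's manifest. This is an added example, not code from the EFF post or from Chrome: `auditManifest` and the sample manifests are hypothetical, while the permission names are the real manifest values.

```javascript
// Added example: classify what a manifest lets an extension do with traffic.
// Assumption: content scripts and enterprise-policy installs are out of scope.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function auditManifest(manifest) {
  const version = manifest.manifest_version;
  const perms = manifest.permissions || [];
  // MV2 mixes host patterns into "permissions"; MV3 lists them in "host_permissions".
  const hosts = version >= 3
    ? manifest.host_permissions || []
    : perms.filter((p) => p === "<all_urls>" || p.includes("://"));
  const canObserve = perms.includes("webRequest") && hosts.length > 0;
  return {
    version,
    canObserve, // non-blocking webRequest listeners: a read-only view of requests
    observesAllSites: canObserve && hosts.some((h) => BROAD_HOSTS.has(h)),
    // Allow/deny decided by extension code at request time (MV2 only here).
    canBlockInCode: version === 2 && canObserve && perms.includes("webRequestBlocking"),
    // Rules handed to the browser, which evaluates them itself.
    canBlockByRules: perms.includes("declarativeNetRequest") ||
      perms.includes("declarativeNetRequestWithHostAccess"),
  };
}

// Constructed sample manifests (not real extensions).
const MV2_BLOCKER = { manifest_version: 2,
  permissions: ["webRequest", "webRequestBlocking", "<all_urls>"] };
const MV3_BLOCKER = { manifest_version: 3,
  permissions: ["declarativeNetRequest"], host_permissions: ["<all_urls>"] };
const MV3_OBSERVER = { manifest_version: 3,
  permissions: ["webRequest"], host_permissions: ["<all_urls>"] };

for (const [name, m] of Object.entries({ MV2_BLOCKER, MV3_BLOCKER, MV3_OBSERVER })) {
  console.log(name, auditManifest(m));
}
```

The `MV3_OBSERVER` profile is the one the quoted Firefox statement describes: it cannot block anything, yet it still sees requests on every site.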
Re:Enter antitrust law (Score:4, Interesting)
Time to split chrome out of google's advertising business?
What would (or could) the business model be?
AFAIC, Chrome should be forcibly taken out of Google's hands and given to FOSS developers with a mandate to keep it free, open, and privacy-oriented. Sorry Google, no more browser for you!
This is the only "business model" that makes sense - it gives Google "the business" in the way they have earned and so richly deserve for their bad behaviour, and it's a "model" for how to treat other grasping corporations whose fondest wish is to monetize everything including every word out of our mouths, everything our gaze rests upon for more than a second, and ultimately, the water we drink and the air we breathe.
Re:Enter antitrust law (Score:5, Insightful)
In this scenario, the Sherman Antitrust Act.
Whether or not it applies is for the court to decide, but the existence of the law has survived all legal challenges.
Won't happen, though. Not with the current administration, or any administration foreseeable in the near future (including a 2nd Trump term).
Re: (Score:3)
The Sherman Antitrust Act doesn't stipulate that bad actors have their property (intellectual or otherwise) be given to the public. If anything gets taken away from them, it comes in the form of spinning off one or more of their business units into other private companies, and it's those other companies that still hold the keys.
Of course, there's really no point in arguing that it "should be forcibly taken out of Google's hands and given to FOSS developers" because it's already open source. You're already fr
Re: (Score:2)
> The Sherman Antitrust Act doesn't stipulate that bad actors have their property (intellectual or otherwise) be given to the public.
The Sherman Act is primarily a criminal statute that affects not just the company but responsible management; its legal operation is fundamentally coercive: once they have been found guilty civilly, they can then be charged criminally afterwards -- Settle up under what terms the government wants, or company management will be facing jail time. If the government will be prepared
Re: (Score:2)
So it is not outside possibility that the government would pose in their settlement something such as separating the Chromium project and its oversight from Google, and disallowing Google from distributing a browser and providing services (such as "Profile synchronization") exclusive to users of a browser Google distributed.
And you know how that would be done, right? They would spin off all of the Chrome IP, including trademarks, knowledge (i.e. engineers, management, etc) into another company, separate from Google. Essentially they'd become like Mozilla.
Re:Enter antitrust law (Score:5, Informative)
Re: Enter antitrust law (Score:2)
Re: (Score:2)
The source is already FOSS so you can fork it anytime you want.
I realized that when I wrote the comment. The point isn't to have a fork of Chrome - it's to take away Google's right to distribute its own version of Chrome. Putting Google's own flavour of Chrome into the hands of FOSS developers would result in the next update replacing Google's steaming pile of privacy-raping browser code with a privacy-centric, non-advertising-oriented browser.
Re: (Score:2)
Re:Enter antitrust law (Score:5, Insightful)
I have some good news for you: there is already a free and open-source browser available for your use! You can get it here! [mozilla.org]
My actual point is, the profit-seeking goals are part of why Chrome is the most popular browser. There is a direct financial incentive to make it the most popular browser. Firefox is in a slightly different boat, and the result is clear: Firefox is not as good. If you actually succeeded at taking Chrome away from Google, and making it fully open source, it would decay into Firefox.
I use Firefox exclusively. But that is because I am willing to accept its deficiencies in order to escape Google.
Re: (Score:2)
Oh, like Chromium?
Which is going to be their defense against a move like what you propose.
Chromium? (Score:3)
Re:Chromium? (Score:4, Informative)
I have wondered why there isn't an ability to switch to a 3rd party (ideally self-hosted) sync mechanism?
https://floccus.org/ [floccus.org]
https://nextcloud.com/install/ [nextcloud.com]
Is it 100% all-the-way integrated? Not in the same way a Google Account is...but it more than makes up for it by having the plugin available for Firefox and Opera, so cross-browser bookmark sync with a drop-down menu is "close enough" for me.
Re: (Score:2)
I've been just blindly using Chrome since I switched to that when Chromium broke. Then I attempted to use Chromium on the Pi400 I got to play with, and got reminded of how stupid this is. There is n
Re: (Score:2)
Have you tried installing Chromium? It's a miserable experience designed to be as confusing as possible, with a bunch of HTML 1.0 looking hyperlinks that direct you to a nightly build zip file that has no installer. It's all surrounded by links to Chrome, too.
Re: (Score:2)
Chromium is getting kicked out of Debian due to no upstream security support, insane build system, general suckage, no regard to bug reports at all, and so on.
No one upstream responds to anything, all they care about is their internal bug tracker.
Re: (Score:2)
It's in the repos of all distros I've tried. On Fedora it's reasonably up to date also.
Re: (Score:2)
You can do that via an extension, e.g. https://chrome.google.com/webs... [google.com]
On the other hand (Score:4, Insightful)
No one who actually cares about their privacy is using Chrome anyway.
doublespeak (Score:3, Interesting)
You've missed the entire ball of wax. People care about privacy, but they get systematically priced out of the conversation.
People who "actually" care is just doublespeak for those who are too stubborn to allow themselves to get priced out of the conversation.
I've been immersed in the software profession since the 1970s. I once won a math prize. I even won a writing prize. I spent much of the 1990s reading Applied Cryptography for light e
Re: (Score:2)
I'm sorry that your family member works in the part of government that has mandated only Edge can be used, but that is not true everywhere in government. There are parts of the government where Firefox is viewed as any other software package - it is reviewed for security issues, then placed on the allowed software list, same as Chrome. We
A little more info. (Score:5, Informative)
Dear Developer,
Last year, we announced the availability of Manifest V3 - a more secure, performant, and privacy-preserving iteration of the extension platform.
<snip>
This is a notice that beginning January 17, 2022, the Chrome Web Store will stop accepting any new Manifest V2 extensions with visibility set to “Public” or “Unlisted”.
<snip>
Additionally, beginning in June of 2022, this restriction on new extensions will expand to include items set to “Private” visibility as well.
It's a real pain because I make my extensions for fun and having them on the chrome store provides a lot of benefits. But now I have to go through them and reconfigure how they work just to satisfy manifest v3 for very little gain.
Re: (Score:2)
Re: (Score:2)
Little gain to you perhaps, but good for your users. Manifest V3 brings Android style permissions which can be denied by the user. I'm sure your extensions are all benevolent, but you can appreciate that users want control.
Re: (Score:2)
Re: (Score:2)
I am hoping that the background page thing is preparation for introducing extensions on Android. Firefox has them but there are some noticeable performance issues.
About the other thing, I screwed up. I usually try to post a correction but sometimes forget. My bad, I usually try not to get into stuff like that when I'm very tired but honestly the amount of sinophobic bullshit on here gets to me sometimes. It gets to me in real life too.
Re: (Score:2)
V3 (Score:5, Interesting)
Having done some development work in V2 and V3 it looks to me like the effort on V3 was one for performance. Stop extensions from running in the background sucking down CPU, RAM, and battery life. And stop extensions from slowing down all network requests (which is the big change most people don't like; you have to define ahead of time how network requests will be filtered or altered which can be impossible without being able to dynamically inspect it, depending on what you want to do). This sucks from a developer perspective since it limits what you can do but the changes they made make sense from a performance standpoint.
That said I'm not sure why they don't monitor the performance of the older API and simply disable extensions (or give the user the option to) that are slowing down the browser too much.
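The contrast drawn in the comment above, between rules defined ahead of time and code that inspects each request, sketched as an added example that is not part of the thread or of any extension. The rule objects follow the declarativeNetRequest shape; the matcher is a simplified subset of its `urlFilter` syntax, and the request objects, hostnames and function names are constructed for illustration.

```javascript
// Added example. Simplified urlFilter matcher: "||" anchors at a domain
// boundary, "^" matches a separator or the end of the URL, "*" is a wildcard.
function urlFilterToRegExp(filter) {
  let src = "";
  let rest = filter;
  if (rest.startsWith("||")) {
    src += "^[a-z][a-z0-9+.-]*://([^/?#]*\\.)?";
    rest = rest.slice(2);
  }
  for (const ch of rest) {
    if (ch === "*") src += ".*";
    else if (ch === "^") src += "(?:[^A-Za-z0-9_.%-]|$)";
    else src += ch.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  }
  return new RegExp(src, "i");
}

// Declarative model: rules are fixed before the request exists.
function staticDecision(rules, request) {
  const hit = rules.some((r) =>
    r.action.type === "block" &&
    urlFilterToRegExp(r.condition.urlFilter).test(request.url) &&
    (!r.condition.resourceTypes || r.condition.resourceTypes.includes(request.type)));
  return hit ? "block" : "allow";
}

// Blocking-listener model: code sees each request and can compare it with
// state gathered at runtime (here, identifiers seen in first-party cookies).
function dynamicDecision(request, seenIdentifiers) {
  const host = new URL(request.url).hostname;
  const firstParty = host === request.initiatorHost ||
    host.endsWith("." + request.initiatorHost);
  if (firstParty) return "allow";
  for (const value of new URL(request.url).searchParams.values()) {
    if (seenIdentifiers.has(value)) return "block"; // identifier leaving the site
  }
  return "allow";
}

// Constructed sample data.
const RULES = [{ id: 1, priority: 1, action: { type: "block" },
  condition: { urlFilter: "||tracker.example^", resourceTypes: ["script", "image"] } }];
const LISTED = { url: "https://cdn.tracker.example/pixel.gif?x=1",
  type: "image", initiatorHost: "shop.example" };
const UNLISTED = { url: "https://metrics.example.net/c?uid=u-7f3a9c",
  type: "image", initiatorHost: "shop.example" };
const SEEN = new Set(["u-7f3a9c"]);
console.log(staticDecision(RULES, LISTED), staticDecision(RULES, UNLISTED),
  dynamicDecision(UNLISTED, SEEN));
```

The static rule catches the listed host but passes the unlisted one; the per-request check blocks the unlisted request because its query string carries an identifier the code observed earlier.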
Re: (Score:2)
> That said I'm not sure why they don't monitor the performance of the older API and simply disable extensions (or give the user the option to) that are slowing down the browser too much.
Google is an ad company dealing a blow to adblockers and lying that they have no choice.
Re:V3 (Score:5, Insightful)
Doing things that users want requires CPU, RAM and battery life. News at 11.
Ad company uses the former excuse to limit ad blocker functionality. News at 12.
Re: (Score:3)
The dynamic filtering stuff has been re-worked to address the issues most developers had with it. The EFF article and all the others I have found don't mention specifically what issue they have with the current Manifest V3 API. As far as I can tell Google has addressed the problems and privacy enhancing, ad filtering extensions should continue to work as they do currently, only faster.
Yes it's work for the extension developers. Maybe that's what they are upset about, since none of them seem to be able to po
Re: (Score:2)
It takes malice to intentionally misread the article this way.
> ad filtering extensions should continue to work as they do currently, only faster.
Only if you consider broken/removed code to be faster. The ability to filter out adware/spyware is gone, this is the issue. Your employer wants to spy on us and shove crap into our faces. And even "faster" is a lie, as remote accesses that would be blocked are so much slower than even somewhat inefficient local filtering.
Re: (Score:3)
But what specific API change has scuppered the ability to filter adware/spyware?
As I say, there was an issue but Google listened to extension developers and changed the API to resolve it. They were planning to allow extensions to register up to 50k rules that the browser would evaluate, but vastly increased that limit and restored some other functionality to make the post-loading filtering work better.
And yes, that means they build the ad blocking right into the browser itself, so it would be faster. They ac
Re: (Score:2)
Asking the fox to guard the henhouse (Score:2)
What other outcome would you expect?
Firefox will still have the old mechanism too (Score:5, Informative)
It was not clear to me that Firefox would maintain the old way for extensions to filter webpages in addition to the new one, in fact the article seems to suggest otherwise to me. EFF is doing their cause a disservice with this poorly written article.
Both the article and the slashdot summary should really include this statement from Mozilla:
"After discussing this with several content blocking extension developers, we have decided to implement DNR and continue maintaining support for blocking webRequest."
Re:Firefox will still have the old mechanism too (Score:5, Informative)
Eventually Firefox will be the only browser with a fully powered uBlock Origin, making it the only browser I would ever consider running.
Re: (Score:2)
Now witness the filter power of this fully-configured and operational advert-blocker.
Re:Firefox will still have the old mechanism too (Score:4, Informative)
As far as I understand, Firefox is implementing only a subset of Manifest V3, leaving out all the parts that threaten privacy and adblocking, while keeping those that enhance performance and security.
That way, many/most extension makers' work is reduced when coding extensions for multiple browsers.
The more I read about these developments... (Score:2)
... the more glad I am with my choice of using Firefox ESR (with uBlock and Badger) for work and productivity, and Chrome only for entertainment....
JM2C
YMMV
One localhost to rule them all (Score:2)