Cockup or conspiracy? Popular privacy extension ClearURLs removed from Chrome web store
The Chrome browser extension ClearURLs has been removed from the Chrome Web Store, for reasons its developer describes as “ridiculous.”
Google’s Chrome team emailed ClearURLs developer Kevin Roebert yesterday to tell him (translated from German): “Your item had to be removed from the Chrome Web Store,” citing three violations of its terms.
These were “inaccurate description – missing information”, on the basis that the donate, badges, logging and export/import of sessions are not mentioned; “use of permissions”, on the basis that the Clipboard/Write permission is not required; and “keyword spam”, on the basis that there is irrelevant information about the extension in the description.
In typical Google fashion, it appears that although the extension has been available for a long time, the discovery of these violations meant that it was instantly removed and its page now returns a 404 “not found” error. It is still available for other browsers including Firefox, Microsoft Edge, and for Chrome via manual download from GitHub or GitLab.
Roebert said: “The reasons for this are ridiculous and probably only pretended because ClearURLs damages Google’s business model. ClearURLs has made it to its mission to prevent tracking via URLs and that’s how Google makes money.”
He said that he made corrections to meet the requirements and appealed against the block. The clipboard permissions are needed for a right-click context menu option, he said, and he does not understand what was wrong with the description.
Dutch government: Did we say 10 ‘high data protection risks’ in Google Workspace block adoption? Make that 8
It is not clear whether Google is really concerned about the functionality of the extension, or whether this is just another example of seemingly arbitrary violations being discovered, communicated badly, and blocking happening by default and without notice.
The duke of URL
The issue does expose an aspect of today’s web which perhaps gets too little attention, and which is disguised by Google and others. The idea of the URL (Uniform Resource Locator) is that it identifies the address of a web location, but the existence of URL arguments means it can be more than that, and it is easy for developers to generate URLs that include tracking information that is used for analytics rather than navigation, or to power things such as affiliate links and advertising fees.
Another related matter is hidden redirects. In the early days of web search, the blue links returned simply included the URL of the destination, but most search engines quickly changed that to make the link target their own servers, in order to capture analytic data about the search before redirecting the user to the final destination. The user may not be aware of this, since hovering the mouse over the link shows a different URL from the real one.
One of the functions of ClearURLs is to “support redirecting to the destination, without tracking services as middleman” and to “prevent Google from rewriting the search results to include tracking elements.”
A quick experiment with Firefox proved this to be the case.
Using the Inspect Element context menu option (part of Firefox, not ClearURLs) shows that without the extension, a Google search result targets a redirect service on Google’s server, including various arguments alongside the destination URL, whereas with ClearURLs installed, the link is direct.
This is a deep rabbit-hole though; in Chrome itself we found that the same search yielded a direct link with or without ClearURLs with the analytics metadata inserted into a ping attribute, meaning that Google gets posted the data when the user clicks, so the company gets the data either way. In Firefox, the ping attribute is disabled by default.
In Chrome, Google gets its analytics from the ping attribute – making ClearURLs ineffective for this case
The depressing news is that Mozilla apparently intends to enable ping in future, without any option to disable it, telling Bleeping Computer that it is “a matter of improving the user experience by giving websites a better way to implement hyperlink auditing without the performance downsides of the other existing methods.”
Apple also takes this view, and has said that: “Just turning off the Ping attribute or the Beacon API doesn’t solve the privacy implications of link click analytics. Instead, it creates an incentive for websites to adopt tracking techniques that hurt the user experience.”
What this means is that for this extension to really harm Google’s business model, it has to do more than simply cleaning the URLs. The extension also leaves untouched another common use of tracking URLs, which is in email links.
A private matter?
Google’s developer terms for its Chrome Web Store states that “Google retains the right to refuse to include a Product on the Web Store.”
It would be entitled to block an extension because it harms its business model – though that is not what has been said to Roebert. The issue is complex because Google also claims to be concerned about privacy, saying for example that “people want assurances that their identity and information are safe as they browse the web”, and introducing many changes to Chrome on this basis.
In a post last year on privacy practices for Chrome extensions, the company said that “protecting users and their data is a fundamental aspect of the work we do on Chrome.”
Blocking an extension that has an obvious privacy benefit sits uncomfortably with such statements, though a quick read of Google’s monster privacy policy shows that while it cheerfully supports technology that blocks others from tracking data, it reserves the right to collect data for itself – and it looks unlikely that ClearURLs, as things stand, does much to prevent it.
The Register has asked Google to comment. ®
READ MORE HERE