GettyGoogle’s plans to limit ad blockers in Chrome have already led many users to consider switching browsers. People’s anger was made worse by the confirmation that the only people who will avoid the changes to the way ad blockers work in Chrome will be Google’s enterprise users. Advertising is at the heart of Google’s business model and so unsurprisingly, users have been questioning the software giant’s motives. And now, another prominent voice has entered the debate. Digital rights group the Electronic Frontier Foundation (EFF) says the move will not help security and in fact, will probably hinder it. The plans, dubbed Manifest V3, represent a major transformation to Chrome extensions including a revamp of the permissions system. As a result, modern ad blockers such as uBlock Origin—which uses Chrome’s webRequest API to block ads before they’re downloaded–won’t work. This is because Manifest V3 sees Google halt the webRequest API’s ability to block a particular request before it’s loaded. The plans are earmarked for release into the Google Canary channel around now.
Google argues its ad blocking plans will increase security, and the software firm has written several blogs outlining how. On June 12 Devlin Cronin on the Chrome extensions team wrote: “No, Chrome isn’t killing ad blockers–we’re making them safer.” But the EFF argues: “The next time Google claims that Manifest V3 will be better for user privacy and security, don’t believe their hype. Manifest V3 will curtail innovation and hurt the privacy and security of Chrome users.” Google’s Manifest V3 and the rogue extension problem In July, it emerged that eight browser extensions used by around 4 million Firefox and Chrome users were harvesting data. The discovery was made by security researcher Sam Jadali, who told me at the time that Google’s Manifest V3 does not solve this specific problem: “It has some improvements however it explicitly states that server communication (potentially changing extension behavior) will still be allowed. This doesn't really solve the issue.”
The EFF uses this discovery as the launch point for its post warning users about the dangers of Google’s Manifest V3. “To start with, the Manifest V3 proposal won't do much about evil extensions extracting people’s browsing histories and sending them off to questionable data aggregators,” Alexei Miagkov, Jeremy Gillula and Bennett Cyphers said. This because Manifest V3 doesn’t change the observational APIs available to extensions. “Manifest V3 will still allow extensions to observe the same data as before, including what URLs users visit and the contents of pages users visit. Privacy Badger and other extensions rely on these observational APIs,” the EFF post said.
However he says: “It appears to do little to prevent rogue extensions from obtaining information from loaded sites, which is certainly a privacy issue and it looks as if the V3 changes don't help.”The changes outlined by Google’s Manifest V3 are certainly unpopular, but the EFF warning amplifies this further. So, what can be done? “Better review of extensions in Chrome Web Store would promote informed choice far better than limiting the capabilities of powerful, legitimate extensions,” the EFF said adding that Google could have banned remote code execution “a long time ago.”
No doubt this will cause more users to question whether Chrome is the right browser for them. Many people are already switching to Firefox, which has made a big deal about its focus on security and privacy. Or course, there are also Chromium-based browsers such as Brave, which have confirmed they will not take on the Manifest V3 changes.