
Let's guess what Google requires in 14 days or they kill our extension - cimnine
https://blog.pushbullet.com/2020/05/13/lets-guess-what-google-requires-in-14-days-or-they-kill-our-extension/
======
geofft
Uh, yikes:

> _As I looked at the permissions and what our extension actually needs to
> operate, I noticed a great opportunity to reduce our permissions requests.
> We do not need to request access to data on [https://*/*](https://*/*) and
> [http://*/*](http://*/*). Instead, we can simply request data access for
> [https://*.pushbullet.com/*](https://*.pushbullet.com/*),
> [http://*.pushbullet.com/*](http://*.pushbullet.com/*), and
> [http://localhost/*](http://localhost/*). This is a huge reduction in the
> private data our extension could theoretically access. A big win!_

While I agree with the larger part about the lack of transparency of what they
want you to fix, this is an amazingly huge oversight, and the fact that the
extension review process got an established, popular extension to go "Wait, we
don't actually need to request access to every website ever" is a point _in
favor_ of the review process - and, unfortunately, a (weak) argument in favor
of the review process taking the attitude that they get lots of crap and don't
have the time to explain to all the authors of crap what they're doing wrong.
How did the extension ever ask for this _in the first place_?

Also why do you need [http://localhost/](http://localhost/)? Is the extension
running a web server on localhost with native code? If so, can you use the
specific mechanism/permission for communicating with native code via a
subprocess (because it turns out communicating with a web server on localhost
is very hard to do securely)? If not, what's it for?

I'm sympathetic to the broader argument here, but given the provided
information, all of this is consistent with an extension that _should_ be
kicked off the app store within 14 days.

(Among other things, if you have an approved extension with
[https://*/*](https://*/*) permissions and active users, malware authors will
offer to buy your extension for a very high price. So it's definitely in the
public interest to make sure there are as few of those as possible and that
they're only in the hands of people who have the ability to understand why the
friendly person offering them way too much money for their extension isn't
just being nice.)
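
An added example, not part of geofft's comment and not Pushbullet's code: a small JavaScript audit that reports which host patterns in a manifest grant any-site access, cleartext access, or loopback access, plus the `tabs` API permission. The two manifests are constructed from the patterns quoted above; the function and issue names are assumptions of this example.

```javascript
// Added example: audit the host access an extension manifest requests.
// Both manifests below are constructed for illustration.

// Match pattern shape: <scheme>://<host><path>
// host is "*", "*.domain", or a literal host name.
const MATCH_PATTERN = /^(\*|https?|file|ftp):\/\/(\*|\*\.[^\/*]+|[^\/*]*)(\/.*)$/;
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

function parsePattern(pattern) {
  if (pattern === "<all_urls>") return { scheme: "*", host: "*" };
  const m = MATCH_PATTERN.exec(pattern);
  // null means the entry is an API permission name such as "notifications".
  return m ? { scheme: m[1], host: m[2] } : null;
}

function classify(pattern) {
  const p = parsePattern(pattern);
  if (!p) return [];
  const issues = [];
  const host = p.host.replace(/:\d+$/, ""); // ignore a port suffix if present
  if (host === "*") issues.push("any-host"); // every site the user visits
  if (LOOPBACK.has(host)) issues.push("loopback"); // local web server channel
  // "http" and the "*" scheme both cover unencrypted origins.
  if ((p.scheme === "http" || p.scheme === "*") && !LOOPBACK.has(host)) {
    issues.push("cleartext");
  }
  return issues;
}

// Host patterns can appear in several manifest keys (MV2 and MV3).
function collectPatterns(manifest) {
  const out = [];
  for (const key of ["permissions", "optional_permissions", "host_permissions"]) {
    for (const p of manifest[key] || []) out.push({ source: key, pattern: p });
  }
  (manifest.content_scripts || []).forEach((cs, i) => {
    for (const p of cs.matches || []) {
      out.push({ source: `content_scripts[${i}].matches`, pattern: p });
    }
  });
  return out;
}

function auditManifest(manifest) {
  const findings = [];
  for (const { source, pattern } of collectPatterns(manifest)) {
    for (const issue of classify(pattern)) findings.push({ source, pattern, issue });
    if (pattern === "tabs") findings.push({ source, pattern, issue: "tabs-api" });
  }
  return findings;
}

// Sorted, de-duplicated issue names, convenient for a CI gate.
function issuesOf(manifest) {
  return [...new Set(auditManifest(manifest).map((f) => f.issue))].sort();
}

// Constructed "before" and "after" manifests using the patterns in the quote.
const before = {
  manifest_version: 2,
  name: "example-before (constructed)",
  permissions: ["tabs", "notifications", "https://*/*", "http://*/*"],
};
const after = {
  manifest_version: 2,
  name: "example-after (constructed)",
  permissions: [
    "notifications",
    "https://*.pushbullet.com/*",
    "http://*.pushbullet.com/*",
    "http://localhost/*",
  ],
};

console.log("before:", issuesOf(before));
console.log("after: ", issuesOf(after));
```

The narrowed manifest still reports `cleartext` and `loopback`, which are the two points the comment above goes on to question.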

~~~
IG_Semmelweiss
I agree. This is hackernews, so it is easy to see why devs would feel otherwise, but
as a nondev, I represent the end users.

Why would anyone think it is appropriate for google to reveal their hand, and
allow blackhat operators to build apps up to the max limit of permissions? (If
they were revealed by google via white glove customer service).

If goog did provide guidance on permissions, goog would literally have to
audit every app in the store, or come up with a way to separate bad actors
from good ones.

So, I'm sorry. No. If it's between 1 hacker's inconvenience or in extreme case,
livelihood....and the retirement savings bank account of many grandmas, I am
going to side with grandmas.

Google is doing many things wrong. Keeping the "red line" of allowable
permissions secret, from data-hungry developers.... is not one of them.

~~~
kd5bjo
> If goog did provide guidance on permissions, goog would literally have to
> audit every app in the store

You’re talking about vetting suppliers and products in order to ensure they’re
selling safe products that consumers want. That sounds like an ordinary part
of every retailer’s job to me.

------
seanwilson
For people focusing their comments on this particular extension + the
permissions it asks for, please take a quick look at the numerous recent posts
in the official forum for Chrome extension developers to see it's not an
isolated issue:

[https://groups.google.com/a/chromium.org/forum/#!forum/chrom...](https://groups.google.com/a/chromium.org/forum/#!forum/chromium-extensions)

It's a systematic issue that isn't specific to anything Pushbullet is doing
and it's been like this before the pandemic:

\- Reviews can take up to 3 weeks. This alone would be crazy enough if you
have an urgent bug to fix.

\- Rejection emails are vague and don't tell you what to fix.

\- After you guess at what to fix, you've then got to join the up to 3 weeks
review queue again.

\- If you try too many times, your extension gets pulled.

\- On top of this, they've recently disabled new Chrome Web Store paid items,
and user reviews.

Can anyone from Google escalate this and help extension developers? I can't
speak for everyone but there's lots of complaints in the forum and little
action beyond "we hear you and are looking to improve things".

~~~
_jal
The rule still applies: if you build your business on someone else's property,
don't act surprised when they casually destroy you.

It has happened again and again and again. Building for FB or Google is you
making yourself their serf, and you will be allowed to exist at their whim.

~~~
chc
This isn't very actionable advice, though, since there is basically no such
thing as a software product that isn't built on somebody else's property.

You might think, "Ah-ha, web apps!" But no, Google can still casually destroy
you there. Or you might think, "Ah-ha, desktop apps!" But the OS vendor can
casually destroy you there.

~~~
skrebbel
> Or you might think, "Ah-ha, desktop apps!" But the OS vendor can casually
> destroy you there.

Casually? The amount of effort and goodwill, say, Microsoft would need to
spend to prevent me from installing $PROGRAM on my computer is significantly
higher than the amount of non-effort a single extension reviewer would need to
expend to click "no" arbitrarily because they are having a bad day.

How would Microsoft do it? Add legit software to Defender? Ship a Win10 update
that disables a key API call $PROGRAM uses? Add "if program == $PROGRAM then
exit" to the CreateProcess code? All possible, none casual. To the best of my
knowledge they've never done something like this. I'm less deep into Apple
land but I expect something similar holds on macos.

~~~
kire456
The OS vendor could "destroy" you by making changes to the OS that affect your
app, right? The Old New Thing[0] is full of stories of apps that exploited
undocumented implementation details of the OS, and were surprised that those
aspects were in fact changed in a later OS version.

To its credit (though not everyone agrees), MS has spent a lot of effort
making compatibility shims, basically doing other people's work for them, but
they have no such obligation.

0\.
[https://devblogs.microsoft.com/oldnewthing/](https://devblogs.microsoft.com/oldnewthing/)

~~~
bmj
This strikes me as a different class of problem. Of course software developers
are at the mercy of other software and hardware, and have been since the days
of yore. And even in that case, you could still potentially debug the issue.

This is a different class of problem. In this case, a gatekeeper is asking you
to use their service to distribute software through their channel, and that
channel is governed by vague rules that may, in fact, be enforced on a whim.
Further, the gatekeeper isn't being clear with the rules, and why you may have
run afoul of them.

------
throwawayext
Different extension developer here. The Chrome Extension store ecosystem has
become a nightmare for developers over the past year. Some items:

\- Extension review times have gone from 1 hour to a variable amount of time
ranging from 1 minute to 3 weeks or longer (try to plan a release or spot fix
an issue when you have no idea how long it will take for a deploy to reach
users)

\- User reviews of extensions have been disabled (how are you supposed to
build an audience or build up trust without reviews?)

\- Manifest v3 was announced (this was actually longer than a year ago) which
will completely break many types of extensions. Over a year later, it is still
on the horizon but the beta releases of it are buggy so it is hard to even try
to adapt to it at this point.

\- Persistent extension related bugs in Chrome are not being fixed and new
regressions are being introduced breaking previously working extensions (which
you then need to rush out a fix for but good luck with that when the reviewers
may take weeks to approve the update)

\- Chrome is exploring hiding extensions by default so they no longer will
show up automatically by the omnibar when you install them (say hello to a
huge amount of confused users who don't know where your extension went)

I understand the Chrome team is trying to address a user trust and fraud issue
with extensions and we are grateful for that. However, the Google extension
team appears to be massively understaffed and are having huge issues managing
and evolving the ecosystem.

~~~
_fat_santa
Fellow extension developer here as well. I've been trying to get an update
approved since February or March.

Submitted an update in late February and decided to update my screenshots.
Remove the screenshots and add new ones only for Google to tell me "you can't
add screenshots while your app is in review", fine, add them later after the
review.

3-4 weeks go by and I check the approval status. Status has been rejected
because....no screenshots provided. I've since updated the screenshots and
resubmitted for review. Currently still waiting on approval.

I've been planning on doing a Product Hunt Launch but that's been put on hold
until I can get an updated version in the chrome web store (the current
version is very old and buggy). I've even looked into distribution outside the
store but turns out chrome will no longer let you do that.

~~~
stallmanite
The screenshot thing sounds downright Kafkaesque. Infuriating!

------
cycomanic
I think the interpretation that Google does this because it does not want to
compromise the review process to malicious extension authors is a very
generous one. As others pointed out, a motivated enough entity could very well
be probing the system using multiple submissions (sure it gets your account
banned, just use several accounts).

No what is really going on is that Google wants the ability to reject an app
for any reason without actually having to give the reasons. To for example
protect a business interest.

The only reason for not making a transparent decision process is because you
want to keep the ability to make decisions that don't follow the rules you
set.

To the people saying that we should keep rules secret so that malware authors
can't work around the rules, I ask: the same argument applies to laws, but
most people agree that we want transparency. So what makes this different in
principle? (I understand that Google might not have an obligation, but you are
saying that they do the right thing)

~~~
highlysyntropic
don't create extensions. create browser controllers. you can release them as
binaries. anyone can download them. They instrument chrome using the remote
devtools API.

an oss example here:
[https://github.com/dosyago/22120](https://github.com/dosyago/22120)

and an idea I have for a browser controllers store here.

[https://github.com/dosyago/browsercontrollers.store](https://github.com/dosyago/browsercontrollers.store)

~~~
dgoldstein0
hm, interesting, though I'd worry that running a server on localhost might be
a little more than most people would bargain for

~~~
highlysyntropic
server just for settings. you could do through a website, but just for ease I
did it that way.

------
jboydyhacker
I think folks are drastically missing the forest for the trees here. This is
just one minor example of the INSANE process that is now the Chrome Approval
Process. I've seen extensions go for many months getting random rejections
with no reason given.

This forces developers to GUESS as to what is wrong. Want to try and develop
according to a roadmap or timeline- forget about it. There is no "app store"
approval process that conducts itself in this way.

Fact is Chrome is 80% of the market so Google doesn't worry about competition.
If Google Chrome is broken- then the internet is broken. It harms new entrants
trying to develop and innovation.

After the 2nd or 3rd rejection- have a HUMAN intervene. Explain what is wrong.
Devs are more than happy to make the changes. But you can't do this "make you
guess" bullshit.

DOJ and EU need to get involved. Someone at Google with their wits about them
and revamp the whole process. It's a travesty against the developer community
and should be fixed ASAP. Also from what I hear they need to start with new
LEADERSHIP.

~~~
unnouinceput
After 2nd to 3rd rejection if it will require a human to intervene Google will
have to hire half the earthlings to deal with crappy spammers that will simply
spam google store with their extensions.

The answer is not human interaction, the answer is automation tool to give
more details as what was detected and didn't pass.

~~~
wtetzner
The answer is probably to stop using Chrome.

~~~
unnouinceput
I use firefox, stopped using chrome last year. But my comment was about
general usability. Chrome or something else, whoever is number 1 will get
corrupted by power. It's human condition

------
extesy
I'm in the same boat. My open source chrome extension[1] has just been taken
down[2] after several years of no complaints because it apparently violated
content policies related to nudity and pornography. Say what? Well, I guess
you could view _any_ image using my extension, including nudes. Isn't that the
problem with most other extensions which could be used on porn sites, like
editing cookies, etc? I've submitted it for re-review but I'm not holding much
hopes.

[1] [https://github.com/extesy/hoverzoom](https://github.com/extesy/hoverzoom)
[2] [https://github.com/extesy/hoverzoom/issues/512](https://github.com/extesy/hoverzoom/issues/512)

~~~
yellowapple
I mentioned this in the GitHub issue thread (howdy!), but I strongly suspect
it has to do with specific references to pornographic sites in the extension's
manifest.

If only Google would mind its own business instead of playing mommy-knows-best
and dictating its morality on grown adults.

~~~
teruakohatu
It is also a fork of an extension that contained malware, so an automated code
review tool trained on malware might be catching it.

~~~
yellowapple
That's a possibility, too, but the email specifically mentioned pornographic
content or extensions that might "drive traffic" to pornographic sites so that
seemed like the more likely reason.

------
AlphaWeaver
I'm also an extension developer, and Google has done this to me a few times
too. We request permissions specifically for what we need, and our extension
is unlisted and can only be installed from our website.

Google is a bully, and they use their size and the threat of permanently
removing access to your Google Account (and family photos) to terrorize small
players without cause.

How many people would Google need to hire to provide email support for
extension review for extensions above a certain size? It can't be a huge dent
in their budget.

~~~
blihp
Not going to happen. This is an issue people have been raising for at least
the better part of a decade... don't expect anything to change now.

A more productive approach would be to focus on web browsers that allow you to
do what you need to and let Google fix what they need to encourage you back. I
know, most extension developers will say 'we can't do that because it's where
the users/customers/whoever are'. But as long as you encourage their bad
behavior by supporting the platform, expect the bad behavior to continue since
it's not hurting _Google_. As a result, it's just a cost of doing business on
Google's platform which is unlikely to change for the better.

~~~
AlphaWeaver
Are you making a good faith suggestion that it's possible to build a business
around a browser extension and not support Google Chrome?

They have something like 70% market share dude...

~~~
hedora
Chrome’s market share would drop if extension authors moved to an alternative.

As it is, it sounds like Google’s doing this itself by breaking popular
extensions.

~~~
AlphaWeaver
I think you overestimate the percentage of Chrome users who use Chrome for the
extensions rather than other reasons ("it's fast", "it's what I'm used to", "I
like Google", "Firefox is weird")

------
patwalls
Chrome extension developer here.

Google ripped my Chrome extension off the app store about a month ago.

I got a similar cryptic message, and then I scrambled to fix it, like you're
doing now. Somehow my extension reappeared the next day.

Email me pat [at] trypigeon [dot] co and I can send you some of the things I
did that may have helped.

Tweeting my support as well:
[https://twitter.com/thepatwalls/status/1260638967793242113](https://twitter.com/thepatwalls/status/1260638967793242113)

~~~
WrtCdEvrydy
I have written about this recently on the Android side.

[https://medium.com/@lazherrera/that-one-time-google-made-it-...](https://medium.com/@lazherrera/that-one-time-google-made-it-more-difficult-to-communicate-about-covid-19-cf29c3751c69)

If you use any of the words related to the COVID-19 pandemic, they will pull
your app, suspend you and ding your account.

~~~
cwhiz
Google has effectively created a private monopoly on any Android applications
related to Covid-19. And the last time this sort of information was posted to
HN the comments section was a race to see who could do the best apology for
Google.

This policy by Google is hurting people and businesses.

Meanwhile, Apple has a similar policy but all they do is just take extra care
when reviewing your app. I suggest you port your app to iOS and submit it to
the App Store. Apple will accept it and approve it.

~~~
9nGQluzmnq3M
Google is very explicitly limiting COVID apps to those published by reputable
public health orgs:

[https://support.google.com/googleplay/thread/40578311?hl=en](https://support.google.com/googleplay/thread/40578311?hl=en)

~~~
cwhiz
Yeah that’s exactly what we’re talking about...

Which includes helping people print warning labels. Gotta protect people from
that. But the malware is fine.

------
thorum
Does your browser extension really need to access localhost/* - as in, port 80
on my local machine? That would make me very uncomfortable about installing
the extension.

Would it be possible to restrict the extension to accessing a specific port or
endpoint that is used by PushBullet?

~~~
Guzba
We use localhost to communicate with our desktop application which is commonly
installed alongside our extension by users.

An example of how we use this communication channel is preventing both our
extension and desktop apps from showing notifications on the same computer.
Our apps are all about notifications so this would get unacceptable very fast.
We ping our local desktop app via localhost to see if it can manage the
notification, and show it with our extension if it isn't running.

Maybe if we limit it to just the local port we use? Seems like it can't hurt
to try that too.

~~~
paulirwin
I believe you're supposed to use Native Messaging for that:
[https://developer.chrome.com/extensions/nativeMessaging](https://developer.chrome.com/extensions/nativeMessaging)
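
An added example, not code from the thread or from Pushbullet: the "can the desktop app handle this notification?" ping Guzba describes, carried over Chrome's Native Messaging framing (a 32-bit length prefix in native byte order followed by UTF-8 JSON on the host's stdin/stdout) instead of a localhost listener. The message type names, the 64 KB acceptance limit and the little-endian byte order are assumptions of this example.

```javascript
// Added example: host side of a Native Messaging exchange (Node.js).
// Assumes a little-endian machine; message type names are hypothetical.

const MAX_HOST_TO_BROWSER = 1024 * 1024; // Chrome's documented 1 MB reply limit
const MAX_ACCEPTED = 64 * 1024;          // local policy chosen for this example

// Frame one reply: 4-byte length header, then the JSON body.
function encodeFrame(obj) {
  const body = Buffer.from(JSON.stringify(obj), "utf8");
  if (body.length > MAX_HOST_TO_BROWSER) throw new RangeError("reply too large");
  const header = Buffer.alloc(4);
  header.writeUInt32LE(body.length, 0);
  return Buffer.concat([header, body]);
}

// Reassemble frames from arbitrary read chunks. A frame may straddle reads,
// and the declared length is checked before any body bytes are buffered for it.
class FrameDecoder {
  constructor(maxLen = MAX_ACCEPTED) {
    this.buf = Buffer.alloc(0);
    this.maxLen = maxLen;
  }
  push(chunk) {
    this.buf = Buffer.concat([this.buf, chunk]);
    const bodies = [];
    while (this.buf.length >= 4) {
      const len = this.buf.readUInt32LE(0);
      if (len > this.maxLen) {
        throw new RangeError(`frame of ${len} bytes exceeds limit`);
      }
      if (this.buf.length < 4 + len) break; // wait for the rest of the frame
      bodies.push(this.buf.subarray(4, 4 + len).toString("utf8"));
      this.buf = this.buf.subarray(4 + len);
    }
    return bodies;
  }
}

// Allow-list dispatch: only the one ping the extension needs is answered.
function handleRaw(text, state) {
  let msg;
  try {
    msg = JSON.parse(text);
  } catch (e) {
    return { ok: false, error: "bad-json" };
  }
  if (msg === null || typeof msg !== "object") {
    return { ok: false, error: "bad-message" };
  }
  if (msg.type === "can_show_notification") {
    return { ok: true, handled: state.desktopAppRunning };
  }
  return { ok: false, error: "unknown-type" };
}

// Simulated browser side: two frames delivered in two uneven chunks.
// A real host would feed process.stdin chunks to decoder.push() and write
// encodeFrame(reply) to process.stdout.
function demo() {
  const decoder = new FrameDecoder();
  const state = { desktopAppRunning: true };
  const wire = Buffer.concat([
    encodeFrame({ type: "can_show_notification" }),
    encodeFrame({ type: "not_a_real_command" }),
  ]);
  const bodies = [
    ...decoder.push(wire.subarray(0, 7)), // header plus 3 body bytes: no frame yet
    ...decoder.push(wire.subarray(7)),    // remainder completes both frames
  ];
  return bodies.map((text) => handleRaw(text, state));
}

console.log(demo());
```

Unlike a listener bound to a localhost port, the pipe in this arrangement is opened by the browser for the extension that launched the host, so there is no port for other local pages or processes to connect to.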

~~~
rosywoozlechan
This may well be what needs to change, but in any case the message from Google
should have been explicit about it instead of the dev involved having to
create a blog post, hope it gets traction on HN and that someone here knows
what the problem is.

~~~
maartn
the docs are pretty explicit about it

~~~
ldiracdelta
But not their email.

------
foobarbazetc
lol.

We have the same problem, but on the Google Play Store.

We have a brand name app used by millions of people. We uploaded an update
where the only change was a new Firebase library.

Google rejected the update for vague reasons (“violation of Google Play
policies” but not telling us which one).

Appealing the rejection, the CSR just pasted the vague policy thing back at
us. We asked for more information and they just closed the ticket.

So we took the exact build that was accepted, incremented the version number,
and uploaded that. Rejected again.

And there’s no real human to talk to.

No idea what’s going on at Google.

~~~
Florin_Andrei
> _No idea what’s going on at Google._

It's like trying to troubleshoot a machine learning algorithm.

~~~
PopeDotNinja
Now that you mention it, it does sound like an adversarial network!

~~~
Florin_Andrei
No, you're the adversarial network!

 _/ joke_

------
meraku
Another happy PushBullet user here. Extremely useful for receiving text
messages from my phone while on my laptop, especially for web apps that insist
on sending security codes that way instead of TOTP.

This sort of behavior from Google really is infuriating. How they can just
decide to boot an app from the Chrome Store that is installed by over a
million users is mind-boggling.

It's a pity that Chrome doesn't allow extensions to be installed from the new
Edge store, like Microsoft allow Edge to install extensions from the Chrome
store. With both built on Chromium, that could've potentially been a
workaround (though you may want to consider adding this extension to the Edge
store anyway).

Hopefully someone from Google will see this and stop the madness or be able to
provide more details on exactly what needs to be done, though I wouldn't bet
on it.

~~~
driverdan
> It's a pity that Chrome doesn't allow extensions to be installed from the
> new Edge store

Why would anyone want to do that? What's a real pity is that they make every
effort to block users from installing their own extensions. App stores are
terrible.

~~~
Spivak
No, they make every effort to ensure that installing extensions outside the
store is annoying so that you can't push your malware by just having users
download and install it. This kind of malware _plagued_ Firefox for years
until they made extension signing mandatory

~~~
saurik
If I am in a position to install random shit into Firefox I am also in a
position to just _modify Firefox_, so that doesn't accomplish anything at all
except remove functionality from users.

~~~
enedil
Except most targets won't modify their Firefox.

~~~
saurik
I think I am not understanding your use of the word "target" here, as I would
have expected that to be the person being targeted by the malware install, but
that person isn't someone who by definition even knows what is going on: it is
the attacker who is choosing to install something into Firefox without the
express knowledge of the target, and so it is the attacker whom I am noting is
able to choose to instead modify Firefox; if the target were making the
decision to install the extension then clearly they should be allowed to do
whatever they legitimately _want_ to do with their software.

------
geza
I got the same notification yesterday morning for my own open-source extension
HabitLab ( [https://habitlab.stanford.edu/](https://habitlab.stanford.edu/) )
- same vague request for "you're not using the minimal set of permissions"
without mentioning what permissions they want me to stop using (HabitLab is
already using the minimal set of permissions for the features it implements -
any removal of permissions would have to be done at the expense of reduced
functionality). Emailing just results in them sending me a link to the policy.
So this is definitely not an isolated case.

~~~
brigandish
Have you considered writing a short blog post (even a tweet) about it and
submitting it to HN? Momentum is a good thing.

------
chrischen
We spend quite a bit on Google Ads yet they seem to refuse devoting even a
few minutes of a knowledgeable support staff’s time to our account—even when
we’re trying to figure out how to give them more money. For 1-2 years our
product shopping ads never displayed and we couldn’t get anyone to tell us
why. One day, it just started working by itself (perhaps some engineer pushed
a fix).

Contrast this with their sales strategy of aggressively making a human call me
every quarter to try to up my budgets. I’m not sure why they are so against
helping people succeed with their products...

It’s like they are allergic to manual human processes (unless it’s sales).

~~~
PopeDotNinja
Have you tried telling the salesperson?

~~~
chrischen
Yes I in fact did. One of the only reasons I took the call. He said he would
check internally. Nothing came of that. Technically they weren't sales but
were doing a free account review (but purely focused on how to increase my
spend).

------
GuB-42
It is a common theme with Google, what they do makes sense, but communication
is impossible.

I don't know if it is an artifact of overusing machine learning "our neural
network trained on a variety of malware gives your app a score of 4.3, you
have 15 days to get it down to 4.0". How is that calculated? No one knows,
maybe you shouldn't use the location permission if your icon is red and your
domain is not in .org, or something like that.

Or maybe it is a form of security by obscurity. Or maybe they just don't want
to pay for people to support you. Who knows?

~~~
shadowgovt
It's that last one. Chrome Extensions, as a whole, are a value-add to Chrome.
Individual Chrome extensions have negligible added value.

As long as Chrome isn't killing extensions "everyone cares about," their
system can bias pretty far towards making it hard to get an extension accepted
and maintained in the store without killing the whole ecosystem.

------
jaredandrews
Slightly related, Google is also tightening up Android 11 location permissions
(with good reason). In this blog post[0] they outline a process for getting
approval that was supposed to be underway by the start of May.

So far I have not been able to locate this form nor have I been able to find
any Android developers who have.

If anyone here knows where it is or what the deal is, please let me know.

[0] [https://android-developers.googleblog.com/2020/02/safer-loca...](https://android-developers.googleblog.com/2020/02/safer-location-access.html)

~~~
Mindwipe
The SMS access process never worked after it was introduced in a similar way
several years ago now. Google even put some minority groups in significant
danger to their safety as a result.

Nobody at Google gave a shit and it was never fixed.

------
calmchaos
Those rejection emails are most likely sent by an AI. If you reply back and
ask them to specify exactly what is wrong, you'll get the same generic email
back. Ask again, and they'll send the same generic response without any
details or comments written by a human. They simply can't specify the problem
at all. That's how you know you are talking with an AI, not a human.

The correct way to respond to those rejection emails is to ask for a "human
being" (this is the keyword that works) to review the case. Also explain in
the email why there isn't anything more you can do (if you have done every
possible fix already).

As a side note, when AI systems get more common, this will be a common
nightmare for regular people. When an AI makes an incorrect decision regarding
you, no-one can check the code why it happened because the code doesn't exist.
All we may have are some weighted matrices and neural network data as a bunch of
numbers.

~~~
solidasparagus
> when AI systems get more common, this will be a common nightmare for regular
> people

I'm not sure. We've had automated phone customer service systems forever, but
companies that in any way care about their customers still let you escalate to
a human.

~~~
couchand
... and those phone systems are a common nightmare for regular people.

------
nikolay
Google are cutting the branch they are sitting on. I only use Chrome because
certain extensions are not available on Firefox. During all these years,
they've become impossible to deal with. I open Chrome with 10 tabs and after a
couple of hours it's using gigabytes of RAM. From a thin client, it became the
thickest client in the visible universe. It's time to consider options... not
that there are many.

~~~
shklnrj
I just started using Brave and most extensions are available. Pretty good from
privacy point of view as well. Check it out.

~~~
nikolay
Still the same memory hog under the hood. I mean, how can a browser use 10+ GB
of memory unless they are doing a million things wrong?

------
wegs
I just want to mention this is why I believe Google will never be able to
compete with AWS, or otherwise be credible in the B2B space. You're relying on
automated systems which can take down your business on a whim, with no
recourse.

Where I work uses Office 365, which is a horrible, horrible technology
compared to Google Suite, but I can't, in good faith, argue for switching to
Google. It's not a company I'd ever rely on in a business setting.

~~~
Baeocystin
I had a terrible, deep-history bug cause problems with one of my Office
365-using clients about six months ago. It was a genuine PITA to troubleshoot.

Once we figured out the source of the problem, I was on the phone with someone
from Microsoft who knew exactly what I was talking about, and the available
workarounds, within the hour.

My clients continue to use Office 365.

------
gnicholas
Consider yourself lucky that your extension wasn’t pulled after 1 day. I
received a 7-day notice on a Sunday and complied same-day. My extension was
pulled the next day, and I received an email stating that 7 days had elapsed.

I managed to get reinstated because I know people on Chrome’s accessibility
team who promote my extension, but even with that assistance it was still
months before I could push a new version without going into purgatory.

FWIW, I’ve had even more issues on Firefox. It’s like they’re in a competition
with the App Store for “most opaque review process”.

------
cirwin
We went through the same problem at Superhuman (and as I write our latest
extension update has been pending review for 2 weeks, so maybe we're about to
hit it again).

Simeon on the mailing list was quite re-assuring, and I would recommend
reaching out to him, though there are limits to what he can help with.

That said we found that the review process is quite arbitrary, resubmitting
may work simply because you get a different reviewer. (We've seen identical
copies of the extension with different version numbers where one was approved
and one rejected).

We've also observed that they use some kind of automated code-analysis to tell
whether or not you're making use of the permission; so you may want to check
that it's obvious from the code included in the extension bundle that you need
the permissions you're asking for.

We've also hypothesized that they apply different standards to extensions
depending on the number of users – our staging extension (~50 users) usually
gets approved quickly, but our production extension usually takes a while and
is less likely to be approved. (This may just be luck of the draw coupled with
arbitrariness though)

~~~
sevencolors
Damn that sounds like crazymaking :(

Dunno why they can't be more explicit which part of the code is the issue

------
nojvek
Google really sucks at customer service. Like they either don’t get it or
they’re so far up their arses that they think fancy AI algorithms will
magically fix it.

They are the most inhuman tech company I have dealt with out of the big 3
clouds.

I have a similar experience. I am trying to get an oauth consent screen
approved. It’s a simple thing. It takes up to a week for someone on their side
to reply and it’s mostly one vague sentence. They don’t give a full list of
what needs to be done. I’ve been at it for more than a month. It’s like they
really don’t give a shit about how much time you’re sinking to make things
work with their services.

I have a love/hate relationship with Google. On one side they know how to keep
things reliable like google search, on the other side they need to stop doing
a 100 million things and do 10 things really well and maintain it for
eternity.

If someone eats Google’s Search lunch, they are done for.

------
janee
Ironic reading this today. Got locked out of an old gsuite we manage for
someone on Monday because I typed the recovery mail wrong 3 times...omg what a
crazy battle to follow their recovery process.

Sent them sooo much proof, answers, cname changes, invoices, emails, etc etc,
but still get the same canned response back.

The weird thing is I never got a single notification on the recovery mail that
unauthorized access was attempted and that the account got locked.

Honestly I feel like such a dumb ass for making our company use gsuite now. I
don't think I'll ever recommend a google product to anyone again.

------
jlevers
This happened to me, too. After emailing customer support several times asking
for clarification, and getting the same uninformative answer every time, I
decided to take down the (free) extension (which had 20,000+ users) rather
than risk having my developer account deactivated for uploading a rejected
extension too many times.

I use Pushbullet every day, and would be gutted if it were killed for such a
ridiculous reason as this.

------
sming
the corporate gorilla beats its chest, demanding you comply!

But with what, it does not say ¯\\_(-_-)_/¯

~~~
crankylinuxuser
The answer is to run a campaign to work with Firefox and Safari only, and
convert all users to either platform.

Seriously, fuck google. I'm just done with them.

~~~
Seb-C
There are no WebExtensions on Safari

~~~
crankylinuxuser
Whelp... That shows just how little I know about Mac.

------
Wowfunhappy
> The other opportunity is the tabs permission. This permission lets
> extensions see what tabs are open. Pushbullet uses this permission to avoid
> opening new tabs for websites that are already open when mirrored
> notifications are clicked. This is a small sacrifice to make to let go of a
> big permission. Let’s let it go!

No, that "small sacrifice" sounds super annoying! I don't use Pushbullet, but
if I did and this got removed in an update, I'd be pissed off! At least leave
it behind an optional checkbox.

~~~
Guzba
Thanks for the feedback here. It strikes me as a little crazy I may be
infuriating you with a change and never even know if that was something I had
to do?

An optional permission seems 100% reasonable.

~~~
Wowfunhappy
> It strikes me as a little crazy I may be infuriating you with a change and
> never even know if that was something I had to do?

Oh, for sure! Just to be clear, I didn't intend my comment as a criticism.

It's nuts that you, as the developer, actually went so far as to remove
features in your first pass, and Google still rejected that attempt without
additional instruction.
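The optional-permission approach suggested in this subthread, as an added example that is not Pushbullet's code: `tabs` is declared under `optional_permissions`, requested only when the user opts in, and the click handler falls back to opening a new tab when it has not been granted. The function names and `makeFakeChrome` (a constructed stand-in for the `chrome` object so the logic runs under Node) are assumptions of this example.

```javascript
// Assumed manifest.json fragment (Manifest V2): "tabs" is moved out of
// "permissions", so it is no longer granted at install time.
//   "permissions": ["notifications"],
//   "optional_permissions": ["tabs"]

// Wrap a callback-style chrome.* method in a Promise.
function promisify(obj, method, ...args) {
  return new Promise((resolve) => obj[method](...args, resolve));
}

// Call from a user gesture (for example the click handler of an options-page
// checkbox); Chrome only shows the permission prompt in response to one.
function requestTabReuse(chromeApi) {
  return promisify(chromeApi.permissions, 'request', { permissions: ['tabs'] });
}

// Lets the user withdraw the grant again.
function revokeTabReuse(chromeApi) {
  return promisify(chromeApi.permissions, 'remove', { permissions: ['tabs'] });
}

// Handler for a click on a mirrored notification that points at `url`.
async function openFromNotification(chromeApi, url) {
  const granted = await promisify(chromeApi.permissions, 'contains', { permissions: ['tabs'] });
  if (granted) {
    // With "tabs" granted, Tab objects carry their url, so an open tab can be reused.
    const tabs = await promisify(chromeApi.tabs, 'query', {});
    const existing = tabs.find((t) => t.url === url);
    if (existing) {
      await promisify(chromeApi.tabs, 'update', existing.id, { active: true });
      return { action: 'focused', tabId: existing.id };
    }
  }
  // Without the permission the extension cannot see tab URLs: always open a new tab.
  const created = await promisify(chromeApi.tabs, 'create', { url });
  return { action: 'created', tabId: created.id };
}

// Constructed test double for the chrome.* object (not a real browser API).
function makeFakeChrome(openUrls) {
  let granted = false;
  let nextId = openUrls.length + 1;
  const tabs = openUrls.map((url, i) => ({ id: i + 1, url, active: false }));
  return {
    permissions: {
      contains: (_p, cb) => cb(granted),
      request: (_p, cb) => { granted = true; cb(true); },
      remove: (_p, cb) => { granted = false; cb(true); },
    },
    tabs: {
      // Like Chrome, omit url unless the "tabs" permission is held.
      query: (_q, cb) => cb(tabs.map((t) => (granted ? { ...t } : { id: t.id, active: t.active }))),
      update: (id, props, cb) => {
        const t = tabs.find((x) => x.id === id);
        Object.assign(t, props);
        cb({ ...t });
      },
      create: (props, cb) => {
        const t = { id: nextId++, url: props.url, active: true };
        tabs.push(t);
        cb({ ...t });
      },
    },
  };
}
```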

------
devit
The fact that they were requesting [https://*/*](https://*/*) and
[http://*/*](http://*/*) (i.e. full control over all your accounts) without it
being absolutely necessary reflects terribly on them.

Still not clear why localhost (which can mean root access to the local machine
since it may have localhost-only services that enable that) and cookies access
is needed, also [http://*.pushbullet.com](http://*.pushbullet.com) is
unnecessary since they should always use HTTPS.

If they had properly implemented the extension they may not have this problem
now.

~~~
jeromegv
Nobody is against enforcing better behaviors from developers, the issue is
that they are not telling anyone what those issues are. I don't know why you
can always count on someone to defend a multi-billion corporation against
small companies, is there no empathy left?

~~~
jholman
> I don't know why you can always count on someone to defend a multi-billion
> corporation against small companies, is there no empathy left?

I don't have empathy for companies, I (try to) have empathy for people. Small
companies are made up of people. Large companies are made up of people. I try
(and often fail, alas) to have empathy for the people in both cases.

------
aendruk
We had a similar interaction with the Chrome Web Store out of the blue. After
a few maddening rounds of requests for clarification and nonsensical canned
responses, I finally just gave up and accused them of gaslighting me. Our
extension was restored the next day, of course with no explanation for the
ordeal.

------
bvandewalle
If you are an engineer those types of stories should make you rethink your
usage of Google Chrome. Chrome having so many users empowers them to implement
those types of nonsensical policies.

As said in other comments it is trivially easy to switch to Firefox (or any
other browser you feel that fits your needs better).

------
KIFulgore
This is scarily reminiscent of Facebook's App Review process. We submitted 8
identical Apps that, functionally, are just webhooks for Messenger events. All
required documentation, justification for the two permissions we needed,
screen casts, and test login credentials were submitted for the reviewers.

3 were approved. 5 were rejected - all for different reasons.

Re-submitted the 5 with no changes; 2 more got approved. Two were rejected
again. One was rejected with a firm reprimand for making an identical
submission (must have hit the same reviewer).

Shuffled some words, re-recorded a couple videos - 2 more approvals, 1
rejection.

Re-submitted the last outlier without changes - Approved.

We are very weary of playing Facebook App Review whack-a-mole.

~~~
awinter-py
did you write this up somewhere?

~~~
KIFulgore
I haven't written a blog about it, but it's a common experience for those
building B2B integrations with Facebook. Also common is feature deprecation
with replacement functionality gated (read: withheld) behind a closed beta
program. They're difficult to join and often can only be entered if you commit
to supporting other Facebook APIs and features (those they wish to publicize).

------
saadalem
A little bit meta here but these words are true even today :

Suddenly, 20% meant half-assed. Google Labs was shut down. App Engine fees
were raised. APIs that had been free for years were deprecated or provided for
a fee. As the trappings of entrepreneurship were dismantled, derisive talk of
the “old Google” and its feeble attempts at competing with Facebook surfaced
to justify a “new Google” that promised “more wood behind fewer arrows.”

…The old Google made a fortune on ads because they had good content. It was
like TV used to be: make the best show and you get the most ad revenue from
commercials. The new Google seems more focused on the commercials themselves.

— James Whittaker, Why I left Google

------
factsaresacred
Have been through a similar experience.

Developing extensions for Google Chrome is a particular form of masochism.
They really don't seem to care. And things took a turn for the worse last
December when the approval process went from hours to weeks.

Check out the Chrome Google group for a sample of the lost souls who hitched
their wagon to the Chrome platform and now cry futilely into the abyss for
support:
[https://groups.google.com/a/chromium.org/forum/#!forum/chrom...](https://groups.google.com/a/chromium.org/forum/#!forum/chromium-extensions)

~~~
yorwba
This one looks particularly relevant:
[https://groups.google.com/a/chromium.org/forum/#!topic/chrom...](https://groups.google.com/a/chromium.org/forum/#!topic/chromium-extensions/uo1HZWfHiFU)

It seems like all extension developers play the same game of guess-and-check
to find out which permissions they should remove, and the unlucky ones get
banned for trying too often.

~~~
thatguy0900
When I read something like this I have to assume Google is just trying to kill
off extensions, it's such a glaringly obvious problem there's no way any human
has seen and okay'd it with good intentions.

~~~
aaanotherhnfolk
I'm the person at $dayjob who has to chart a course through the recent chrome
web store changes and this is honestly my conclusion too.

These extensions don't make any money at all for Google, in fact some of them
lose money for Google (privacy oriented extensions, ironically.)

They are a security nightmare for Google, capable of side channel browser
attacks or direct abuse via a permission (all_urls permission can read your
emails to grandma.)

Google doesn't want extensions to exist, and they also can't outright kill
them without creating a new foothold for their competitors in the browser
wars. So we get this intentionally masochistic process change. Jump this high
or we'll ban you. Now jump higher but with your eyes closed. Okay, now
backflip or you're banned. The extension developers have absolutely no power
to fight back.

------
Crazyontap
This is a good extension but here is a cool hack I've discovered that lets
you do this anywhere without any chrome extensions:

- Create a new WhatsApp group called 'ping self' and add your friend to it.

- Then kick your friend out from this group

- Open web.whatsapp.com and now you can access your messages, files, photos
across any device anywhere, anytime! (telegram also does this and allows files
up to 1gb)

~~~
djannzjkzxn
For the more limited use case of “get a link from a desktop to my phone right
now” I have really enjoyed using an extension on the desktop browser that pops
up a QR code linking to the current tab. Then I just point my phone camera at
the QR code on the monitor to open the link on my phone. I like this setup
because it doesn’t require any pre-configuration to link the desktop and the
phone. Your friend sitting next to you can scan the QR code too.

I’m not linking to any specific QR code extension because I haven’t audited
them for privacy but it’s easy to find one that claims to generate the QR code
locally.

~~~
majewsky
I use

    wl-paste | qrencode -s 20 -o - | display -

for this purpose. Shows the contents of the current Wayland clipboard as a QR
code. For X11, replace `wl-paste` with `xsel -b`.

~~~
jmiserez
Oooh nice. Better yet, you can show that QR code directly in the terminal:

    qrencode -t ansiutf8 google.com

Looks identical. In WSL, you can use 'powershell.exe Get-Clipboard':

    powershell.exe Get-Clipboard | qrencode -t ansiutf8

------
daveidol
Thanks for posting this publicly. I’m all for the general idea of reining in
unnecessary data collection/prioritizing user privacy, but sometimes you just
need certain features to make things work!

~~~
Guzba
Agreed. I really did see benefit to the changes I made that reduced our
permissions requested based on the initial email we received from Google. When
even that was rejected though, I kind of got slammed with a "well.... what do
I do now?".

------
ChrisMarshallNY
I am the proud recipient of _many_ Apple rejection notices from the App Store
(I have been releasing iOS apps since 2012). I have not had an app pulled, but
I have had many rejections to submitted apps (the latest were received
yesterday).

In all of the notices, Apple is usually quite explicit in what the problem is,
including attaching screengrabs, and they will respond, if I ask them for
further clarification.

~~~
filleduchaos
This is why I'm often amused when people gripe about the $99/year membership
fee for the Apple Developer Program.

~~~
Wowfunhappy
As someone who gripes about it: I think $99/year is a perfectly reasonable fee
in order to submit to the App Store. I just don't think it should be the only
way to run my own code on my own phone (without jumping through the ridiculous
hoop of reinstalling an app every single week).

~~~
sushid
You just answered yourself. It's not the only way to run your own code on
your own phone. AFAIK that restriction is to prevent jailbreakers from easily
sideloading paid apps as "their" apps on their phones.

~~~
Wowfunhappy
But it effectively is! There is no way for me to make _anything_ useful for
myself if I have to connect my phone to a computer and reinstall the app every
seven days. If I forget, the app suddenly won't open. If I go on vacation
without a computer, the app won't open. The seven day thing is useful for
testing, and nothing more.

If the goal is to prevent piracy, well, as with other forms of DRM I as a
paying customer don't appreciate being treated like a thief. Dedicated pirates
can and do just buy stolen enterprise certs on the black market anyway.

~~~
ChrisMarshallNY
_> If the goal is to prevent piracy_

I don't think that's their goal.

I suspect that it's all about "brand reinforcement."

Apple is (arguably) the world's most valuable brand. Those don't come in
Cracker Jack boxes.

They don't want some knucklehead running around, showing some crapplet that
makes the brand look bad, and they _certainly_ don't want them installing said
crapplet on their friends' phones, so there's a bunch of folks running around,
making them look bad.

This makes that a lot less likely. If they restrict it to paid accounts, then
they have an assumption that the people writing the apps are "serious" about
developing decent software.

I suspect that a big part of them buying up TestFlight was because they didn't
want a company out there, making it easy to install un-vetted crapplets into a
wide range of devices (which the old TestFlight allowed).

I have some experience with this. I used to work for a world-renowned
corporation that made photographic equipment. Their brand is right up there,
with Apple.

They would go _nuts_ about sample photos getting out of the company. It was
really difficult to report bugs, or even share test results, because the
sample photos couldn't make our cameras look bad.

There's a great deal of controversy about Apple's iron-fisted control issues,
but I do understand. I'm not always happy about it, but you can't argue with
the results.

------
gregsadetsky
I went through the same hell a year ago [0]. My extension [1] now has 60k
users (covid added 10k users in 1 month) and I'm also afraid that any
insignificant update would trigger this hell.

I'll contact PushBullet with a possible way forward (PB, if you're reading
this -- contact me). Anyone else in this situation: my email is in my profile.

[0]
[https://news.ycombinator.com/item?id=20186915](https://news.ycombinator.com/item?id=20186915)

[1] [https://chrome.google.com/webstore/detail/dictation-for-gmai...](https://chrome.google.com/webstore/detail/dictation-for-gmail/eggdmhdpffgikgakkfojgiledkekfdce?hl=en-US)

------
MattGaiser
Any reason that Google doesn't give reasons and ways to comply?

I haven't ever had to deal with a Google person regarding Android development,
but when I built stuff for Blackberry (miss that company), they always
provided nice and detailed feedback. Blackberry famously let legal influence
design, so I would be surprised if it was a cover your ass thing.

~~~
patwalls
Because they are attempting to automate all of it. This message is generic and
based on some analysis of the "manifest.json".

They have also _turned off_ all reviews in the Chrome Web Store:
[https://news.ycombinator.com/item?id=22935092](https://news.ycombinator.com/item?id=22935092)

~~~
gowld
Huh? They turned off reviews because a _worldwide pandemic_ eliminated their
ability to maintain staff to moderate reviews. That's the _opposite_ of
"automating it".

~~~
patwalls
I'm not saying that's why they turned them off, just another sign that Google
is not investing time/money/resources into the Chrome Web store.

------
jboydyhacker
Google has 70% market share. If Chrome is broken- innovation and the internet
is broken.

If we really want to fix this.

1. Use Survey Monkey to collect info from other developers having issues
(which is like all of them).

2. Isolate instances of severe delays, inability to innovate, harm to
business, negligence etc.

3. Send to DOJ and EU Antitrust

------
maehwasu
I’m surprised Google et al. haven’t been forced to make more contractual
disclosures at the time of a user submitting an extension or app.

Absent blaring warnings like “you understand that if you build any type of
business on this platform we reserve the right to destroy it at any time for
any reason”, it’s pretty hard to see how users had any ability to understand
the implicit and explicit contracts they were entering into.

This isn’t much different than “Nathan for You” style hiding of onerous terms
deep in hilariously small fine print, and judges tend not to look fondly on
such games.

------
jyfzbj
This is concerning. Shouldn’t Google’s store have a dedicated support rep for
extensions above a certain threshold?

~~~
tbodt
[https://twitter.com/dotproto](https://twitter.com/dotproto)

------
qwertox
I wonder why the cookies permission is requested. It's not needed to
communicate with .pushbullet.com, as in that case the normal cookies which
have been set by Pushbullet will be sent along in the extension's requests to
.pushbullet.com. It is only needed to access 3rd party cookies.

------
pdonis
If Douglas Adams were still around, he'd put "Get actual assistance from a
human at Google" on the list of "Recreational Impossibilities" in the
Hitchhiker's Guide, right after "Get the Brantisvogan Civil Service to
acknowledge a change of address card".

------
pkaye
What kind of people make these decisions at Google? Engineers? Or did they
automate everything with "machine learning"?

~~~
snazz
It's very automated, especially during the pandemic when many of the content
moderators can't go to work.

------
Baeocystin
Another long-term PushBullet customer here.

Anyone at Google who is listening- this kind of behavior _kills_ my desire to
continue using your products dead. I _need_ functionality, of the type
PushBullet has provided for years, to do my work. The recent nerfing of ublock
origin has already had me feeling iffy on things. Behavior like this is simply
unacceptable. If you want people to use your services, you need to have some
way to communicate. Period. "If you use our tools, we can kill your livelihood
at any time for any reason and tough shit if you want a why" doesn't exactly
inspire, you know?

~~~
wlesieutre
Chrome is a trivially easy product to switch off of compared to other Google
properties like Gmail and YouTube. Have you tried Firefox recently?

~~~
jtxx
ProtonMail has come a long way as a replacement for Gmail as well. Suuuper
happy with them, they're really responsive to feature requests and support
inquiries. I requested for an iOS feature to choose browsers so I could open
all links from PM in Firefox. They had it implemented in a month or
something... it's a quick fix but that impressed me, hence me shilling here.
They recently added ProtonCalendar too.

~~~
bcrosby95
Switching email isn't nearly as friction-free as switching your browser. Not
only do you have to change your email in every service you've registered for,
you also need to convince your friends and other contacts to use the new
email.

~~~
RcouF1uZ4gsC
The most important change you can make for your email is to own your own
domain. Once you own your own domain, changing providers is much easier since
it is transparent to the people that email you.

Even if you decide to keep Gmail, you should switch your email to your own
domain.

~~~
cpascal
One worry about tying your identity to your own domain, is the security of
your identity (aka your domain) hinges on the security of your registrar. If a
bad actor can socially engineer their way into controlling your domain, your
entire identity is compromised.

Here's a blog post about this nightmare happening to someone:
[https://medium.com/@N/how-i-lost-my-50-000-twitter-username-...](https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd)

~~~
toohotatopic
So, which ones are the good registrars?

~~~
nucleardog
I generally trust the major cloud providers a bit more than the companies
focused on acting as a domain registrar.

The domain registrars are generally a race to the bottom and focused on "add-
on" sales as most people are shopping on price and that's going to reflect in
the overall quality of the things that most people don't really notice like,
y'know, security and validation.

You don't hear a lot of stories about Amazon/GCP/Azure handing over someone's
entire account based on a couple digits of a credit card number and it would
be a PR nightmare if they did (hell, look at the flak they catch just for the
data that people leave public on their services that ends up released...
imagine if they _handed_ it to someone). An active account with 2FA/etc
enabled and a secure recovery email is probably safe enough for most people.

Spend the extra couple bucks to register through one of those guys instead of
JimbosDiscountDomains.

~~~
mythrwy
So use Google or Microsoft to register your domain?

Doesn't that bring us back to the same potential problem though?

~~~
justinholt
I think the idea is to use their "enterprise", paid offerings as opposed to
relying on the "free" services that Google or Microsoft offer.

------
duncan_bayne
From a comment by Baeocystin:

"If you use our tools, we can kill your livelihood at any time for any reason
and tough shit if you want a why"

It has always been thus with proprietary tools and platforms.

Back in 2011 I switched careers from developing software on proprietary stacks
- at the time C# 4.0, Silverlight, and MS Windows - to developing on open
source stacks, starting with Ruby on Rails and JavaScript.

A short time after I switched away from Silverlight, I found a bug in the open
source XML library my team was using. I then submitted a PR to fix it, which
was merged (with some revision :)) after a few days. The experience was a
revelation after the combination of magic 8 ball and years-long wait times for
non-critical bug fixes on Visual Studio.

It looks like the younger generation is busy rediscovering the vulnerability
and helplessness of proprietary systems themselves.

------
dasm
As a daily Pushbullet user, thank you for posting this! It's maddening that
the best way to escalate a Google customer service issue is social media.

------
tobyhinloopen
We tried to create an android app and we never were able to get it submitted.
We never figured out why and just gave up.

I’ll never again try to create a business around an environment outside our
control. Both Google and Apple are complete black boxes.

------
pembrook
The lesson here:

Building a business off someone else’s platform is easier because it provides
a built-in distribution channel.

However, when you don’t own your distribution, it means your business can be
shut down by the decision of one person at X company.

It turns out, all decisions have trade-offs.

If you want to have a real business, don’t do the above, or only do the above
while getting started.

Developers hate having to deal with distribution. Platforms exploit this by
creating these fantasy worlds where developers don’t have to think about it.

This is a mirage. You have not created an “easier” business. You’ve simply
sold your soul to the devil.

------
dapids
The fact that this team realized so simply that they shouldn't be reading data
on every site the user visits while the extension is installed is deserving of
a vague response from google. Sad really.

------
grayfaced
I wonder if they got caught up in google removing "creepware" recently and
notification mirroring might count. "CreepRank algorithm can identify apps
with features that can be abused to extract SMS messages from a device, spoof
another user's identity in IM/SMS chats."

[https://www.zdnet.com/article/google-removed-813-creepware-a...](https://www.zdnet.com/article/google-removed-813-creepware-apps-from-the-android-play-store/)

------
brazzy
> clipboardRead

I bet that this is it. Clipboard data is _extremely_ sensitive, as it can
often contain passwords.

------
fsckboy
I went to look at what pushbullet does since I'm not familiar with it--in this
day and age, "bullet" is a fearsome term so I wanted to make sure that wasn't
the cause of google's alarm.

The personal information security concern I had is that it seems that
pushbullet shovels all sorts of data from Chrome to the pushbullet server and
then routes it to, pushbullet says, my other devices while respecting my
privacy. While I don't doubt that pushbullet is an honest broker of my data,
it's doing all this outside of google's purview. For somebody to spy on my
data, they wouldn't need to break into google's ecosystem, they'd just need to
break into pushbullet's.

I'm not disagreeing with all the other comments here about big bad google, I
already think they are bigger and badder than everybody else here does.

And I'm not at all sure that what I'm pointing out has anything to do with
google's motivation here (I liked the comment that said that this app is a
threat to their walled garden), I'm just pointing out my impression to try to
be helpful to OP in figuring this out.

------
danpalmer
As much as we can criticise Google's handling of this situation, the fact that
the developer was able to reduce permissions from accessing data on _all
websites_ down to _their website_, as well as tighten up a few other
permissions, shows that Google is correct that the extension is asking for
more than it needs.

I hope the developer finds another load of permissions they can tighten up,
resubmits, and is approved. As long as it results in permissions being more
correct this is a very positive thing for users because for every PushBullet
there's hundreds of attempts at malicious Chrome extensions that are abusing
permissions.

~~~
fgonzag
That's what you got out of it? Google doing a good job? They sent an email
with no guidance whatsoever.

These guys went above and beyond what most developers would've done, which
would have been to contact support until they get a clear answer.

This only alienates the extension ecosystem. And this was the primary reason I
switched to Firefox. Google is the new Microsoft. If I remember correctly,
they started Chrome exactly so this very thing wouldn't happen.

~~~
danpalmer
As mentioned, I think Google have handled it poorly, but their fundamental
position – that this extension is incorrectly using permissions – was
significantly correct and may prove to be fully correct.

Google deserve criticism for the lack of clarity in the communication, they
deserve criticism for the lack of human touch, customer support and many other
aspects.

They do not deserve criticism for calling out incorrect permissions usage and
forcing developers to do better.

~~~
munk-a
It's confusing because whatever system (whether human or automated) they're
using to flag permission issues has more precise detection abilities than they
chose to expose with a simple "Permission is too wide - fix it".

The fact that the extension has over broad permission asks isn't good but I
think saying their communication lacks clarity is underselling just how opaque
they were with their feedback. It also concerns me a bit because it looks like
their opaqueness might be an attempt at security via obscurity by trying to
cloak what the rules actually are - which is a generally bad approach to
trying to fight malevolent actors.

~~~
danpalmer
It's possible that the flagging has come from user submitted reports. In that
case if Google trust the reports (and they have enough data about users to
know if reports are likely to be genuine) then they don't necessarily need to
know any more details.

Alternatively it could be vague to restrict the possibility of bad actors
circumventing the letter of the rules without adhering to the spirit of them,
or even just protecting themselves from legal repercussions (perceived or
real).

~~~
munk-a
Your later point is the one that concerns me. Organizations like governments
have issues where the spirit of the law is valued over the letter due to
inertial restrictions over revising the law - when it comes to private
corporations the ability to restructure rules remains unless it's explicitly
surrendered. In these cases keeping the set of rules exposed to the public
(and even demoing changes) can allow revisions to those rules to increase
their accuracy.

And, when you get right down to it, any rule that isn't well structured will
be exploited by bad actors, people looking to roll out malicious browser
extensions have a strong motivation to try and discover those rules with a
high level of accuracy by testing them - only the good actors remain
uninformed.

------
Kikawala
I've been using Pushbullet in FF and on my iOS devices for years, but need to
find a replacement as the app was removed[1] from the App Store.

[1][https://www.reddit.com/r/PushBullet/comments/eirc1m/not_avai...](https://www.reddit.com/r/PushBullet/comments/eirc1m/not_available_on_ios/)

------
henearkr
Just remove access to [http://localhost](http://localhost). This is a huge
overreach in permissions, and honestly as a user I would feel violated by
that. I have shitloads of things that I can launch myself on localhost on
custom ports, and no-thank-you I do not need to open them to some app.

------
raybb
This is awful. I'm going to send GCP support a message with the small hope
that someone can flag it up to the right team.

~~~
snazz
GCP and the rest of Google are separated from each other similarly to how
YouTube and Google are separated. Unfortunately, the odds of that technique
working are very low.

~~~
raybb
Well they responded saying:

> Although I am sure that this is not the correct place to reach out, I have
> reached out to the Chrome privacy team to see if they can give us some
> advice for PushBullet.

Though I posted this before this article was on the front page of HN.

------
51Cards
LONG term Pushbullet user here, big proponent of their services. I use it on
Firefox myself so this doesn't affect me personally but still there are few
services I will strongly advocate for. Pushbullet is one of them. Google, if
you're listening this is going to make a lot of users very unhappy.

------
Cymen
I went through this on a side project and just let them kill off my public
listing for now. I had the same thought process in terms of what I could
change however my extension made use of InboxSDK and had access to GMail and
I'm still concerned it might not make it through review...

Anyone else using InboxSDK in a Chrome extension and didn't get killed off by
this change?

My extension hooks up the address book from a SaaS project (school information
system) to GMail so faculty/staff can quickly look up parent contact
information or send to special group email addresses that broadcast out to
part or all of the school. The people using it were very happy to have it but
I could conceivably go back to a private chrome extension if that is still
allowed.

------
tripzilch
This is just completely disingenuous from Google.

> - Request access to the narrowest permissions necessary to implement your
> product’s features or services.

> - If more than one permission could be used to implement a feature, you
> must request those with the least access to data or functionality.

> - Don't attempt to "future proof" your product by requesting a permission
> that might benefit services or features that have not yet been implemented.

My first thought was "oh it would be NICE if G actually enforced these". But
the truth is that they're not. One glance at the Android Play store, and it's
abundantly clear that Google is letting shitty apps request whatever
unnecessary permissions left and right.

Literally the top flash light app requires "full network access", GPS precise
and approx location, "view network connections" and "receive data from
internet".

It's complete bullshit, Google isn't policing these permissions at all, but
just using it as an arbitrarily enforced rule.

It's pretty clear what the incentives are. Android already has a flashlight,
but this one has ads, harvests and sells your data, and uses Google Play
Billing Service. Win for Google. On the other hand, there's PushBullet, which
gives users more control and this is key, _the option to use a platform that
is not controlled by Google_. It has nothing to do with user privacy.

And the whole nice thing about these permissions is that they are _granular_,
this means it should be trivial to point out which one is wrong or better and
why, like an error message. That is not "gaming the system", it's literally
what these permissions are for.

This is also _clearly_ not an automated scanning process that PushBullet
accidentally got hit by. Because it would have to have been a _very_ slow
running process, given the heaping amounts of trash in the Play Store. And
then it just happened to pick PushBullet instead of the Flashlight app that
has 50 times more downloads??

~~~
throw_m239339
It's classic google. Now that they are a monopoly, they don't have to compete
for developer's attention. That's why I will never give a cent to Google
Cloud, I know too well how it's going to end up if they ever become a major
force in the cloud, I'm not going to invest anything with them and strongly
suggest any business I work in to minimize their exposure to Google product.
They all end up the same way.

------
ThePowerOfFuet
> Once you have made these changes you may submit and publish a new draft in
> the Chrome Web Store Developer Dashboard.

> Your draft will then be reviewed for policy compliance. If the outcome of
> the review is successful, your existing store listing will get replaced by
> the approved draft. However, if the new draft fails to comply with our
> policies, both the draft and the existing store listing will be removed.
> Please note that the rectification window expires the moment a new draft is
> submitted. After this point, you will not be able to make iterative changes
> regardless of the days remaining in the warning period.

Holy fuck, that's insane. You get one shot; if you miss, game over.

------
inopinatus
Counterpoint: there is a team within Google that got it right at least once.
We have live import/export integration with Google Sheets and this requires
additional OAuth scopes. The request for justification they sent was polite,
specific about the scopes of concern (and why), and with no hard deadline. Our
response was handled politely and promptly.

I realise the GCP API team may not be dealing with as big of a swamp as a
consumer-facing apps group, but it was nevertheless one of those few occasions
when Google left me with an impression other than overwhelming hubris. It was
more like talking to AWS service teams, or Cisco TAC when you have a CCIE on
staff.

------
Too
I haven't used Pushbullet in depth but on first glance it doesn't seem like a
browser extension at all. It looks more like a standalone chat app _that
happens to be running in the browser_. It has nothing to do with enhancing the
browsing experience, except for a share-link feature?

Google might not want to make Chrome the browser into an OS.

If I were Google I would also be skeptical when such standalone apps want to
read my browser cookies or access my [http://localhost](http://localhost).
Actually I think cookies is the violating permission here.

------
moxylush
You are the victim of an algorithm. No people and no accountability, that's how
they roll.

------
tonystubblebine
I'd been in a similar issue on the Android store and found that the best
solution was to try to game whatever bot is flagging you. Support was
completely unable to provide clarity and getting escalated by internal Google
employees just led to more unhelpful emails from higher levels of support.

I was positive that I was in compliance but I could also see that a bot was
flagging something. So I kept tweaking code and resubmitting. Eventually what
worked was taking the offending code block and hiding it at the server level.

It's such a face palm. I literally call out to the server to run some logic
that should be completely safe to run in the app.

------
aws_ls
These folks also do the same thing for Adsense on sites. For a site, I am
running for a long time. 10+ years. And earned multiples of 100ks worth of
revenue from it.

They sent a vague email, regarding violation and suspended Ad serving. Never
ever had any issue before.

I can only suspect that their policies have changed because of the current
pandemic. But isn't it disingenuous, in that case. Similar to laying off an
employee, and cooking up a shady reason for it.

They will only make me kill the business, which in turn will stop payments
(reduce significantly) to AWS. Thereby enabling more slow down.

Very very unhappy with them.

------
imhoguy
2020 and our browser privacy handling is like MS-DOS.

Why the hell I can't disable all extensions when I enter my bank account or
insurance page? As far as I know Firefox containers are close but still no
fine grained control over extensions.

------
crazygringo
I understand that with many spam-related heuristics, a company like Google
chooses not to share exactly why a site or e-mail server is blacklisted --
because an actual spammer can evade that metric and still get away with
everything.

But I don't believe that thinking applies whatsoever to apps or extensions.
There are far fewer of them and parties need to work together. It's
unfathomable to me why Google doesn't point out which specific permissions a
reviewer has flagged as suspect, or given an option for the developer to give
the justification specific to each option.

------
crispyporkbites
A bit late to this thread but this is happening to my chrome extension right
now. No idea why, I have 10,000+ users and the chrome support team just keeps
emailing me the same statement with different items highlighted in bold,
saying it doesn't work and the description isn't accurate.

a) It does work

b) The description is accurate

I have no idea what they want me to do and I don't have time to try and guess.

I don't get paid for my extension, so I'm just going to redirect everyone to
the FireFox version now. The Chrome store will be poorer without it and that's
on them.

------
ajayyy
I have made an extension and am getting the exact same complaint whenever I
submit updates. Luckily, old versions are still up though.

Link:
[https://chrome.google.com/webstore/detail/mnjggcdmjocbbbhaep...](https://chrome.google.com/webstore/detail/mnjggcdmjocbbbhaepdhchncahnbgone)

It only has access to 2 domains, it doesn't have the tabs permission and it
uses optional permissions for everything else.

I think it is just an automated issue due to covid-19, and I guess I might
just have to wait until then.

------
komali2
> This may also result in the suspension of related Google services associated
> with your Google account.

Get all your emails off gmail ASAP, pushbullet developers. It may be more than
your extension that gets nuked.

------
aeyes
If Google doesn't want extensions to have a certain permission, why don't they
just kill it globally in Chrome?

And if some apps can have permission X but others can't, there should be clear
guidelines.

------
katzgrau
I have an app that was falsely flagged as malvertising by Google Ad Manager.
Also got a generic message with no insight into the specific problem.

It was only because I had a point of contact at Google with actual influence
that I was able to resolve the issue (and they did, miraculously). If you
don't know a human, Google's automated systems can more or less destroy your
app or business for Google product users, which is pretty much everybody. G is
a big, multi-headed beast. Not evil, but worse - indifferent.

------
consultSKI
Is that why universal cut & paste has been flakey? I am dropping all Google
stuff. They recently killed my Alexa Skill on Android (Samsung S9). With
everything google deleted or permissions denied on my phone, they still hijack
the word "contact." Try saying, "Alexa launch Contact Ski Man." Still works
with Alexa on iPhone, but how do you use a smartphone without back button? We
have reached the point where it is time to throw the baby out with the dirty
water. Say, "Hey FireFox!"

------
davesque
It seems like everyone in here suggesting a switch to Firefox is missing the
point. The Pushbullet team has already stated that having this Chrome
extension pulled might mean the end of Pushbullet. So I'm going to trust that
they know their own business well enough to make that statement.

I actually already use Firefox and their Firefox extension. But it won't
matter that I'm savvy enough to do this if losing enough users from having the
Chrome extension killed is enough to kill the larger business.

------
mehrdadn
My guess is 'cookies'. You really shouldn't need access to (say) the user's
Google cookies. I don't expect Google likes extensions doing that without good
reason.

------
saltedonion
I too have deGoogled as much as I can, but I’m hesitant to jump on the hate
wagon for this one.

Consider the counterfactual - what if google was highly specific about the
changes required? Clarifying the boundaries of what’s allowed is prone to abuse.
This is the same reason why the search algorithms are not explicitly
published, but only the spirit is explained.

I would say this is the best solution when there are no perfect solutions.

Perhaps the 14 day period could be longer, but that’s another point of
contention.

------
tony-allan
Similar story published around the same time as this one...
([https://news.ycombinator.com/item?id=23183742](https://news.ycombinator.com/item?id=23183742))
[https://joaoapps.com/join-chrome-extension-in-jeopardy-googl...](https://joaoapps.com/join-chrome-extension-in-jeopardy-google-wont-tell-me-why/)

------
ggm
Don't they call this a "marketplace"? If so, the Regulator is the FTC not the
FCC.

If they walk like a duck and call it a duck then talk to the duck hunting
authority?

------
SparklingCotton
I'm in exactly the same situation. It's impossible to know what they are after
and my extension has a fraction of the permissions that you have.

------
beders
It seems perfectly clear to me: Google doesn't want what pushbullet provides.
They are pulling an "Apple" on this one.

------
OJFord
I stopped using pushbullet because I realised its access made me a bit
uncomfortable, but had I had the 'So, can we cut any of these permissions?'
paragraph to read at the time, that may have reassured me. Nice to see it not
only being investigated (even if it took Google's vague threat to spur it on)
but positively so; seen as 'A big win!'.

------
pgrote
Is there a replacement for pushbullet?

Long time user of pushbullet since I like to be able to text from the desktop.
Google has released messages.google.com, which is a nightmare to use among
various desktops.

Microsoft released their Phone app, which disconnects so frequently it is
unusable.

I have no confidence Google will allow pushbullet back.

Is there a replacement that allows notifications and texts from the desktop?

------
tomaszs
Unfortunately this is a fancy new way of communication of tech corporations.
Facebook, Apple, Google. Name one.

Do please us sir. Three times you shall try.

I would not consider any company that takes that approach as a reliable
business partner.

Maybe it will be possible to please the platform this time. But this is a
strong hint the business should not depend on the Google extension platform.

Escape it while you can

------
ridewinter
As the developer of an exposure notification app put on ice by Apple-Google,
it's due time to take back the freedom of the internet that made it so
powerful in the beginning.

Is there anything happening around an all-web app phone? Seems like all the
pieces are there..like native functionality in JavaScript with certain
extensions.

------
Medicalidiot
I left Android for iOS because of this type of behavior. Google is fickle with
what its policies and goals are.

------
nojito
Good. It’s clear that pushbullet has never put thought into what permissions
it needs and just asked for everything

------
popup21
Chrome extension developers should start hosting them on Github.

I use a flavor of Chrome called Ungoogled Chrome
([https://ungoogled-software.github.io/](https://ungoogled-software.github.io/))
and the only way to install plugins is to manually install the CRX file.

------
deepender99
Well this is my favorite Extension, If Google kills it then how will users
get its pushbullet chat data back.

~~~
tiborsaas
What's more is that chat history is broken, I can't see tons of messages on
the web interface.

You can still access some on the web.

But your best option is to do a GDPR request to export all your data.

------
grwthckrmstr
Yikes! I've used PushBullet for several years and I can't imagine not
using it.

I can understand why Google is doing this though. They have a "Send to device"
feature in Chrome. Killing the top 3rd party app is the perfect way to grow
adoption of their new & in-built feature.

"Do no evil"

~~~
jerf
You know, at the _very least_ it would be nice to get something a bit more
direct, like, "We are no longer permitting extensions that do X on our
marketplace", or heck, even just a "We're permanently rejecting this for
unspecified reasons."

But if that's what you're doing, don't claim that the extension is being
rejected for "overbroad permissions". I understand that Google may not
literally come out and say "We've decided to eat your extension's
functionality and you can just burn." But don't _lie_ about why it's being
rejected... however much you may wrap the result up in marketingspeak, don't
actively _lie_ about the reason for rejection, so that someone can burn the
candle at both ends for two weeks futilely trying to appease the lying error
message.

As for the fact it may not look that great no matter how much marketing-speak
it gets wrapped up in for Google to just eat some functionality and kill all
competition... yeah, well, suck it up Google. Don't _lie_ about it. I mean,
you can always spin it as security security blah blah security if nothing
else, which ought to be enough of a fig leaf.

~~~
TheAdamAndChe
Outright admitting this may cause issues with antitrust laws.

------
vldr
I love pushbullet and I'm happy it works fine on firefox. And that's at least
partially the fix - install firefox, depend less on google chrome.

Hopefully that will give a signal to google that makes them cherish the
developers that create great functionality for them a bit more.

------
maartn
I think that reading all of a user's cookies from all websites is pretty
privacy invading...

~~~
qwertox
True, that was the way before they removed the "http(s)://*/*" permission.
That is a tremendous permission to ask for and would be a huge red flag in any
case.

Now they limited it to "*.pushbullet.com", but even then they don't need
that permission since "*.pushbullet.com" is a server controlled by them, so
they are free to set and read those cookies anyway.

The cookies permission is only needed if you want to read cookies from a
domain you don't own. The extension has no need to modify the cookies, and if
Pushbullet wants to set or change them, for example to set session cookies, it
can do so in a non-extension tab. The extension can then send those cookies in
their API request automatically without needing to access them.

------
mtnGoat
I know Google employees that have had their accounts on various Google
Services shutdown and they couldn't even get them back themselves. The place
is very siloed, something needs to give because these nightmare scenarios keep
happening over and over.

------
ajhurliman
I had a friend who went through a similar, onerous process with Google which
ended up killing his entire chrome extension (which had 400,000+ MAU). This
iron-fisted control of the extension marketplace is not becoming to Google.

------
elwell
I've had a Chrome extension removed from the store before, I suspect because
it conflicted with Google's business model. I would be very wary of building a
business on a foundation that another company controls.

------
Shorel
No Chrome, no Google search and no Gmail as default email here.

Hopefully, many others will follow.

------
boomboomsubban
Does chrome already offer features like PushBullet? Firefox somewhat does with
Pocket, so I assume chrome has something similar.

If they do offer something of the sort, or start to shortly, this seems like a
perfect antitrust case.

~~~
beastman82
Zero chance this will happen without a much bigger party involved

~~~
pkilgore
Under the Clayton Act, the Sherman Act, or both? Is this a legal realism
commentary on the comparative cost-benefit of civil antitrust litigation in
modern America?

Or are you just pretending you know things to feel good on the internet.

~~~
beastman82
I was going to respond in earnest, but then I read the second paragraph. If
you want a civil discussion you might hold the insults next time.

------
throw1234651234
I just want to take this opportunity to complain about trying to send a gmail
email from a service account, which required us to use G-Suite, and still
doesn't work because it can't generate a token.

------
dathinab
I'm always surprised that such an in-transparent behavior is even legal for the
operator of a custom marketplace (or whatever you call it).

(I think the same about Google Play, the iOS App Store etc.)

------
jimnotgym
Normally in a lucrative but restricted market there is a regulator or
ombudsman one can appeal to if one feels they have been unfairly pushed out.
App stores need regulators.

------
mgeyer
Wait can someone please simply explain to me what's going on here? I'm new to
this but I absolutely love it! and I paid for it too. Why do all good things
have to be taken away?

------
narrator
I can't wait till Google starts running contract tracing.

~~~
majewsky
Good news! They won't. They're only providing an API to give everyone who
needs to run contact tracing access to the Bluetooth Beacon system.

EDIT: /me wonders what "contract tracing" is going to be

------
therealmarv
Robots are in control here, follow their rules and get your accounts
permanently deleted if you don't understand the robots rules and mindset...

------
wprapido
Avoiding Google and looking into the alternatives is what took a significant
part of my working hours and spare time as of the last 2-3 years.

------
rergaerg
For one, I think this is good news. I work in a field that exposes me to a lot
of dubious ways to collect peoples data. Especially what they are doing in
their browser. You would not believe how many pieces of software you are using
daily that do this.

A lot of these are chrome extensions. If you are honest, then I do feel for
your situation. But, I am also happy to see that Google are finally stepping
this up and looking after their users by not exposing them to potentially
malicious services.

------
fourzs
When I was sixteen years I received the exact same email from Google, and was
then permanently banned from the chrome web store.

------
spajus
This is also why I will never publish to Android Play Store. Experience is
very similar, it constantly demands random changes.

------
eating555
Same thing happens on Google Play Store. They ask us to comply with the privacy
policy without giving us any guideline :(

------
squarepluto
They don't give shit about your 4.5 star rating. Your 4.5 star rating doesn't
mean you are the most private or most secure over there. Facebook got 4+
rating on all their apps with 1B+ users, that doesn't mean they need access to
those call logs, messages and everything on your phone. Keep your permission to
the minimum, for both security and privacy. Chrome team doesn't give shit
about people like you.

------
FpUser
Aside of youtube and search I am not using Google at all. And Chrome is on my
computer only for testing.

------
dnissley
This situation looks even worse considering Google runs a competing service
(Android messages for web)

------
madrox
Stuff like this makes me wonder why Chrome's security model allows things if
it can be scanned and deemed unsafe. Isn't it preferable to bake such
restrictions into the extension API if Google didn't want PushBullet to go
beyond it? Why does this need to be enforced by an app store?

------
Arcsech
This kind of thing just keeps. Coming. Up. from Google and between ML black
boxes making arbitrary judgements and random product shutdowns, a hard
requirement for any personal projects of mine is "no Google dependency",
because it might vanish at any time, with zero notice or recourse.

~~~
ernsheong
Far from arbitrary, Pushbullet is just wielding far too many permissions.

------
slaw
Don't work for free for Google. Don't write extensions for Chrome.

------
ezoe
Don't rely on Google to distribute the browser extension.

------
djyaz1200
Can anyone at Google even pretend they aren't evil any more?

~~~
kinkrtyavimoodh
So Google is evil for asking that an extension not request permissions it
doesn't need to use?

If this were Apple we would be celebrating how privacy-forward they were.

------
yawniek
I guess removing plaintext http and localhost should fix this.

~~~
Guzba
We never use plaintext http so that is a reasonable thing to remove for our
first-party domain (pushbullet.com).

We use localhost to communicate with our desktop application. An example is
preventing both our extension and desktop apps from showing notifications on
the same computer (our apps are all about notifications so this would get
unacceptable very fast). Maybe if we limit it to just the local port we use?
Seems like it can't hurt to try that too.

~~~
frei
You could try that. Long term, it should also be possible to route this
communication through the internet, or use the Chrome/Firefox/WebExtension
NativeMessaging API [0][1].

0. [https://developer.chrome.com/apps/nativeMessaging](https://developer.chrome.com/apps/nativeMessaging).

1. [https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/Web...](https://developer.mozilla.org/en-US/docs/Mozilla/Add-ons/WebExtensions/Native_messaging)
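
Added example, not part of any comment in this thread and not Pushbullet's code: a small audit of a Manifest V2 style `permissions` array that flags the points raised in the cookies subthread (maartn, qwertox) and in the localhost subthread above (yawniek, Guzba, frei). The two manifests are constructed from the match patterns quoted in the blog post; the rule names and the non-host permission entries are assumptions.

```javascript
'use strict';

// Constructed sample manifests (not Pushbullet's real manifest.json). The host
// patterns are the ones quoted from the blog post; the API permissions are assumed.
const BEFORE = {
  manifest_version: 2,
  permissions: ['cookies', 'notifications', 'tabs', 'https://*/*', 'http://*/*'],
};
const AFTER = {
  manifest_version: 2,
  permissions: ['cookies', 'notifications', 'https://*.pushbullet.com/*',
    'http://*.pushbullet.com/*', 'http://localhost/*'],
};

// Split a match pattern into scheme and host. Returns null for API permission
// names such as "cookies", which are not match patterns.
function parsePattern(p) {
  if (p === '<all_urls>') return { scheme: '*', host: '*' };
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)(\/.*)$/.exec(p);
  return m ? { scheme: m[1], host: m[2] } : null;
}

const isLocal = (host) => /^(localhost|127\.0\.0\.1)(:|$)/.test(host);

// Hypothetical rule set: one finding per risky host pattern, plus one finding
// describing how far the "cookies" permission reaches.
function auditPermissions(manifest) {
  const findings = [];
  const perms = manifest.permissions || [];
  const hostPatterns = perms.filter((p) => parsePattern(p) !== null);

  for (const pattern of hostPatterns) {
    const { scheme, host } = parsePattern(pattern);
    if (host === '*') {
      findings.push({ rule: 'broad-host', pattern,
        why: 'grants access to data on every site' });
    } else if (isLocal(host)) {
      findings.push({ rule: 'localhost', pattern,
        why: 'talks to a local web server; native messaging is the alternative raised in the thread' });
    } else if (scheme === 'http' || scheme === '*') {
      findings.push({ rule: 'plaintext-http', pattern,
        why: 'covers unencrypted http:// pages' });
    }
  }

  // chrome.cookies only reaches hosts the extension also holds host permissions
  // for, so the blast radius of "cookies" is the set of host patterns.
  if (perms.includes('cookies')) {
    const everywhere = hostPatterns.some((p) => parsePattern(p).host === '*');
    findings.push({
      rule: everywhere ? 'cookies-all-sites' : 'cookies-scoped',
      pattern: 'cookies',
      why: everywhere
        ? 'can read cookies for every site the user visits'
        : `cookie access limited to: ${hostPatterns.join(', ')}`,
    });
  }
  return findings;
}

// Convenience accessor: just the rule ids, in the order they were found.
const rules = (manifest) => auditPermissions(manifest).map((f) => f.rule);

for (const [name, manifest] of [['before', BEFORE], ['after', AFTER]]) {
  console.log(name);
  for (const f of auditPermissions(manifest)) {
    console.log(`  [${f.rule}] ${f.pattern}: ${f.why}`);
  }
}
```
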

------
scoot_718
Doesn't matter. Chrome has become unusable anyway.

------
max___
How about removing the permissions for HTTP and keeping the HTTPS permissions?
If the problem is "User Privacy Safety" as the rejection suggests, this seems
to be the obvious choice.

------
_rrnv
Funny, very funny. Not your keys, not your coins. Not your store, not your
clients. Not your playground, not your rules. etc. etc. I sympathise, but
discourage cooperating with Google.

------
metreo
The hypocrisy is tangible and bitter sweet.

------
binaryfour
This literally just happened to me today...

------
typenil
Another reason to use Firefox.

------
lihaciudaniel
I'm not a very big fan of Push Bullet, what utility do they make? become more
distracted?

------
stevage
Why does it require http?

------
softwarejosh
even mozilla is terrible in this regard, it's a loser's game.

------
renewiltord
This is sad but they're just responding to market hysteria on permissions.

~~~
danShumway
> but they're just responding to market hysteria on permissions.

And responding poorly.

What the market wants is for companies to lay out understandable policies that
protect their privacy. People I know want more clarity about what's happening
in the extension store and on their devices, not less.

As a consumer, it doesn't make me feel any better for Google to say in vague
terms, "we booted off an app that doesn't respect your privacy." Okay, what
was it doing? Are there other apps I should be concerned about? How bad did
the app need to get before you booted it off? Are there exceptions to these
standards? Are they being applied to internal apps as well?

My feeling is that Google's inability to communicate with developers and users
is its own problem; it's not the market's fault. Tech companies in general
have had difficulty with customer support for a while, even before the media
started picking up on privacy issues. Nothing has really changed, Google just
happens to be notably bad at this.

------
metreo
Ahh the hypocrisy

------
BFatts
It says, in the email provided, exactly what must be done: Change the required
permissions - your scope is too broad.

------
kishansagathiya
This dude has written crappy, inefficient code and is now complaining for it.
If just permissions are so inefficiently written one can only imagine, what
would be the state of rest of the codebase. Badly written apps can also
generate traction. Users don't see the code quality. They rarely know the
first thing about privacy and security.

It's not Google's job to teach someone how to write good code. Good
compiler can tell you what is the error, it won't pop out a solution as well.

