
Google to developers: We take down your extension because we can - KwanEsq
https://palant.de/2018/07/03/google-to-developers-we-take-down-your-extension-because-we-can
======
tomatotomato37
In another thread[1] on HN today there was discussion over developers selling
out their web extensions to marketing corporations which end up filling them
with tracking scripts and malware. Someone suggested that Google should be
much more aggressive at filtering out said extensions, and one of the
responses was a sarcastic comment over a future article about Google attacking
extension developers and the free web.

And less than 24 hours later, here we are.

[1]
[https://news.ycombinator.com/item?id=17447816](https://news.ycombinator.com/item?id=17447816)

~~~
nixpulvis
The problem isn't that an extension was removed. There will always be
erroneous attempts at making things safer for users when playing the game of
content moderator. The problem is that Google is impossible to talk to, and
makes no effort to help when things go wrong. As a current user of Gmail this
worries me.

~~~
Waterluvian
This petrifies me. Google provides an incredibly easy way for me to capture
all data that I care about. Getting photos and videos of my kids growing up
and keeping them for years is trivial with Google.

And in one little error it can all disappear with no recourse.

I continue to struggle today to find a silver bullet solution for someone like
me who just wants to hurl money somewhere and say, "use this money to
guarantee that my cherished photos and videos will be here in 30 years"

Second to that is getting locked out of my Gmail. I'd consider that more
irritating than losing my wallet.

~~~
singularity2001
> find a silver bullet solution

switch to apple

~~~
akavel
Yeah, sure, with the stories of Apple deleting songs from your _local machine_
because they were deleted from your cloud account because DRM or whatever, and
IIRC even deleting some random photos because some bug (but w.r.t. photos I'm
not sure if I recall this correctly, or just spreading FUD here.) Or was this
Amazon with Kindle and with ebooks? Apple was sure reported as deleting high
quality mp3s from your disk because they have mp3s of the same songs in poorer
quality as their deduplication reference files on their cloud.

------
gnicholas
Same thing happened to me [1], with a slightly different rationale for pulling
the extension.

This happened despite tens of thousands of users, years of good reviews, and
an extension so useful that Google's own accessibility team demos it at
conferences.

I was only able to get the situation sorted because I know people who work at
Google on the Chrome team. Even with all this, it took weeks to get the
previous version restored, and after that weeks more before we could push an
update without having it get automatically rejected.

The only "good" news is they didn't uninstall our existing user base.

1: [https://medium.com/@BeeLineReader/google-yanked-my-chrome-extension-this-sunday-d9c481e285cb](https://medium.com/@BeeLineReader/google-yanked-my-chrome-extension-this-sunday-d9c481e285cb)

~~~
euske
Hey, it's off topic, but I just learned about your product and sent a link of
the product page (beelinereader.com/individual) to my colleagues - only to
find out that my email was filtered as spam by FortiMail! Apparently, the
offending text was that URL. Maybe it's somehow related? Was this product site
previously infested by malware or something?

~~~
gnicholas
Wow, thanks for letting me know. We have never had any malware, though our
inline install of Chrome/Firefox extensions has been flagged by Avast at times
(despite our attempts to get whitelisted). Neither our website nor our tools
have ever done anything even vaguely shady — we don't gather user-level
browsing data or anything else like that, so it's a big bummer when we get
flagged like this.

Do you know if there's a way that your company can report this as an
inappropriate block to FortiMail? I will try to reach out to them also, but my
guess is they'll be more receptive to a customer request than to one of their
blacklisted websites!

BTW, we're not publicizing this, but right now we're testing out a "BeeLine
Advocate" program. Basically, if you install the extension and complete the
free trial (2 wks), you'll be invited to get free access to our Pro tier in
exchange for filling out periodic surveys.

We've just opened up this program, and it'll probably be open to new users for
3 weeks or so. Thought I'd share with the community here, since HNers are
great for feedback (as you've just shown with your comment!).

~~~
euske
> Do you know if there's a way that your company can report this as an
> inappropriate block to FortiMail?

Our corporate email is outsourced to another company, where they apparently
use FortiMail as a packaged solution. So I don't think it's very likely that
they'll listen to me - but I'll try anyway. Good luck with the new campaign!

------
CryoLogic
They somehow have the manpower to ban your extension in 2 hours and 30
minutes without an explanation as to why, but then when I get a fake copyright
claim on my most popular YouTube video somehow it takes three months, 12
emails and I still don't get the ~$900 lost revenue back.

~~~
segmondy
They optimize for their own profit, not yours. ;)

~~~
ozim
Cannot upvote this enough. People complaining about such things think that
"customer is always right" where reality is "customer is always right if he
pays enough for us to care". Have some reality check.

Every company does what is in their best interest not particular customer.

------
roadbeats
They took down my bookmarking extension with no notice, and replied to none of
my e-mails. Although @GoogleChrome gives support on Twitter, they completely
ignored my tweets and also some users' tweets. We had a good description, many
screenshots and a screencast, our extension is even open source
([https://github.com/kozmos/browser-extensions](https://github.com/kozmos/browser-extensions)).

I don't even know the reason why they took it down.

I just had to re-publish my extension:
[https://chrome.google.com/webstore/detail/daababmdfacmmkokdf...](https://chrome.google.com/webstore/detail/daababmdfacmmkokdfikciemmddhpche/publish-accepted?authuser=0&hl=en)

Tweets from users:
[https://twitter.com/JesMullins/status/1014085292133888002](https://twitter.com/JesMullins/status/1014085292133888002)

Tweets I sent:
[https://twitter.com/getkozmos/status/1013511183519879168](https://twitter.com/getkozmos/status/1013511183519879168)

~~~
yani
Google is terrible at support. I had to wait 2 months to get my OAuth
application reviewed. I had to write an email in all capitals to get their
attention.

------
davidmurdoch
Back when Facebook didn't support linked hashtags I made an extension that
removed them from posts on facebook.com (they just annoyed me). It still
worked perfectly even after Facebook added native support.

It was active for many years with great reviews and a few hundred users.

Google pulled it early this year because Facebook asked them to... They
claimed it violated copyright. There was no option to appeal.

Not trying to make a point here. Just offering another anecdote.

~~~
pure-awesome
Nice. If I had known about this extension I might have used it.

When people started hashtagging on FB, I thought it was the stupidest thing.
Then, when FB made it a feature, I just had to shrug and go "I guess the
hashtaggers are the ones in the right, now..."

------
geza
Happened to my own extension this week too (
[https://habitlab.stanford.edu](https://habitlab.stanford.edu) ), except
without warning - especially frustrating since I've been developing it for
nearly 2 years and Chrome no longer allows users to easily install anything
from sources other than their Chrome store. May end up having to port it to
Firefox, except there are so many inconsistencies in CSS and WebExtensions
between the browsers it would take a month or more. It's quite frustrating how
these walled gardens can easily destroy years of work at someone's whim.

------
foobarbazetc
Meanwhile there’s an extension on there with our company name and logo (both
trademarked) that might be stealing people's data and Google have done nothing
about it after _many_ submissions of their trademark infringement form.

~~~
vageli
Thank goodness that Google is not a court of law and you can engage the legal
system for restitution. I mean, wouldn't you want to go that route anyway
given the potential damage to your brand by a third-party abusing your
trademark? Would pulling the extension undo all the harm the infringement
caused you?

~~~
palant
Given that these copycat extensions usually aren't giving you a way to find
their creator - good luck with the legal system. And even if you can find
them, what will you do about them if they are located somewhere in China? The
legal route is only good enough to force Google into removing infringing
extensions. For you, it means more effort and money wasted. And these
malicious extensions get more time to catch unsuspecting users. Of course,
after being taken down they will immediately resubmit their extension and you
start from scratch. All while Google has a way to report such cases but won't
act on the reports.

------
sickmate
I'd guess that the warning period was set to 168 minutes (2hrs 48 minutes)
instead of 168 hours (7 days).

------
bitL
Isn't that extension going straight against Google's ability to track what
users are clicking on, i.e. against their core business? Maybe the warning
wording is cumbersome or opaque, but what would the author expect? Company not
protecting their turf? The only surprising thing is that they did it in this
unimaginative hidden fashion, not fitting their friendly progressive image.

~~~
threeseed
The surprising thing is that they let the extension exist for so long.

Google makes most of their money from ads. If you interfere with that then of
course you'll be in trouble.

~~~
mort96
Then why are there still ad blocking extensions? Wouldn't uBlock Origin
interfere way more than this extension?

~~~
bitL
Maybe it's the next hidden step and this one was just testing the waters for
the level of public outcry?

------
Boulth
It's interesting to observe current landscape of app delivery, previously it
was just binaries or sources on developer's site now it's shifting to
centralized model in the name of protecting users from malicious actors. I
wonder if there is a way to have a cookie (developers don't need to worry
about random behavior of your centralized owner) and eat it too (fight
malware).

~~~
seangrogg
In this case the centralized owner is the Chrome Web Store; you're leasing
space in their list of offerings at their terms, for better or worse. It's
worth noting that the Chrome Web Store is just an easy (and highly visible, of
course) way of installing extensions but not the only one; developer mode and
self-installing is totally possible (though admittedly higher friction).

Protecting users from malicious actors serves in the best interests of the
Chrome Web Store, certainly, but there's nothing stopping users from running
their own security software.

In a more ideal world a developer would distribute an extension from their own
platform and the user would run a security check against it (and all future
versions). Until we get to that world, though, a store that is focused on
integrity of security and expresses its right to remove things that don't fit
its model is convenient.

~~~
dannyw
Self-installation is disabled on Windows. And Developer Mode pops up constant
nag warnings to users, asking if they want to disable the plugin.

------
rasz
I'm a bit confused:

- [https://chrome.google.com/webstore/detail/google-search-link-fix/cekfddagaicikmgoheekchngpadahmlf](https://chrome.google.com/webstore/detail/google-search-link-fix/cekfddagaicikmgoheekchngpadahmlf) is still in the store

- it IS missing the picture

~~~
palant
Oh, that's nice - it was restored without giving me any kind of notification.
Developer Dashboard says that the screenshot is there, not sure why it doesn't
show.

_Edit_: Got a mail now, supposedly the issue here was an internal
miscommunication resulting in a rejection. So all is good again and all I have
to do is resubmit that screenshot.

------
userbinator
I've never really been a fan of the whole "browser extensions" thing, with
perhaps the exception of UI mods, and things like this only serve to reinforce
that notion. I prefer to use a MITM filtering proxy, which works in all
browsers and is independent of, so isn't beholden to, the authoritarian
institutions which control them. Incidentally I also have a filter which does
the same thing as his extension, and I probably added it the same day Google
decided to mess with those links.

~~~
Godel_unicode
Good luck with that once HSTS, cert pinning, and TLS 1.3 become more common.

~~~
jwilk
MiTM proxying TLS 1.3 connections works just fine.

Browsers ignore cert pinning when the CA certificate was manually installed,
so this is not a problem either.

I have no idea what HSTS is doing on your list.

~~~
Godel_unicode
> I have no idea what HSTS is doing on your list.

[https://moxie.org/software/sslstrip/](https://moxie.org/software/sslstrip/)

~~~
jwilk
We're talking about voluntarily installed proxy. Why would anyone want to
mount an HTTPS stripping attack against themselves?

------
edoceo
I almost lost a Google account because the Android App I uploaded was in
violation of their Terms. I had to work a few emails/calls with Google to
demonstrate it wasn't a violation, but it was a very close call.

------
subsubsub
Someone should set up a website listing plugins banned by Google for reasons
that fall in a gray area or for reasons that are just outright indefensible.
Banning extensions in this manner is a signal of value to the end user. Could
also list extensions available on Firefox but not Chrome.

Something similar to hiddenfromgoogle.com but for extensions (doesn't appear
to work anymore) [1]

[1]
[https://www.bbc.com/news/technology-28311217](https://www.bbc.com/news/technology-28311217)

~~~
vackosar
Also create a third-party store focused on FOSS. Something like F-Droid.

------
ikeboy
I've had similar stories, accounts banned, extensions denied because they
didn't understand what it did, one was denied because it had minified code,
the review process could use more work.

~~~
ghazak
It’s a tough situation, because the amount of access that these extensions
have to users’ actions can be extreme. Malware is a much greater concern than,
say, the AppStore, as access to sensitive information is far less controlled.

~~~
Jacq5
Agreed. Until extensions as itself get some guidelines - it needs to be
inspected closely.

------
crobertsbmw
I had similar problems with an extension that I am developing. They threatened
to take it down because it didn't have a privacy policy attached, although
their developer guidelines state that you only need a privacy policy if you
collect personal or sensitive user data, which I am not. It took me several
resubmissions (each time I was scared I would be banned from all google
products), before they finally approved my extension. The clincher was that my
extension was marked as unlisted the whole time; it wasn't even open to the
public.

------
internet_user
another StallmanWasRight moment?

~~~
fwdpropaganda
Yes. And because of that I cannot empathise with this developer.

It's no longer a case of "don't put your time into a closed ecosystem, for
your own sake", but "you have the moral duty not to contribute to a closed
ecosystem, for everyone's sake".

The developer was doing something immoral and something bad happened to him.
It's karma, Kramer.

------
jlpom
A similar situation happened to the uBlock Origin maintainer:
[https://twitter.com/gorhill/status/997206089132400641?s=09](https://twitter.com/gorhill/status/997206089132400641?s=09)
[https://twitter.com/gorhill/status/997162260199075840?s=09](https://twitter.com/gorhill/status/997162260199075840?s=09)

------
actionowl
Side rant: I have an extension which has been published for about 6 years now.
They've broken the extension several times due to removing or changing the
APIs. I have a couple of bad reviews due to having to remove features from the
app because they removed functionality or APIs. The past couple of years
things have been more stable, but still, it's been painful.

------
asserttrue
My google apps account is being shut down the same way. Apparently using it
every day doesn’t constitute activity for 365 days...

------
kevingadd
A fun related issue with the Chrome Web Store is that you can submit random
gibberish to their DMCA takedown form and they'll pull an extension down
anyway. Then they take upwards of 4 weeks to process counter-notices and
refuse to fulfill their obligation to provide the identity of the reporter so
you can sue them.

------
lgats
I had an extension, NoBing, which redirected Bing searches to Google. Removed
due to copyright, so I rebranded it as "Bongle"; removed again due to copyright
despite no mention of Bing. Gave up.

------
csomar
> I guess, Mountain View must be moving at extreme speeds, which is why time
> goes by way faster over there — relativity theory in action.

The other way around. The OP must be the one moving at extreme speeds.

~~~
palant
If you remember special relativity theory, it's the same thing - merely
depends on your point of view. From my point of view, Mountain View is moving.
But if you are a Google employee, then I must be moving of course.

------
guscost
What does the user story look like for installing a Chrome app locally? Do you
need to go through tons of menus or is it just dev mode + easy/scriptable
setup process?

~~~
sbr464
For Chromebooks? I thought Google was deprecating chrome apps.

~~~
guscost
I’m way out of the loop then, I guess. Back in my day you could move code
files around your computer’s file system, and even run them with interpreters.

------
edhelas
It's funny because my app just got removed from the Play Store for similar
(weird) reasons
[https://twitter.com/edhelas/status/1014265845940441088](https://twitter.com/edhelas/status/1014265845940441088).

Basically I'm also providing a link to F-Droid on the home screen. The app is
blocked and I can only resubmit a new one…

------
norswap
How to get tech support from Google: get a lot of upvotes on HN. Sad.

------
justinzollars
It's their sandbox.

~~~
snarfybarfy
but, but, they are NOT evil, are they?

------
joshschreuder
My extension, which was just a script block and some CSS tweaks, was banned as
it was a paywall bypass for a popular news site in Australia.

Fair enough according to their policy but I couldn’t help feeling disappointed
when I got the email as the extension was quite popular at the time.

~~~
dannyw
Adblock: OK.

Paywall bypass: Not OK.

Hmm...

~~~
joshschreuder
Yeah I know right?

The reason given was:

> We don't allow products or services that facilitate unauthorized access to
> content on websites that circumvents paywalls.

The functionality from the extension was roughly possible with a set of
adblock rules anyway, I just packaged it up for the less technically inclined.

------
dvfjsdhgfv
I'm very curious to see how this plays out. Obviously, the reason for banning
the extension is that it prevents Google from tracking our clicks (I'm
surprised it took them so long!) But they can't clearly spell out the reason
as it would make them look bad, so they just used some template and try to
sweep it under the carpet. Now that it's on HN it's no longer so easy to
ignore, so I'm really curious to see what happens next.

~~~
duskwuff
There's a much more obvious reason: the OP's extension presumably requested
permissions to inject scripts to google.com. This is a very common pattern for
malicious extensions, which can use that permission to hijack the user's
Google session, or to inject third-party ads into Google search result pages.
Coupled with the lack of information on the extension page, it looked risky.
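
The host-access pattern described in the comment above can be read straight out of an extension's `manifest.json`. The following is an added example, not part of the thread or of any extension mentioned in it; the function names are hypothetical and the sample manifest is constructed. It lists every manifest entry that grants script access to a given site over HTTPS:

```javascript
// Added example: audit a WebExtension manifest for host access to one site.
// Function names are hypothetical; SAMPLE_MANIFEST is constructed for illustration.

// True if a match pattern (or "<all_urls>") covers https://<host>/...
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|wss?|file|ftp):\/\/([^\/]*)(\/.*)$/.exec(pattern);
  if (!m) return false;                 // API permission such as "tabs", or malformed
  const scheme = m[1];
  const patHost = m[2].toLowerCase();
  if (scheme !== "*" && scheme !== "https") return false;
  if (patHost === "*") return true;     // any host
  if (patHost.startsWith("*.")) {       // "*.example.com" covers the domain and subdomains
    const base = patHost.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return patHost === host;
}

// Collect every manifest entry that grants access to `host`.
// declaredInjection=true means a content script is injected automatically;
// false means the extension holds (or may request) permission to inject on demand.
function auditManifest(manifest, host) {
  const target = host.toLowerCase();
  const findings = [];
  const check = (source, patterns, declaredInjection) => {
    for (const p of patterns || []) {
      if (typeof p === "string" && patternCoversHost(p, target)) {
        findings.push({ source, pattern: p, declaredInjection });
      }
    }
  };
  check("permissions", manifest.permissions, false);            // Manifest V2 host access
  check("optional_permissions", manifest.optional_permissions, false);
  check("host_permissions", manifest.host_permissions, false);  // Manifest V3 host access
  (manifest.content_scripts || []).forEach((cs, i) =>
    check("content_scripts[" + i + "]", cs.matches, true));
  return findings;
}

// Constructed sample manifest (not taken from any real extension).
const SAMPLE_MANIFEST = {
  manifest_version: 2,
  name: "constructed sample",
  permissions: ["storage", "*://*.google.com/*"],
  content_scripts: [
    { matches: ["https://www.google.com/search*", "https://example.org/*"], js: ["fix.js"] }
  ]
};

for (const f of auditManifest(SAMPLE_MANIFEST, "www.google.com")) {
  console.log(f.source + ": " + f.pattern +
    (f.declaredInjection ? " (content script)" : " (host permission)"));
}
```

A finding is not proof of malice: a legitimate extension that modifies search result pages needs the same access, which is why the scope of the pattern and the extension's description both matter to a reviewer.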

~~~
dvfjsdhgfv
If it's really so, and it's just an "AI mistake", let's see how quickly Google
discovers it and apologizes to the author.

------
stephengillie
> _Anyway, dear users of my Google search link fix extension. If you happen to
> use Google Chrome, I sincerely recommend switching to Mozilla Firefox. No,
> not only because of this simple extension of course. But Addons.Mozilla.Org
> policies happen to be enforced in a transparent way, and appealing is always
> possible. Mozilla also has a good track record of keeping out malicious
> extensions, something that cannot be said about Chrome Web Store (a recent
> example)._

It's interesting to hear this, when Firefox Mobile keeps uninstalling uMatrix
and uBlock Origin, while these keep running on Chrome without issue.

~~~
pitaj
Are you saying that Firefox mobile has uninstalled add-ons from your browser
multiple times?

I've been running Nightly mobile for more than a year and never had that
happen. It sounds like a very strange bug, maybe it had something to do with
Sync?

~~~
stephengillie
> _Are you saying that Firefox mobile has uninstalled add-ons from your
> browser multiple times?_

Yes. Checked while posting this, and they're uninstalled again.

~~~
ripdog
Try wiping Firefox's app data. Sounds like a corrupt profile to me.

