I publish a few extensions and have been contacted multiple times by companies asking to buy them for several thousand dollars. They told me the going rate was 0.20 USD per user. You can imagine what kind of deals are being made when the extension has a million plus users.
When pushed for exactly why they wanted to buy the extensions, which are in no way monetizable, they gave vague answers about "user insights". I can guarantee there will be many other major extensions that have sold out their users.
Luckily enough, the source code was still on GitHub, and I managed to fork it and improve that version into "Tab Manager Plus".
Since then I've refurbished around 10 extensions and published a few of my own. It's fun, just annoying that malicious extensions aren't getting taken down fast enough, since I suppose not enough people report them.
How to report malicious extensions is also sometimes unclear. Some people think they have to install them first; that's only true for ratings, not reports. For example, to report the extension from this blog post you just have to submit this form.
For other malicious extensions simply replace the extension id in that link.
 Tab Manager Plus - https://chrome.google.com/webstore/detail/tab-manager-plus-f...
 Report extension - https://chrome.google.com/webstore/report/fjnbnpbmkenffdnngj...
I've not received my own updates for weeks a few times because I haven't noticed the warning, and about a third of our users are on ancient versions, presumably because of it.
I think the real solution to this problem is GDPR: massive fines if you abuse your users' trust (and get caught).
I'm not keen on the literal dark pattern that Firefox uses to dissuade developers from requiring new permissions.
If url, div, cookies and any other info are collected, what are they?
What server connections are made by the extension, IP, Name, contents of info transmitted?
All the GUI, collection system should be in place as part of JS dev/debug tools already. Just customize it a bit so any tech-savvy users can check the audit logs and enable more logging for a plugin if needed.
If a user spots something not right, it is also easy to out the "plugin/extension" on a public forum.
> Chrome prompts the user if adding the permissions results in different warning messages than the user has already seen and accepted.
If you want more permissions, then ask for more permissions.
And don't be surprised when people say NO.
Not everyone wants to grant the permissions to your update even if the update fixes bugs in older versions. Not everyone will want your new feature in the first place. Denying permissions is an easy way to eliminate the risk of having to go through and figure out whether or not the new feature is trustworthy.
And if you're not adding a new feature, then why do you need more permissions?
I agree with you. As another reply to you states, however, Firefox doesn't currently let me ask. You have to kind of go hunting for it.
> And if you're not adding a new feature, then why do you need more permissions?
Firefox does not let me explain why the permissions are needed. It would be nice if we could have a little blurb where we can state our case next to each permission.
Our current approach is to explain likely upcoming permissions requests in advance and ask our users to stay vigilant for the appearance of the tiny yellow exclamation mark, but that's not very helpful to the third of users stuck on old versions before we learnt that trick.
> And don't be surprised when people say NO.
I think very few of these users have said no on purpose. We ask for (and use) almost everything, so any marginal new permissions are unlikely to give us much more power. The current permission model actually makes it tempting to just literally ask for everything because we might want it for a new feature in the future.
The optional permissions are not fine-grained enough to be useful (you can accept all optional permissions, or none) and not available for enough permissions, otherwise we would use them.
Also, the first versions of our software were really slow and bad. I really doubt many people are staying there on purpose. (If there are any Tridactyl users in this thread using an old version on purpose, I'd like to hear from you :) ).
How much more time can I reasonably be expected to donate? Just trying to find duplicates on the BMO could take ages.
Complaining into the void on the internet takes much less time and makes me feel better :)
A better approach would be to allow extension upgrades, irrespective of permissions. If a user chooses to deny permissions the extension should still work on the latest version.
The extension has a backend API and web service which is required for the extension to work, not once has a buyer asked about acquiring that. They only want the extension and literally have no understanding of how it works or what it does. Their intent is obvious.
One sneaky way to get back at them is to send a bunch of fake “poison” requests with fake data back at these guys. It probably won't hurt them but if enough people do it, it might make their data worse and make their operation unprofitable.
In my experience anonymization is hit or miss, but ostensibly always in place.
Installed and will be using both. Please don't steal my data!