Oct 10, 2019 9:09 AM PT
Android Intelligence Advice

A Chrome security setting you shouldn't overlook

One of Chrome's most important options is out of sight and all too easy to miss.

We spend tons o' time talking about Android security settings — like the added Android 10 option to limit how and when apps are able to access your location. Often lost in the shuffle, though, is the fact that the Chrome desktop browser has some significant security options of its own, and they're just as critical to consider.

In fact, Chrome has an easily overlooked setting that's somewhat similar to that new location control feature in Android. It's attached to every Chrome extension you install, as of not that long ago, and it lets you decide exactly when an extension should be able to see what you're doing on the web and be made privy to all the details (yes, even those details) of your browsing activity.

Suffice it to say, the setting's incredibly important. And if you're anything like me, you might find a few eyebrow-raising surprises when you take the time to look into it.

So don't wait any longer: Here's how to see precisely how much of your web browsing data different Chrome extensions are accessing — and then to take back control so they're shown only what's genuinely needed.

Four steps to smarter Chrome security

All right, first step: Type chrome:extensions into your browser's address bar, then one by one, click the Details box for every extension listed on the page.

That'll pull up each extension's full information rundown. And that brings us to our second step: On each extension's page, look for a line labeled "Site access." With some extensions, you'll simply see text saying "This extension has no additional site access" — meaning the extension isn't ever able to see what you're doing as you browse this wobbly, wacky web of ours. Easy enough. Move on.

But with other extensions, you'll see one of three levels of access listed:

  • On click — meaning the extension is able to see and alter what's in your browser only when you actively click it (and then only for the site that's currently open in that specific tab)
  • On specific sites — meaning the extension is able to see and alter what's in your browser only when you're on the specific site or sites listed here
  • On all sites — meaning the extension can always see and alter what's in your browser, all the time, without any restrictions

Now, depending on what an extension is supposed to do, it may or may not legitimately need access to see and change your browsing data on any of those levels. An ad-blocking or script-blocking extension, for instance, clearly needs to be able to see and alter every page you open if it's gonna detect and then block certain types of content for you.

But realistically, the vast majority of extensions don't need that much access. If anything, they need to see what you're browsing either only on a specific URL or only when you actively click 'em to activate their function. And yet, quite a few Chrome extensions request unlimited ongoing access to your web browsing data — more than a third of all extensions, according to an analysis conducted earlier this year — and when looking through my own list of installed Chrome extensions, I found some pretty perplexing examples.

For instance: The official Save to Pocket extension, whose entire purpose is to save an article to my Pocket account for later reading whenever I click its icon, gives itself access to read my data on all websites, all the time. Let me repeat: The extension's only actual function is to save an article when I click its icon. There is absolutely no reason the software needs to be able to see and access everything I'm doing on every web page, all of the time. And yet — well:

No bueno.

Another one that caught me off-guard: the official Authy Chrome extension (discontinued at some point after I wrote this article), which exists solely as a shortcut to open the full Authy app for two-factor authentication code management. This thing has no business knowing what I'm doing on the web at any given moment. And yet — here we go again...

That's where step three comes into play: When you come across an extension like that — and when you've thought it through carefully and concluded that lowering the access level won't affect any legitimate function the software needs in order to operate — adjust its permissions by clicking one of the lower-access options in that same area.

Here's the catch: You may run into some instances where an extension will fail to work without the level of access it initially requires. With Pocket, for instance, I changed the extension to be able to access my site data only when I click its icon — which should, in theory, be all the thing needs to perform its limited job — and now, whenever I click its icon, I get an error informing me the page I'm viewing can't be saved. That means I'll have to decide whether to keep using the extension despite this apparent overreach or to ditch it entirely and replace it with an alternate solution (like the service's simple bookmarklet that accomplishes basically the same thing without asking for any access to my web browsing data).

With most extensions, though, you shouldn't see any difference in how things work after decreasing their permissions in a sensible manner. With Authy, I changed the extension to be able to access my site data only when I'm on the website authy.com (because, curiously enough, there's no way to disable the permission entirely, so that seemed like the best way to effectively remove it). And then I directed a few choice curse words at the company for claiming such wildly unnecessary broad access in the first place. Aside from feeling disproportionately pleased with myself for my creative choice of profanity (which, regrettably, I can't reprint here), my situation now is identical to what it was before, practically speaking.

Other extensions whose permissions I adjusted without issue included a simple utility for identifying color codes, a tool for saving any image on the web as a PNG, and — how 'bout this? — Google's own official Save to Google Drive extension. All of those extensions claimed the ability to read site data all the time by default, when all they really need to function (and all that's really justifiable for them to have) is the "read on click" setting.

Now, to be fair, it's pretty unlikely most of these extensions did this for nefarious reasons. This granular approach to Chrome extension security settings has only existed since last October — and before that point, extensions were given just the binary option of requiring access to all browsing data or none. The three extensions I just mentioned were last updated prior to the point of that switch (which is a problem in and of itself, too, but we'll save that subject for another day), so it's likely their broad default site access permission was just a legacy carryover sort of thing. (The same is true for Authy — though notably not for Pocket, whose extension was last updated this past July.)

Regardless, though, I now have the ability to correct that in most cases. And so I did. And so should you.

One more thing: I'd be remiss if I didn't mention that anytime you install a new extension from the Chrome Web Store, you're shown a pop-up with a list of the permissions the extension requires. And, yes, included in that collection are the extension's default settings for when it'll be able to read and change data on sites you're viewing.

But look: Even the most astute of us is prone to occasionally clicking through such screens without carefully considering their implications. We've all done it. We're only human. (Well, most of us are, anyway. No offense, but I'm not 100 percent sure about you.)

So, step four: Once you finish cleaning up your current Chrome extensions' security settings, make it a personal policy from now on: Don't just click through those disclosures. Closely review the permissions for every new extension you install — then think about whether you should change the data-viewing permission any given extension claims by default.

The beauty of Chrome's current setup is that you don't have to give any extension the full level of data-viewing access it tries to demand. But it's up to you to think it through every time — and then to take action to reclaim control over your personal data when needed.
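
For anyone who'd rather audit a whole profile at once than click through every Details page, here's an added example (not from the original article or from Google) that reads each installed extension's manifest.json and maps the site access it requests by default onto the levels described above. It assumes the usual on-disk layout of Extensions/<id>/<version>/manifest.json inside a Chrome profile, and the sample manifests are constructed for illustration.

```python
import json
import sys
from pathlib import Path

def is_broad(pattern: str) -> bool:
    """True for match patterns covering every site, e.g. <all_urls> or *://*/*."""
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    return bool(sep) and scheme in {"*", "http", "https"} and rest.split("/", 1)[0] == "*"

def classify(manifest: dict) -> str:
    """Map the host access a manifest requests onto the article's access levels."""
    perms = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    hosts = set(manifest.get("host_permissions", []))                # Manifest V3
    hosts |= {p for p in perms if "://" in p or p == "<all_urls>"}   # Manifest V2
    for script in manifest.get("content_scripts", []):
        hosts |= set(script.get("matches", []))
    if any(is_broad(h) for h in hosts):
        return "all sites"
    if hosts:
        return "specific sites"
    return "on click" if "activeTab" in perms else "no site access"

def audit(extensions_dir: Path) -> list:
    """Return (name, extension id, level) for every manifest under the directory."""
    rows = []
    for path in sorted(extensions_dir.glob("*/*/manifest.json")):
        manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        rows.append((manifest.get("name", "?"), path.parts[-3], classify(manifest)))
    return rows

# Constructed sample manifests for illustration; not real extensions.
SAMPLES = [
    {"name": "Constructed saver", "manifest_version": 2, "permissions": ["tabs", "<all_urls>"]},
    {"name": "Constructed clipper", "manifest_version": 3,
     "host_permissions": ["https://*.example.com/*"]},
    {"name": "Constructed picker", "manifest_version": 3, "permissions": ["activeTab"]},
    {"name": "Constructed theme", "manifest_version": 3},
]

if __name__ == "__main__":
    if len(sys.argv) > 1:   # path to a profile's Extensions directory
        rows = audit(Path(sys.argv[1]))
    else:                   # no path given: run on the constructed samples
        rows = [(m["name"], "(sample)", classify(m)) for m in SAMPLES]
    for name, ext_id, level in rows:
        print(f"{level:15} {ext_id:34} {name}")
```

The output reflects what each extension asks for in its manifest, not any lower level you've already picked under "Site access," so treat every "all sites" row as a prompt to open that extension's Details page and check.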
