In another thread[1] on HN today there was discussion over developers selling out their web extensions to marketing corporations which end up filling them with tracking scripts and malware. Someone suggested that Google should be much more aggressive at filtering out said extensions, and one of the responses was a sarcastic comment over a future article about Google attacking extension developers and the free web.
The problem isn't that an extension was removed. There will always be erroneous attempts at making things safer for users when playing the game of content moderator. The problem is that Google is impossible to talk to, and makes no effort to help when things go wrong. As a current user of Gmail this worries me.
This petrifies me. Google provides an incredibly easy way for me to capture all data that I care about. Getting photos and videos of my kids growing up and keeping them for years is trivial with Google.
And in one little error it can all disappear with no recourse.
I continue to struggle today to find a silver bullet solution for someone like me who just wants to hurl money somewhere and say, "use this money to guarantee that my cherished photos and videos will be here in 30 years."
Second to that is getting locked out of my Gmail. I'd consider that more irritating than losing my wallet.
For me, the "Back it up in a place you trust" is coming back to square 1 of the parent poster's problem. I actually do have my photos on (a few) disks and computers, not on Google, and I still have the problem that I want to hurl money somewhere and say, "use this money..."
I'm kinda hoping for some open-source solution to emerge based on IPFS or the like, which would let me easily control replication of my photos & vids over a few local disks (probably via some local NAS machine[s]), and some online paid pinning service.
There are apparently some efforts towards something like that in the IPFS community [1][2], but no clear winner yet I think, or at least especially no good UI/UX for this yet.
edit: some random service/startup which I just googled up which apparently tries to fit into this area, linking here to hopefully match them with potentially interested users, and thus maybe help them reach critical mass: https://www.reddit.com/r/ipfs/comments/846e64/photo_backup_a...
Yes, that is the problem I'm trying to articulate. Of course you ask a ton of engineers and you get engineering solutions. =)
What I want is a holistic solution. "I have money and I have data that I want taken care of. I don't want to do much work and I don't want to think about it more than once a year or two."
Takeout is great, but it has one major flaw. There is no way to download only data that has changed after a specified date, i.e. no incremental backups.
There is also no "Take in". Your data might be all in that file, but without a lot of effort, you aren't going to be able to get it back into a usable form, with Google apps or a competitor.
The Google Drive files are exported as you would expect and you can just copy them into some other sync folder as is. Takeout transforms any Google Docs and Sheets into Word and Excel formats (configurable), so you don't end up with links into your disabled Google account (contrary to how their Backup and Sync client works).
Emails are exported as mbox files, calendars in ics format. It's pretty easy to import everything using widely available email and calendar clients. It's also pretty easy to put it all back into another Google account, but you're right, it's not as simple as importing the entire takeout zip file in one piece.
What I haven't tried is what happens to files that were shared with you. I would expect that they don't get exported because it's someone else's data after all.
I think if the purpose is to let you move all your data to a different provider and avoid any lock-in, then Google Takeout is an honest and practical solution.
It's clearly not meant as a routine backup solution though.
Getting locked out of Gmail is no joke. I have an old account that’s been forwarding to me for years, but when I recently changed my phone I lost my two factor.
Despite being able to supply Google with the creation date (they ask), the fact that my name/birthday is the same on both accounts, I’ve attached the same Visa to both Google accounts, I’ve logged on to them from the same IPs, and the fact that it’s forwarding everything to me, I still haven’t been able to get it unlocked.
I’m not sure I’ve really spoken to anything but an automated process either.
It’s entirely my fault for losing the two-factor restoration keys, but it’s been a little frightening to realize that you can’t just contact Google and have them help you.
tl;dr: Need to contact someone at Google? File a copyright complaint.
--------------
I was in the same situation, having the correct logon credentials for my account, but the system refused to believe it's me and asked for proof, but I forgot the security answer.
Ended up filing a bogus copyright complaint, knowing they can't handle that automatically.
I told them there was a copyright violation and proof was in my locked account (a picture of a seven-legged spider...).
They unlocked the account long enough for me to move my accounts elsewhere.
I developed such a service some time ago, but it's impossible to find any market for it. The non-technical people say "but I have it on Google already?!" and the technical people say "I just created a DO droplet and configured backup to Backblaze, easy and cheap!!".
I find both options to be not ideal, since I'd like a simple, secure and safe way of storing my pictures. But that's the way the market is.
> and the technical people say "I just created a DO droplet and configured backup to Backblaze, easy and cheap!!".
That's very much missing the point. The non-technical option is inside that post: Backblaze. Do that twice, the second time with crashplan or carbonite, and you can keep your files safe without any trouble.
The real problem is that it can only protect the files on your computer. If you have data that's fed directly to google, there's no simple software to get it back out to where it can be backed up.
What if you're a bit cheeky, mount eg your Drive storage on a VM via one of the various 3rd-party filesystem-mounting systems out there, then run $backup_client on the VM pointed at the Drive local mountpoint?
Plenty of uncomfortable chances for failure, but a few heaped handfuls of error reporting would probably be mitigation enough.
Getting the initial clone done might be a little fun, you might need to actually download the Drive folder structure to somewhere spacious so you don't run into transfer ratelimiting for the initial upload.
It is not that complicated. Just pay (monthly) for a Storage Box at Hetzner (just an example provider I trust) or any other provider and your data is still there in 30 years. - https://www.hetzner.com/storage-box?country=gb
In real empirical practice, which happens more often: Google locks a user out of their own data (a user who wasn't intentionally blatantly violating the TOS), or a non-Google-user loses their data due to some technical error or natural disaster?
There's no silver bullet replacement for the Google ecosystem. However there are plenty of choices for many important services such as Email, file/ photo storage, contacts / calendars, etc. You just gotta take the plunge!
I use Glacier quite a lot for things like this. It is essentially free to store what most people reasonably consider "a shitload" of personal data. The cost is putting it into Glacier and then of course getting it out again. I'm not willing to bet AWS will still be around in twenty years, but it's a dirt cheap bet that won't cost me hardly anything if I lose that bet.
Go to Digital Ocean, make a NextCloud droplet, and configure backups to Backblaze. There you go. Bonus point if you buy a small server and become a custodian of your own data.
Yeah, sure, with the stories of Apple deleting songs from your local machine because they were deleted from your cloud account because DRM or whatever, and IIRC even deleting some random photos because some bug (but w.r.t. photos I'm not sure if I recall this correctly, or just spreading FUD here.) Or was this Amazon with Kindle and with ebooks? Apple was sure reported as deleting high quality mp3s from your disk because they have mp3s of the same songs in poorer quality as their deduplication reference files on their cloud.
Anyone using a free service anywhere provided by anyone should be worried.
I pay to use gmail and their service is incredible. Whether it's been support chat, phone calls, etc... I've always received very prompt support from Google.
I’ve paid to use Google services before, and had the most miserable customer service experience with a company ever. Contact information difficult to find, and walled behind accounts you have no knowledge of potentially, and policies designed to be explicitly hostile (I had them admit that outright to me) - I ended up out of $500+ as a result, for which they only were willing to refund $20.
Google seems to just be an exceptionally bad actor - I’ve been starting to move away from dependence on them as a result, as they’ve proven to me that I cannot rely on them to be honest/transparent in the most important ways.
I have my own domain, and use Gmail for free. Because I'm cheap, not because I care. One day I'll find a better solution, one that avoids Google (paid or unpaid) altogether.
Yeah, I got mine for free too since I've had my domain for a while, but I have a newer domain that I set up on GSuite, and was paying $5/mo for, until I realized I could set it up as a domain alias of my original domain and get it for free.
I find it kind of frustrating that Google does nothing about extensions tracking your browser history, and quickly takes action against extensions like these. I hope Google has their Cambridge moment soon.
A slight irony is that this extension actually removes tracking capability from Google itself in the search. (I suppose only really if you have JS disabled, otherwise they can capture the click event in JS instead of handling links via a special redirect tracker).
To the author: Thanks for the extension. I'm a happy user on FF for a long time.
I have no doubt Google ruthlessly takes advantage of tracking data but that’s for them, not for third parties. Anything is possible but I think they’d see giving up data like that to a company like Cambridge to be surrendering a competitive advantage.
> web extensions to marketing corporations which end up filling them with tracking scripts and malware.
One of the worst parts about this is that they auto-update without you knowing. So an extension might've been safe when you first installed it, then a month later it's infested.
Same thing happened to me [1], with a slightly different rationale for pulling the extension.
This happened despite tens of thousands of users, years of good reviews, and an extension so useful that Google's own accessibility team demos it at conferences.
I was only able to get the situation sorted because I know people who work at Google on the Chrome team. Even with all this, it took weeks to get the previous version restored, and after that weeks more before we could push an update without having it get automatically rejected.
The only "good" news is they didn't uninstall our existing user base.
Hey, it's off topic, but I just learned about your product and sent a link of the product page (beelinereader.com/individual) to my colleagues - only to find out that my email was filtered as a spam by FortiMail! Apparently, the offending text was that URL. Maybe it's somehow related? Was this product site previously infested by malware or something?
Wow, thanks for letting me know. We have never had any malware, though our inline install of Chrome/Firefox extensions has been flagged by Avast at times (despite our attempts to get whitelisted). Neither our website nor our tools have ever done anything even vaguely shady — we don't gather user-level browsing data or anything else like that, so it's a big bummer when we get flagged like this.
Do you know if there's a way that your company can report this as an inappropriate block to FortiMail? I will try to reach out to them also, but my guess is they'll be more receptive to a customer request than to one of their blacklisted websites!
BTW, we're not publicizing this, but right now we're testing out a "BeeLine Advocate" program. Basically, if you install the extension and complete the free trial (2 wks), you'll be invited to get free access to our Pro tier in exchange for filling out periodic surveys.
We've just opened up this program, and it'll probably be open to new users for 3 weeks or so. Thought I'd share with the community here, since HNers are great for feedback (as you've just shown with your comment!).
> Do you know if there's a way that your company can report this as an inappropriate block to FortiMail?
Our corporate email is outsourced to another company, where they apparently use FortiMail as a packaged solution. So I don't think it's very likely that they'll listen to me - but I'll try anyway. Good luck with the new campaign!
> I was only able to get the situation sorted because I know people who work at Google on the Chrome team.
Hehe, one thing all successfully resolved issues have in common - a friend inside of Google. Maybe that's by design... Google employees are not friends with bad guys!
I did not, and hearing this guy’s story means that the problem hasn’t been completely solved.
For us, this was triggered by a question about our privacy policy (which we have, and always have had). I assumed that it was just a glitch in their review and follow-up software — specifically, that it didn’t give the full 7 day grace period. But it sounds like it’s a bigger problem than this.
One of the big frustrations for me was that their system was run from an anonymous mailbox, and seemed to have different folks responding at different times. Also, if they sent you a message and you replied immediately, you might not hear back for days. At times, it seemed like I was either corresponding with a bot or someone with very bad English.
Maybe a tech journalist can write a story about what’s going on, and actually get some answers from them?
I have told them that this issue has pushed us to look more at other platforms. We are also on Firefox (much easier now that their extension platform is similar to Chrome’s), but we still have the vast majority of our users on Chrome (60k versus <1k).
I even submitted our extension to Opera. Months went by with no response. Dev forums show that this is a common experience.
We’re also on iOS, but since extensions don’t really exist on mobile, this isn’t a great substitute.
I’d welcome suggestions for another platform that we should be on!
They somehow have the manpower to ban your extension in 2 hours and 30 minutes without an explanation as to why, but then when I get a fake copyright claim on my most popular YouTube video somehow it takes three months, 12 emails and I still don't get the ~$900 lost revenue back.
Cannot upvote this enough. People complaining about such things think that "customer is always right" where reality is "customer is always right if he pays enough for us to care". Have some reality check.
Every company does what is in its best interest, not the particular customer's.
I'm not sure what their approach is. My article links to another about fake ad blockers - flagging these usually yielded no results, neither when flagging trademark infringements nor malicious functionality. The process took months even for the obvious cases, and Google did little to prevent these extensions from being resubmitted. Yet when my article on them got picked up on HN, all of them were suddenly taken down. So it doesn't look like they have any manpower whatsoever - the scarce resources they have are busy fighting bad press and threats to Google's business interests.
Hello from the other side! Someone stole our copyrighted audio script from our website and uploaded it on their own YouTube channel. 4 months later (!!!), about 30 emails back and forth and $1,800 in attorney's fees, we finally got it down.
Mirror your videos to other services. If you want to make sure your content is preserved you can upload it to archive.org.
There's also a huge difference in scale. There's not that many browser extensions to consider, but they have millions of videos on YouTube. It's not really comparable.
They took down my bookmarking extension with no notice, and replied to none of my e-mails. Although @GoogleChrome gives support on Twitter, they completely ignored my tweets and also some users' tweets. We had a good description, many screenshots and a screencast, our extension is even open source (https://github.com/kozmos/browser-extensions).
I don't even know the reason why they took it down.
Google is terrible at support. I had to wait 2 months to get my oAuth application reviewed. I had to write an email in all capitals to get their attention.
Back when Facebook didn't support linked hashtags I made an extension that removed them from posts on facebook.com (they just annoyed me). It still worked perfectly even after Facebook added native support.
It was active for many years with great reviews and a few hundred users.
Google pulled it early this year because Facebook asked them to... They claimed it violated copyright. There was no option to appeal.
Not trying to make a point here. Just offering another anecdote.
Nice. If I had known about this extension I might have used it.
When people started hashtagging on FB, I thought it was the stupidest thing. Then, when FB made it a feature, I just had to shrug and go "I guess the hashtaggers are the ones in the right, now..."
Happened to my own extension this week too ( https://habitlab.stanford.edu ), except without warning - especially frustrating since I've been developing it for nearly 2 years and Chrome no longer allows users to easily install anything from sources other than their Chrome store. May end up having to port it to Firefox, except there are so many inconsistencies in CSS and webextensions between the browsers it would take a month or more. It's quite frustrating how these walled gardens can easily destroy years of work at someone's whim.
Meanwhile there’s an extension on there with our company name and logo (both trademarked) that might be stealing peoples data and Google have done nothing about it after many submissions of their trademark infringement form.
Thank goodness that Google is not a court of law and you can engage the legal system for restitution. I mean, wouldn't you want to go that route anyway given the potential damage to your brand by a third-party abusing your trademark? Would pulling the extension undo all the harm the infringement caused you?
Given that these copycat extensions usually aren't giving you a way to find their creator - good luck with the legal system. And even if you can find them, what will you do about them if they are located somewhere in China? The legal route is only good enough to force Google into removing infringing extensions. For you, it means more effort and money wasted. And these malicious extensions get more time to catch unsuspecting users. Of course, after being taken down they will immediately resubmit their extension and you start from scratch. All while Google has a way to report such cases but won't act on the reports.
We should spend thousands of dollars on a lawyer for a clearly fraudulent extension... because? The legal system is a waste of time and money and is where you go as a last resort.
And yes, it would. The Chrome Web Store isn’t exactly a high traffic destination. We just want to prevent the thing from stealing data since it asks for domain permissions.
Why have the form specifically for this if you’re not going to process it? Oh wait, it’s Google... never mind.
Create an extension with similar name then cite the other for something. When they challenge you reference your trademark etc... or take them to court in front of a judge.
Isn't that extension going straight against Google's ability to track what users are clicking on, i.e. against their core business? Maybe the warning wording is cumbersome or opaque, but what would the author expect? Company not protecting their turf? The only surprising thing is that they did it in this unimaginative hidden fashion, not fitting their friendly progressive image.
Nowhere in the Chrome Web Store policies does it say: "Extensions aren't allowed to violate Google's business interests." Supposedly, acceptance in CWS depends on user value, and the policies protect the user rather than Google.
It's interesting to observe current landscape of app delivery, previously it was just binaries or sources on developer's site now it's shifting to centralized model in the name of protecting users from malicious actors. I wonder if there is a way to have a cookie (developers don't need to worry about random behavior of your centralized owner) and eat it too (fight malware).
In this case the centralized owner is the Chrome Web Store; you're leasing space in their list of offerings at their terms, for better or worse. It's worth noting that the Chrome Web Store is just an easy (and highly visible, of course) way of installing extensions but not the only one; developer mode and self-installing is totally possible (though admittedly higher friction).
Protecting users from malicious actors serves in the best interests of the Chrome Web Store, certainly, but there's nothing stopping users from running their own security software.
In a more ideal world a developer would distribute an extension from their own platform and the user would run a security check against it (and all future versions). Until we get to that world, though, a store that is focused on integrity of security and expresses its right to remove things that don't fit its model is convenient.
Firefox still allows installation from third party websites, they merely require add-ons to be signed by AMO. This allows Mozilla to revoke a signature for malicious add-ons, not sure how often this happens in practice.
Isn't signing supposed to solve some of that? You sign the binaries you host on your site, and the OS checks to make sure the signature is valid. (Maybe against a non-profit "Let's Sign".) If it's a valid signature, then you know it was signed by someone your OS trusts. Ideally, the OS would not trust signatures from malicious actors.
I've never been involved with that kind of thing, so I'm just guessing. Feel free to correct me.
What kind of package? That probably means the signing is way too complicated. There's not much to get wrong in doing a single hash of an entire zip package and then appending a simple signature of that hash.
And in the end the malicious actors are the centralized hosts. Even if they don't start that way, centralization leads to perverse incentives for censorship.
Quite remarkably, they are only moderately successful in keeping malicious actors out of Chrome Web Store. Centralizing deployment won't give you that automatically, you also need the manpower to enforce policies. And Google isn't even acting when extensions are flagged.
Well, the solution is a sandboxed temporary runtime environment with user-controlled session duration, user-managed permissions and strong profile silos, also known as: your browser.
They aren’t applications; they extend the environment in which the untrusted applications run. As such, they’re more like kernel modules with regard to security and threat modelling.
Oh, that's nice - it was restored without giving me any kind of notification. Developer Dashboard says that the screenshot is there, not sure why it doesn't show.
Edit: Got a mail now, supposedly the issue here was an internal miscommunication resulting in a rejection. So all is good again and all I have to do is resubmit that screenshot.
I've never really been a fan of the whole "browser extensions" thing, with perhaps the exception of UI mods, and things like this only serve to reinforce that notion. I prefer to use a MITM filtering proxy, which works in all browsers and is independent of, so isn't beholden to, the authoritarian institutions which control them. Incidentally I also have a filter which does the same thing as his extension, and I probably added it the same day Google decided to mess with those links.
How carefully have you analyzed the MITM proxy you are using? Many have security holes and you may be opening yourself up to attacks. Modern browsers have placed a lot of effort into security, you may be undoing a lot of the transport security.
I almost lost a Google account because the Android app I uploaded was in violation of their Terms. I had to work a few emails/calls with Google to demonstrate it wasn't a violation, but it was a very close call.
Someone should set up a website listing plugins banned by Google for reasons that fall in a gray area or for reasons that are just outright indefensible. Banning extensions in this manner is a signal of value to the end user. Could also list extensions available on Firefox but not Chrome.
Something similar to hiddenfromgoogle.com but for extensions (doesn't appear to work anymore) [1]
I've had similar stories, accounts banned, extensions denied because they didn't understand what it did, one was denied because it had minified code, the review process could use more work.
It’s a tough situation, because the amount of access that these extensions have to users’ actions can be extreme. Malware is a much greater concern than, say, the AppStore, as access to sensitive information is far less controlled.
I had similar problems with an extension that I am developing. They threatened to take it down because it didn't have a privacy policy attached, although their developer guidelines state that you only need a privacy policy if you collect personal or sensitive user data, which I am not. It took me several resubmissions (each time I was scared I would be banned from all google products), before they finally approved my extension. The clincher was that my extension was marked as unlisted the whole time; it wasn't even open to the public.
Yes. And because of that I cannot empathise with this developer.
It's no longer a case of "don't put your time into a closed ecosystem, for your own sake", but "you have the moral duty not to contribute to a closed ecosystem, for everyone's sake".
The developer was doing something immoral and something bad happened to him. It's karma, Kramer.
Side rant: I have an extension which has been published for about 6 years now. They've broken the extension several times due to removing or changing the APIs. I have a couple of bad reviews due to having to remove features from the app because they removed functionality or APIs. The past couple of years things have been more stable, but still, it's been painful.
A fun related issue with the Chrome Web Store is that you can submit random gibberish to their DMCA takedown form and they'll pull an extension down anyway. Then they take upwards of 4 weeks to process counter-notices and refuse to fulfill their obligation to provide the identity of the reporter so you can sue them.
I had an extension, NoBing, which redirected Bing searches to Google. Removed due to copyright, so I rebranded it as "Bongle"; removed again due to copyright despite no mention of Bing. Gave up.
If you remember special relativity theory, it's the same thing - merely depends on your point of view. From my point of view, Mountain View is moving. But if you are a Google employee, then I must be moving of course.
What does the user story look like for installing a Chrome app locally? Do you need to go through tons of menus or is it just dev mode + easy/scriptable setup process?
I’m way out of the loop then, I guess. Back in my day you could move code files around your computer’s file system, and even run them with interpreters.
That's the thing that makes Google a more challenging beast than Facebook: you don't have to have an account to be an asset for Google, and you likely feed them more data all the time.
Definitely, though between search, communicating with the many Gmail users, AdWords, YouTube, and Android's market share, Google Maps' dominance, etc., Google is IMO far more ubiquitous.
I'm very curious to see how this plays out. Obviously, the reason for banning the extension is that it prevents Google from tracking our clicks (I'm surprised it took them so long!) But they can't clearly spell out the reason as it would make them look bad, so they just used some template and try to sweep it under the carpet. Now that it's on HN it's no longer so easy to ignore, so I'm really curious to see what happens next.
There's a much more obvious reason: the OP's extension presumably requested permissions to inject scripts to google.com. This is a very common pattern for malicious extensions, which can use that permission to hijack the user's Google session, or to inject third-party ads into Google search result pages. Coupled with the lack of information on the extension page, it looked risky.
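The permission pattern described in the comment above can be checked from the reviewer's side by reading an extension's manifest. This is an added example, not code from the thread or from any extension it mentions; the `SENSITIVE_HOSTS` list and the three sample manifests are constructed, and the manifest keys are the standard WebExtension ones.

```javascript
// Added example: flag manifest entries that let an extension run script on
// sensitive hosts. SENSITIVE_HOSTS and the sample manifests are constructed.
const SENSITIVE_HOSTS = ["www.google.com", "accounts.google.com", "mail.google.com"];

// Parse a match pattern such as "*://*.google.com/*" into { scheme, host }.
// Returns null for API permissions like "tabs" or "storage".
function parsePattern(pattern) {
  if (pattern === "<all_urls>") return { scheme: "*", host: "*" };
  const m = /^(\*|https?|wss?|ftp|file):\/\/([^/]*)\/.*$/.exec(pattern);
  return m ? { scheme: m[1], host: m[2] } : null;
}

// True when the pattern covers `host` over http or https.
function coversHost(pattern, host) {
  const p = parsePattern(pattern);
  if (!p || !["*", "http", "https"].includes(p.scheme)) return false;
  if (p.host === "*") return true;
  if (p.host.startsWith("*.")) {
    // "*.example.com" matches example.com itself and every subdomain,
    // but not look-alikes such as notexample.com.
    const base = p.host.slice(2);
    return host === base || host.endsWith("." + base);
  }
  return p.host === host;
}

// Collect every field that can carry host access (Manifest V2 and V3)
// and report the patterns that reach a sensitive host.
function auditManifest(manifest, sensitiveHosts = SENSITIVE_HOSTS) {
  const sources = [
    ["permissions", manifest.permissions],
    ["host_permissions", manifest.host_permissions],
    ["optional_permissions", manifest.optional_permissions],
    ["optional_host_permissions", manifest.optional_host_permissions],
  ];
  (manifest.content_scripts || []).forEach((cs, i) =>
    sources.push([`content_scripts[${i}].matches`, cs.matches]));

  const findings = [];
  for (const [field, patterns] of sources) {
    for (const pattern of patterns || []) {
      const parsed = parsePattern(pattern);
      if (!parsed) continue;
      const hosts = sensitiveHosts.filter((h) => coversHost(pattern, h));
      if (hosts.length === 0) continue;
      findings.push({ field, pattern, hosts, broad: parsed.host === "*" });
    }
  }
  return findings;
}

// Constructed sample manifests.
const SEARCH_LINK_FIX = {
  manifest_version: 2,
  name: "sample search link cleaner",
  permissions: ["storage"],
  content_scripts: [{ matches: ["*://www.google.com/*"], js: ["content.js"] }],
};
const BROAD = {
  manifest_version: 3,
  name: "sample new-tab theme",
  permissions: ["tabs"],
  host_permissions: ["<all_urls>"],
};
const NARROW = {
  manifest_version: 3,
  name: "sample site helper",
  host_permissions: ["https://example.org/*"],
};

for (const m of [SEARCH_LINK_FIX, BROAD, NARROW]) {
  console.log(m.name, JSON.stringify(auditManifest(m)));
}
```

A finding only says the extension can run script on that origin, which is equally true of a benign link fixer and of a session hijacker; it marks the code a reviewer has to read, not a verdict.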
No, the reason isn't obvious. The extension wasn't popular enough on Chrome, Google simply wouldn't bother doing anything about it. This might be a trademark issue, the extension's name has "Google" in it - then it's a major mess-up, failing to spell out the correct reason. Or maybe it was flagged by some automated tool and whoever checked the output of that tool didn't properly validate it. Impossible to tell from the outside.
> Anyway, dear users of my Google search link fix extension. If you happen to use Google Chrome, I sincerely recommend switching to Mozilla Firefox. No, not only because of this simple extension of course. But Addons.Mozilla.Org policies happen to be enforced in a transparent way, and appealing is always possible. Mozilla also has a good track record of keeping out malicious extensions, something that cannot be said about Chrome Web Store (a recent example).
It's interesting to hear this, when Firefox Mobile keeps uninstalling uMatrix and uBlock Origin, while these keep running on Chrome without issue.
How can you say extensions run on Chrome without issue in comparison to mobile Firefox, when mobile chrome has no extensions?
What kind of twisted logic is this? uBlock can't run without issue on mobile Chrome, since there's no uBlock for mobile Chrome. Even super locked-down mobile Safari has ad blockers available.
I had UBO disappear once or twice from my desktop Firefox, but that appeared to be a bug of some kind. Never vanished from my mobile version, and AFAIK it's never been removed from Mozilla's add-ons store.
Mozilla also doesn't stand to gain anything by forcing you to view ads. Google does. That's why Firefox Mobile has historically been the mobile browser that lets you install add-ons and adblockers, while Chrome for Android has not.
Are you saying that Firefox mobile has uninstalled add-ons from your browser multiple times?
I've been running Nightly mobile for more than a year and never had that happen. It sounds like a very strange bug, maybe it had something to do with Sync?
I've had uBlock disappear from the main menu in mobile Firefox, but it was still accessible from the add-ons screen. I can get uBlock to reappear in the menu by force quitting Firefox.
It also happens to me. I assumed it's some bug or internal crash. However it seems to keep working even if it doesn't appear in the menu. It's just impossible to pick elements to hide if it's not in the menu.
And less than 24 hours later, here we are.
[1] https://news.ycombinator.com/item?id=17447816