This is very disappointing, and points to a weakness in these kinds of platforms: I can be a passive user of an excellent extension for years, and wake up one morning to discover that my browser has (silently!) upgraded the extension to one controlled by an entity that I don't necessarily trust.
I think it would behoove Firefox and Chrome to change their policies around automatic extension upgrades in these scenarios: if an extension discloses a change in ownership, then upgrades should require user approval. If an extension fails to disclose a change in ownership, then users should be able to report it as malicious.
This isn't just a problem with extensions, though. It's a problem with everything. Always has been and always will be.
This is why people should be extremely cautious about becoming too attached to (or, worse, dependent on) any particular product or service. It can change ownership (and therefore policies) at any time.
This wasn't a big problem with software just 20 years ago. Sure, the software you used could be bought by someone else, but that just meant you might choose not to get the next version. Software didn't automatically update, and licenses were eternal and mostly tied to physical tokens, like a disk or a fancy sticker. At some point your beloved software might become obsolete, but that was because it was outpaced in improvements by other better software, not because yours got any worse.
It's another prime example of why users should be wary of always choosing automatic software updates, and particularly wary of any company that uses security and "we know what's best for our dumb users" as an excuse for trying to stop users from using only a manual update process.
It's not a problem with everything. Distributions tend to add editorial input here and try to do something they consider reasonable for their users, staking their own reputation on that without trying to pass it off to the component publisher.
For example, I doubt that Debian would take an update from an upstream that is detrimental to their users. They would follow a friendlier fork first. Debian maintainers follow their users' interests first.
(I'm a Debian Developer)
Edit: and that means you can generally trust automatic updates on Debian.
I think it's a particular problem with extensions because:
1. They usually mostly work in the background, don't need much interaction. It's almost like a built-in browser feature changing owners.
2. They are pretty difficult to find a business model for - as opposed to SaaS stuff and mobile apps, which people pay for rather commonly. So the choice is to a) Make no money b) Ask for donations (seems to only work if it's somewhat obnoxious) c) Make money in some creative (often shady) way d) Sell the thing.
Case in point -- I mortgaged my home with a local bank then without me knowing or being asked I became a Wells Fargo customer. At least you can uninstall the extensions :)
This is why tools are always better than products or services. Your hammer in the drawer isn't going to one day update itself and change. Neither is some of the bash tooling that's been around for decades. And should these things change, you always have your old versions of these tools in your drawers and storage drives.
I was thinking about this in the food and personal products space. I dreamed up something like requiring some kind of notation to denote how many steps you are away from a parent company. Direct private companies with no parent would have no notation; once a parent company buys the company and its brands, put a dot for every parent company above the company of the product you're now purchasing. Something to make this transfer visible.
I agree. I also don't think this is something that's formally solvable in the general case, at least not in a way that's practical for distracted and non-technical users.
Instead, this is the kind of thing that needs to be solved on the policy level: Google and Mozilla have an interest in maintaining high-quality extension ecosystems, and ought to take a dim view of these kinds of ownership transfers.
That's a different issue. I can still run many old versions of software even if new versions are put out by some evil entity I no longer trust. Unless the software auto-updates. In which case I no longer have the old version.
AFAIK, it is not easy (or maybe not possible) to opt out of extensions updates.
This is why people should be extremely cautious about self-modifying software (i.e. unattended autoupdate): it grants remote code execution on your computer to remote parties.
As a corollary, any private information that a publicly owned company has is for sale (since the company could be bought or merge), and any information any company has can be force-sold during bankruptcy proceedings.
Any time a company has physical access to your data, and says they will not sell it, they are lying (unless it is privately held, and never takes on debt / pays after delivery).
In particular, EULAs and other contracts do not protect your information in the above situations, since debt and shareholder obligations generally come before customer obligations, and the data is considered an asset.
A decade ago I wrote an extension called SelectorGadget (https://selectorgadget.com/). It's effectively unmaintained, but it still works and people still use it. I make no money from it and never have. Every few months someone tries to buy it from me, and I ignore them because I don't want to f** over my users. But there are a lot of extensions out there and maybe their owners care less, or find themselves in a moment of financial hardship and they sell.
I have received a few solicitations to sell apps that had not been updated in a while (they were still good, but hadn't required an update).
I suspect the buyer would repackage the app with some "extra spices," either advertising, or malware, and would count on the auto-update to force it onto users' devices.
I declined. I remove moribund apps. I've written over 20 but only have a few on the store.
This problem is more far reaching than just extensions, and further reaching than what entity is in charge of something.
For instance, the worst company imaginable may be in charge of software that was once FOSS, and they may change absolutely nothing about it, so it should be fine. However, if a small update is added that does something bad, you should know about it immediately.
The solution seems to be much more clearly in the realm of things like crev: https://github.com/crev-dev/cargo-crev/
Wherein users can get a clear picture of what dependencies are used in the full chain, and how they have been independently reviewed for security and privacy. That's the real solution for the future. A quick score that is available upon display every time you upgrade, with large warnings for anything above a certain threshold.
Change of ownership is easily gamed though. The change can be hidden or the extension can be "leased for 99 years" or whatever.
It really makes me wonder if there's a way to formalize a system of verification, trust, vouching, etc. not just for extensions but for source-viewable software in general, version by version, diff by diff.
Volunteers actually inspect an extension's JavaScript to check for anything potentially malicious (is it reporting on user activity etc.), they vouch for each other, and you select some core single individual or group to trust (or majority-vote or something), and then only allow software on your system that is vouched for. Nothing ever gets upgraded until it passes.
These types of problems roughly map onto the distributed identity problem: there's no known way to distribute `K` authority identities to `M` trusting identities without some kind of trusted intermediate.
"Vouching" can form that kind of trusted intermediate, but probably not without grinding an ordinary speedy update process to a near halt. That's probably a worse outcome than just having the pre-existing authority (i.e., Mozilla or Google) establish an enforceable policy around what constitutes an acceptable (or acceptably transparent) update.
I have a couple of extensions I've made. Most have a couple hundred weekly users, but one has a few thousand, and I have gotten emails about adding ad and search-redirect code for some money. If I were in a bad financial situation or just didn't care, I could have just added the code without anyone really knowing.
Everything about this is sad. Sad that I have to install an extension to get rid of stupid messages forced upon me just for visiting a website, sad that an untrusted company is trying to buy trust, sad that users have to waste time switching away.
> If an extension fails to disclose a change in ownership,
They would just change ownership and keep that a secret from the world. Avast would 'hire' the dev of this extension, and provide him with more engineers and ideas of features to implement.
Technically that is what Chrome MV3 is. The issue with that is they also heavily restricted any kind of content blocker by removing most of the relevant APIs in favour of a declarative API.
This is why you have the power to turn off auto-updates on anything that has auto-updates. And you should exercise that power. That way you'll wake up to the news of a horrible change, not the reality of already being part of it.
Except... companies regularly switch their legal entities around, which can be annoying. So you might wake up one day seeing ownership was transferred from <X> to <X>.
Still, one could get away with not disclosing it in such cases and live with it in a gray zone.
I know how to disable automatic updates. The point was that there's a substantial shift in trust when the underlying identity that controls an extension changes.
We need to stop writing “X buys Y”, and start writing “Y sold to X”. Big co’s aren’t some boogeyman that can buy whatever they want, individuals and small companies are selling out, and by pretending they’re blameless we normalize it. This extension wasn’t taken over, it sold out. Like LastPass, Private Internet Access, WhatsApp, Figma, Dark Sky, Wunderlist, the list goes on. All decided that, actually, they care less about their mission, users’ experience, and users’ trust than they do a pile of cash. And that’s not necessarily horrible or even wrong, but what is wrong is for us to not even withdraw our trust from people who have sold it. Or for us to withdraw equally from those who don’t.
The only startup I was in didn't. They ran short of money and laid me off, but 20 years later the company is still around doing the same thing they always have and I assume making money. Just before they laid me off they rejected a buyout offer from a big company.
I think that is actually normal overall, but the real fast riches are of course in the big buyout.
There's a lot of sell outs, not just someone who sells their app.
Many people work for places and sell their soul to them, accepting the evil they push - e.g. Google.
It's not unique to solo devs. Unless you work for a morally sound employer, and only interact with morally sound companies, throwing shade like that just means the boot will fit on you too.
There seems to be a lot of edtech startups being sold to big companies right now. I’m guessing these are distressed companies that need to raise tons of money or find a buyer. Since the VC landscape has changed in light of the end of free money, they’re disproportionately being sold off.
I don’t blame the companies, though I’ve taken a bootstrapped strategy because I didn’t want to get stuck on the VC treadmill.
Someone here on HN recommended Consent-O-Matic instead of I don't care about cookies. Said “I don't care about cookies is the extension advertisers want you to install” :). Apparently it just says yes to everything. Consent-O-Matic specifically configures things to share the least amount of information possible.
Sites work much better if you just say yes to everything. Devs never test the 'no' path as well, and half the time you'll find embedded videos/maps/tweets won't display or are buggy.
Since I care about a fast efficient web experience far more than I care about leaving digital footprints around, I choose the extension that says yes to everything.
I'm more or less in your camp. I really don't care about "saying no to cookies" because I don't believe that sites will implement no properly anyway. I'd much rather be relying on the clear (hopefully!) lines being drawn by my browser and its settings.
Asking me if I'd like to allow various cookies is by far the least important part of the problem. Relying on the cooperative efforts of site owners? Really?
Why answer the question at all? I use uBlock Origin's cosmetic filters to simply delete the prompt from the page. I neither accept nor decline, and I've never run into problems with this.
I don't think I've ever seen a website that broke when I clicked "decline", or "disable all+save".
(Yes, I manually click or click-click for every website. Also, I don't think that the EU "broke the internet"; rather, they made me painfully aware that every f.in website uses cookies and other tracking methods just to give my browsing history to ~300 totally random companies for no reason.)
With a name like "I don't care about cookies" it does kind of make sense that it would just auto-accept everything. After all, they don't care about cookies.
Better to just start using Firefox multi-account containers. An add-on like I Still Don't Care About Cookies ensures you aren't bothered by the popups, and temporary containers are wiped upon tab closure so anything those sites leave behind is automatically deleted.
I found using Firefox containers (new tabs get new empty containers, sites I use often get their own separate containers but always the same ones so I don’t have to login every time) + ublock origin means that accepting cookies doesn’t matter as much anymore. Because once I close the tab, the container is destroyed and so are the cookies, and the various ad and analytics servers were not getting data anyway because uBo was blocking them.
I don't think the behavior is strictly equivalent. From this extension's description:
> When it's needed for the website to work properly, it will automatically accept the cookie policy for you (sometimes it will accept all and sometimes only necessary cookie categories, depending on what's easier to do).
I still have a copy of this addon, before it got acquired by Avast. I turned off automatic updates for extensions in Firefox, since I don't want weird / malicious code being pushed into my browser. I do this since I audit some extensions for malicious code, and want to keep the good / last-known-good version, before a tainted/malicious one arrives in my browser in an update.
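An added example, not code from the thread or from any extension mentioned in it, of the check that a "keep the last-known-good copy" habit implies: diff the pinned extension manifest against the one a new update ships and flag a changed author or update URL, permissions added without a version bump, and new high-risk permissions or host patterns. The two manifests and the watch list of permissions are constructed for illustration; the names of the extension and its owner are placeholders.

```python
"""Compare a pinned (last-known-good) extension manifest with a newly fetched one.

Added example; both manifests below are constructed and do not describe any
real extension. manifest.json sits at the root of a Firefox .xpi or Chrome .crx
(both are zip files), so the real inputs come from unzipping the two versions.
"""
import json

# Permissions/patterns that let an extension read or rewrite traffic and pages
# broadly. Assumption: this watch list is this example's choice, not a
# browser-defined set; extend it to taste.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "declarativeNetRequest", "tabs",
    "history", "cookies", "proxy", "management", "nativeMessaging",
    "<all_urls>", "*://*/*",
}

# Fields whose change signals a different party behind the extension.
IDENTITY_FIELDS = ("name", "author", "homepage_url", "update_url")


def _host_patterns(manifest):
    """Host-style match patterns from permissions, host_permissions and content_scripts."""
    hosts = set()
    for key in ("permissions", "host_permissions"):
        for p in manifest.get(key, []):
            if "://" in p or p == "<all_urls>":
                hosts.add(p)
    for cs in manifest.get("content_scripts", []):
        hosts.update(cs.get("matches", []))
    return hosts


def _api_permissions(manifest):
    """Named API permissions (everything in 'permissions' that is not a host pattern)."""
    return {p for p in manifest.get("permissions", []) if "://" not in p and p != "<all_urls>"}


def compare_manifests(pinned, current):
    """Return {'alerts': [...], 'info': [...]}; an empty alerts list means nothing a reviewer must read."""
    findings = {"alerts": [], "info": []}
    for field in IDENTITY_FIELDS:
        if pinned.get(field) != current.get(field):
            findings["alerts"].append(f"{field} changed: {pinned.get(field)!r} -> {current.get(field)!r}")
    new_api = _api_permissions(current) - _api_permissions(pinned)
    new_hosts = _host_patterns(current) - _host_patterns(pinned)
    for p in sorted(new_api | new_hosts):
        risky = p in HIGH_RISK_PERMISSIONS or p.startswith("*://")
        findings["alerts" if risky else "info"].append(f"new permission: {p}")
    same_version = pinned.get("version") == current.get("version")
    if same_version and json.dumps(pinned, sort_keys=True) != json.dumps(current, sort_keys=True):
        findings["alerts"].append("manifest changed without a version bump")
    return findings


# Constructed sample: the version a user pinned years ago.
PINNED_MANIFEST = {
    "manifest_version": 2, "name": "Banner Hider", "version": "3.4.0",
    "author": "Original Developer", "homepage_url": "https://example.org/banner-hider",
    "permissions": ["storage", "activeTab"],
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["hide.js"]}],
}

# Constructed sample: what the next auto-update would install.
CURRENT_MANIFEST = {
    "manifest_version": 2, "name": "Banner Hider", "version": "3.5.0",
    "author": "New Owner Inc", "homepage_url": "https://example.org/banner-hider",
    "update_url": "https://updates.example.net/banner-hider.xml",
    "permissions": ["storage", "activeTab", "webRequest", "webRequestBlocking", "<all_urls>"],
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"], "js": ["hide.js"]}],
}

if __name__ == "__main__":
    for level, items in compare_manifests(PINNED_MANIFEST, CURRENT_MANIFEST).items():
        for item in items:
            print(f"[{level}] {item}")
```

The comparison only looks at the manifest, which is the cheap first gate; an owner can also keep the manifest identical and change hide.js, so pin a hash of the whole unpacked tree alongside the manifest and diff the scripts when the hash moves.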
It's broken though, and messes up YouTube by persisting the cookie interstitial in an invisible overlay, making the interface unusable. This is why these types of addons have so many new versions: they have to constantly watch for changes in the JS/CSS of cookie banners.
Thank god we have community-maintained alternative forks[0]
[0] https://addons.mozilla.org/en-US/firefox/addon/istilldontcar...
> It is very wrong for the extension to change ownership without warning the user about it. I trusted the original developer of this extension, but i do not trust Avast.
I don't see the logic here. Unless Avast had threatened him, I wouldn't trust either of the parties. How do you trust someone that sells their extension to someone you don't trust and still trust them?
As other commenters have pointed out, it doesn't apply as much to actual physical products.
So this leads to the question: should any of this be accepted as the norm?
Good on you!
1. There is a "Write a review" button, but you cannot leave a review.
2. There is no owner listed on the extension page. Only the text "Featured", and some kind of rosette certificate badge.
https://chrome.google.com/webstore/detail/i-dont-care-about-...
Change just happens, you need to be on top of it, to not miss things like this. This isn't going to have a technological solution.
So I just refuse and skip all updates, but yeah that's not an option with extensions afaik.
1. Open application menu
2. Add-ons
3. Extensions
4. Click the gear icon
5. Uncheck "Update Add-ons Automatically"
It's called "being a for-profit company."
It's not just that - some services are literally unrenderable without cookies! (Fewer these days at least).
https://addons.mozilla.org/en-US/firefox/addon/consent-o-mat... (Firefox)
https://chrome.google.com/webstore/detail/consent-o-matic/md... (Chrome)
https://consentomatic.au.dk/ (Official site)