Google removes privacy-focused ClearURLs Chrome extension

[mood]

Google removes privacy-focused ClearURLs Chrome extension

 

 

Google has mysteriously removed the popular browser extension ClearURLs from the Chrome Web Store.

 

ClearURLs is a privacy-preserving browser add-on which automatically removes tracking elements from URLs. This, according to its developer, can help protect your privacy when browsing the Internet.

Extension removed from Chrome Web Store

ClearURLs is a web browser add-on available for both Google Chrome and Mozilla Firefox tasked with removing tracking bits from the URLs.

 

Many websites have superfluously long URLs with the extra parameters that have no functional value but are simply used for tracking purposes. This can especially apply to links present in newsletters, for example:

 

https://example.com?utm_source=newsletter1&utm_medium=email&utm_campaign=sale&some_other_tracking_bits=...

 

Interestingly, Google search result URLs are no different.

 

When clicking on an image search result, for example, Google does not immediately send you to the original URL of its webpage, but rather an intermediary URL which redirects you.

 

https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.bleepingcomputer.com%2F&psig=AXXXXXYAWa

&ust=1616XXXXXXX&source=images&cd=vfe&ved=0CXXXXe-p3XXX

 

The extra parameters in the URL above (ved, cd, etc.) are simply tracking bits and referrers used for analytics.

 

Google search results may incorporate tracknig elements too, like many websites across the web

 

ClearURLs is designed to filter out such tracking parameters from URLs and enhance the user's privacy online.

 

Should all links be stripped of such extraneous tracking data, they would end up looking rather minimal in length, comprising only of the essential bits.

 

However, in a mysterious move by Google last night, users saw ClearURLs disappearing from the Chrome Web Store with its page throwing a 404 (not found) error message.

 

ClearURLs Chrome extension removed

 

"Yes, ClearURLs were blocked by Google 7 hours ago."

 

"The reasons for this are ridiculous and probably only pretended because ClearURLs damages Google's business model."

 

"ClearURLs has made it to its mission to prevent tracking via URLs and that's how Google makes money. I think that ClearURLs now has so many users that it is unwelcome for Google and they would like to see the addon disappear permanently," said Kevin Roebert, the developer behind ClearURLs.

 

The developer appealed to Google against the blocking of the extension and heard from Google. 

 

In a copy of the email shared by the developer, Google claims that the description of the extension is "too detailed" and in violation of Chrome Web Store rules.

"The mention of all the people who helped to develop and translate ClearURLs is against Google's rules because it could 'confuse' the user. Ridiculous," continued Roebert.

 

Google also stated that the description of the extension did not mention it contained certain features, such as the settings import/export feature, logging functionality, and a donation button which was misleading.

 

Google also claimed in the email that the extension unnecessarily requires the clipboardWrite permission.

 

ClearURLs requires the clipboardWrite permission

Source: BleepingComputer

 

"But that's not true, and I've had a description for each permission in the Chrome Web Store Developer Dashboard for well over a year now."

 

Roebert had initially refuted Google's claim stating that clipboardWrite had a legitimate need in the application for writing clean links via the context menu into the clipboard.

 

However, when asked for further clarification on the matter, Roebert shared some insights with BleepingComputer.

"As it turned out, this is actually not necessary anymore since a few versions, because I switched to another method of copying to the clipboard."

"So the permission was still a relic from an earlier version of ClearURLs," Roebert told BleepingComputer in an email interview.

 

But, the developer also expressed that some suggestions made by Google in their email response were contradictory.

"The description of ClearURLs is said to be misleading because it is too detailed and describes irrelevant things."

"What exactly is irrelevant about the description was not communicated to me by Google. So it is hard for me to fix this."

 

Interestingly, this suggestion by Google contradicts their another suggestion in the same email to the developer, which reads the description of the functions lacks detail. 

 

"Here Google says that the description of the functions of the addon is not detailed enough and therefore deceives the user."

 

Roebert is referring to the aforementioned functions: 'Donate, Badges, Logging, Export/Import'.

"This almost reads like a joke. No user seriously cares about during installation if there is a way to donate, a badged indicator, a log for debugging, or a function to save and restore settings."

"The task of the addon is to clean URLs, I described these functions and not that there is also a donate button. But Google wants that these 'important' functions are also described because otherwise the users are 'deceived.' I have now added this to the description," the developer further told BleepingComputer.

Users cite concerns from RCE flaw to "antitrust"

This development quickly started making rounds on public forums, including Y Combinator's HN.

 

Whereas some users criticized Google's decision to remove the extension, citing "antitrust" concerns, others pointed out that ClearURLs extension had previously contained an arbitrary code execution flaw.

 

One of the users commented that it was rather hard to believe that a company like Google would be concerned enough by this "itty bitty extension" to have an impact on its business model or that these were the grounds to remove it from the web store, thereby scrutinizing what the extension's developer has claimed.

 

But, other commentators stood by concerns that Google's vast influence over Chrome development, its extensions or web standards could be problematic and indicative of the company monopolizing the space.

 

Users cite concerns including "antitrust" and security flaws

Source: Hacker News

 

Meanwhile, another commentator alleged that last they had checked, the ClearURLs extension had a security issue:

"I'd love to use ClearURLs, though last I checked it had a major flaw: it allows arbitrary code execution by the provider of the filter list."

 

"Among other things, it can redirect script URLs to arbitrary sources, and the filter list is periodically updated from a GitLab page, which enables the filter list provider to perform a targeted attack by serving a malicious filter list to a specific device," yet another user commented.

 

Multiple users also suggested that this move had reinforced their loyalty to using Mozilla Firefox as their choice of web browser.

 

BleepingComputer has reached out to Google before publishing this article and we are awaiting their response.

 

In the meantime, Chrome users can download and manually install the ClearURLs extension from the project's GitHub releases page.

 

Update 24-Mar-21 9:30 AM ET: Added statement from ClearURLs developer, Kevin Roebert.

 

 

Source: Google removes privacy-focused ClearURLs Chrome extension

[mood]

The curious case of ClearURLs' removal from the Google Chrome Webstore

 

ClearURLs is an anti-tracking web extension that I have been using it for a long time, and reviewed it at the blog nearly 2 years ago. It is one of many privacy related add-ons that I use along with UBlock Origin, Multi-Account Containers, to name a few.

 

 

I came across a thread on reddit's Firefox sub yesterday, where I learned that ClearURLs has been removed from the Google Chrome Webstore.

 

As a long time user, I was naturally curious, and also slightly alarmed. Was there a reason for me to be worried? That's when I headed to the add-on's official GitHub page, where a user had raised an issue regarding the extension's absence.

 

For those unaware, here's a gist of what the add-on does. Its primary feature removes tracking elements from URLs. This is usually the extra part of a link that is completely unnecessary for you to visit and view the page that is being linked to. You may have seen really long URLs that takes you from one website to another, which is quite common when referral links are used. A website that wants to earn some commission for a product that it is affiliated with, adds a trackable link, for which it is paid a compensation fee. That is not exactly our problem, the issue is the landing page knows where you came from, which in layman's terms boils down to online tracking. This is a violation of your privacy, and it also happens when you click on ads.

 

Oh, and I should point out that ClearURLs is one of the extensions recommended by Mozilla. So, a privacy-focused organization loves it, while a company that relies heavily on online advertisements for its revenue removes it. Gee, I wonder who I should trust!

 

Here's the link to the Webstore page in question. I digress.

 

Let's see why the extension was removed from the Webstore. The response from the developer, Kevin Roebert, sheds some light on the issue. He has posted a screenshot of the message he received from Google, it's in German.

 

 

He states that the reviewer who removed the extension claimed that the description of the add-on is too detailed, and that is a violation of the Chrome Web Store's policies. Wait, what? Yes, you read that correctly. Well this does sort of explains why we see the extensive change-logs we see every so often with the "Bugs fixed" or "New features were added." They don't want to tell us what they did, because we may not like it.

 

 

Apparently, ClearURLs' description was so good that it could confuse the user. That is pure gold, isn't it? Among other claims the removal notice states that the extension is misleading because it has an export/import button (used for the settings), a built-in option for logging and debugging.

 

The translated text (attached on GitHub) from the reviewer tells that the developer has not provided descriptions of what the buttons in the add-on's interface do. Is that a reason to ban an extension?

 

 

The ClipBoardWrite permission mentioned in the above image has been deemed unnecessary and removed in the latest version of the add-on. According to a comment from Roebert, the permission wasn't being used at all, so that doesn't seem like a valid reason to remove the add-on either. The third violation makes no sense, how is ClearURLs providing misleading information about itself?

 

The developer has commented that the description was written based on suggestions made by Mozilla's press department, specifically so users can understand how the add-on works. You can go to the Firefox AMO where the extension still exists and read the description there (or check the screenshots below). The wording is quite extensive.

 

 

My guess is someone didn't like the penultimate line in the above image.

 

 

ClearURLs' developer says that the add-on's Webstore description had been used for over a year. So, why did Google remove it now and not earlier? Roebert's theory is that it is because the add-on has many users now and that it is hurting somebody's business. Here's an article that explains what data Google collects from you using Chrome.

 

Oh, and if you aren't aware of it, Google has enabled Manifest V3 in the beta version of Chrome. This controversial move could possibly be the end of ad-blockers for the browser. It may not be directly related to this article, but I just wanted to point out the general direction in which we are heading in terms of privacy.

 

There is a discussion on Hacker News that says ClearURLs could be used for potentially dangerous. Apparently, and I use this word because I'm not a developer, the extension allows arbitrary code execution aka targeted attacks if a filter list contained malicious stuff. The developer has responded to the issue in a comment on GitHub.

 

Comments on the GitHub issue suggest visiting the project's releases page, get the CRX file and drop it onto your browser's interface. This didn't work for many users (including me), the developer says that's because it is not signed by Google.

 

If you want a ClearURLs alternative, you want to take a look at NeatURL. You can also install it in Chrome directly from the GitHub page.

 

 

Source: The curious case of ClearURLs' removal from the Google Chrome Webstore