Recently, Google took an extension down from the chrome web store that I had previously been using as part of a research project. Here are my thoughts on the matter.
An experiment with extensions
First, it is worth mentioning that the extension was originally used for a pilot study a while ago, and isn’t any longer in use, so no-one is being adversely affected by this. I also fully support any move that will increase users privacy, and like what I’m seeing.
But it does strike me as a little hypocritical that google should take down a tool which was being used to collect data for research when their whole business model is about hoarding data. Whatever, I’m not the multi-billion-dollar-conglomerate, so what does my opinion count?
The extension in question was used in a controlled study environment, and collected the following data:
- Domains of sites visited for the duration of the experiment
- Some code that people wrote in an editor
- An email address
If that’s how google wants to handle things, fair enough. For a long time the web store has been a hive of malware, and if Google are finally cleaning up and police their storefront, that’s a good thing. I’ll take down my extension and find some other route for measuring data in future research projects if it means there will be less malware for people to encounter.
For now, as part of further research, we’ve decided to build a custom system that has all of the coding side integrated using a GitLab instance. Once built we’ll be able to handle the code collection, execution, e-mail addressing and any questionnaire stuff ourselves. If we want to handle visited domains, we’ll need to work something else out though that would be in line with extension hosting guidelines.
To summarise my thoughts on a perspective of google’s newfound privacy-centric attitude:
- Their developer guidelines require Prominent Disclosure of collected data – This is when you state up front, clearly, what data is going to be collected whenever it gets collected. When we collected data, there was a big red banner that said “Domains you visit are currently being captured” that was added to the webpage. I can’t help but notice that Google doesn’t prominently disclose the fact that they are capturing your data every time you search, watch a youtube video, use your android phone in any fashion… you get the idea.
Some advice for researchers:
- Any time data is being collected (private or not, just to be safe), use big red warning banners to let participants know whats happening. I appreciate that this could feasibly impact the neutrality of the data in some circumstances, but informed consent is still important.
- Treat your extension (indeed any software or setup used) as if it was going to be public, even if it is marked as private or unlisted. This comes in handy if you have to rely on a 3rd party, but should also future proof your setup should you wish to open source it at a later date (something I would strongly recommend doing for replication reasons).
- If using a browser extension, avoid the browser vendor webstore entirely where possible – if you’re doing the study in-person, this should be doable. You won’t have to worry about Google / Mozilla making changes to their service mid-experiment. This is a consideration to have if you want remote participants.
And some advice for Google:
- If you’re going to hold developers to such a high standard of privacy, good for you. But maybe consider holding yourselves to that same standard. It just seems like the right thing to do.