Cloud Privacy: How is your extension paying for its development?
cloud
GAFE/ Chromebook

Cloud Privacy: How is your extension paying for its development?

You don’t get something for nothing….

There’s no such thing as a free lunch…

everybody’s got to eat…

Home truths, that could be extended (pun intended) to extensions. Developers of extensions are no different than the rest of us — they don’t generally work for free.

The ones that do (and again we’ve been down this road before with iPad apps), well, don’t expect a lot of longevity or support — you get what you pay for.

A lot of the extensions that you don’t pay for aren’t actually free, they just use a different currency – information. You’re trading the information that comes out of your web browser – where you go, what you read, how long you’re there, what sites you return to, what adds you click on, what you’re emailing/messaging about, what links your sharing etc. etc. etc. — for the functionality of the app.

That data gives granular insites into people’s behaviour on the internet, and is therefore profoundly valuable to all sorts of people: software developers, advertisers, data resellers, research firms, content makers, designers… the list goes on.

For example, some adblockers are open source and community driven. Others, however, sell their data to advertisers.

What an extension does with your information or needs to do to continue working, is critical because you are giving them permission to gather, basically anything they want.

Permissions

Permissions in Wikiwand extension screenshot

The permissions statement in the picture above for Wikiwand is a standard one.

Read and change all your data on the websites that you visit.

That’s it.

Simple, clear and hugely sweeping with enormous breadth.

You’ll probably find it on most of the extensions you’re using (just go to Settings in Chrome, select Extensions and click on details for any of your extensions.) Snap & Read uses the same statement, plus adds

Manage your apps, extensions, and themes.

And

Read all text spoken using synthesized speech.

But at least with the extensions you pay for, you know how the developers are making money. Also they should be able to tell you exactly what data they are collecting, when and for what reason. A little more detail than the statement above.

Of PIPEDA, FIPA, and all the other PIPA’s

This is very important for schools to keep in mind because they may be installing an extension on a school computer that trade in data violating the Personal Information Protection and Electronic Documents Act (PIPEDA). This is the federal law covering privacy. Then there are the various provincial acts, (eg. FIPA in Ontario, Alberta and BC’s is called PIPA. Some jurisdictions have specific legislation covering health information).

Or as the Office of the Privacy Commissioner sums up one of the key obligations of the act:

Even with consent, you have to limit collection, use and disclosure to purposes that a reasonable person would consider appropriate under the circumstances.

(https://www.priv.gc.ca/resource/fs-fi/02_05_d_16_e.asp)

School boards' obligations in regards to student privacy may also fall under local provincial law . In Ontario that’s the The Municipal Freedom of Information and Protection of Privacy Act.

Think how parents would react if they found out their school was selling or giving away student personal information for the sake of a free service? There would be justifiable outrage, but a lot of “free” extensions are giving a service in exchange for information.

So before you install an extension you should be asking how is this thing being paid for?

But even if there is no commercial intent for selling the data (consider what happens, however, if the company goes bankrupt or is bought — perhaps a new owner might seek to gain value that the original owners had not intended), if that data is collected it is incumbent for educators to ask questions about its security.

That’s why the next post, will consider what happens when the servers are hacked or breached.

–Bogdan Pospielovsky

Leave a comment

Please note, comments need to be approved before they are published.