TL;DR
- Google Chrome is set to make sweeping changes to how extensions work via its transition to Manifest V3, but privacy advocates warn this could deal a major blow to popular tools like ad blockers.
- Over the next year, developers will scramble to update their extensions before Google begins disabling the existing Manifest V2 standard in mid-2024. Users meanwhile face uncertainty over whether their favourite plugins will retain full functionality or see their protections weakened.
- This controversial update from Google has been years in the making yet still faces criticism, and rightly so.
A Primer on Browser Extensions - Manifest Standards: V2 vs V3
Web browser extensions allow users to enhance their browsing experience through tools that can block ads or trackers, add functionality to websites, alter browser behavior and more. All major desktop browsers support extensions, though policies differ on capabilities between browsers like Chrome, Firefox, Safari and others.
Regardless of the browser, all extensions require a basic configuration file called a manifest to function properly. This manifest.json describes the extension’s capabilities, permissions required, icons displayed and other identifying metadata. For example, here is uBlock Origins manifest file
The current dominant version of this specification is Manifest V2, first introduced by Chrome in 2011. It has since become the de facto standard used by Chrome, Firefox and other browsers to ensure extensions work as expected and don’t access more user/system data than necessary for their function.
Manifest versions act like programming language updates - they often tighten security, introduce new capabilities or reshape how existing features work. That’s precisely what Google aims to achieve with Manifest V3, though in a way that has serious implications for the ad blocking and privacy extension communities. Buried under claims of "security" and "privacy" are more questionable motives regarding Google's reliance on tracking users and serving ads.
As YouTuber Nick puts it:
This context is crucial to understanding their promotion of Manifest V3.
At its core, Manifest V3 aims to replace WebRequest - the backbone API enabling ad blocking and content filtering extensions such as uBlock Origin - with a more limited alternative called DeclarativeNetRequest.
Where WebRequest allows intercepting and reacting to network requests in real-time, DeclarativeNetRequest requires blacklists to be pre-defined without access to page contextual data. This directly threatens how popular privacy tools operate.
AdGuard, a prominent ad blocking extension maker, helpfully summarized key differences:
- WebRequest provides raw access to HTTP headers and body, DeclarativeNetRequest does not
- WebRequest supports dynamic rules executed on every request, DeclarativeNetRequest requires static rules defined upfront
- WebRequest responses can be modified, DeclarativeNetRequest cannot modify responses
- DeclarativeNetRequest has strict quotas on rule size
- Restrictions on Cross-Origin Access - V3 prohibits techniques used for contextual ad blocking based on page analysis.
In other words, the new API cuts extension capabilities literally in half compared to the current powerful monitoring abilities. Extensions must predict exactly what to block ahead of time rather than reacting dynamically based on real browser and site activity.
Ghostery, a major ad/tracker blocking extension, demonstrated V3 would render over 90% of their current capabilities unusable. Given Google's financial interests, many see Manifest V3 as a trojan horse targeting these functions under the guise of security upgrades.
While transparency about motives is lacking, most agree that WebRequest does introduce theoretical security risks. So what are the technical reasons cited by Google, and how valid are concerns V3 weakens digital privacy? Let's examine the key arguments on both sides.
Google's Stated Rationale for V3
Performance Claims
Google suggested some extensions over-utilizing Web Request negatively impacted browser performance. However, ad blocker developers refuted these claims, showing any impact negligible - only a few milliseconds at best.
Without evidence, this reasoning seems disingenuous. Web Request is very lightweight since it only activates when traffic is intercepted by rules, unlike the speculative approach of Declarative Net Request.
Security Risks
Google says around 42% of malicious extensions abused the power of Web Request. While true, developers argue these bad actors would find other ways to operate and a human review process already vetted extensions on download.
So at best, V3 only addresses a portion of threats while sacrificing legitimate extension functionality. Critics argue it does little overall for security besides restricting privacy tools Google sees as competition to its own revenue streams.
Privacy Concerns
Google portrays Web Request as a privacy issue since it allows intercepting all traffic. But proponents note blocking or filtering sensitive data client-side before it ever leaves the device enhances, rather than harms, privacy.
By limiting this capability, V3 weakens users' ability to opt-out of certain trackers or undesired ad experiences and pushes more data directly into Google's own infrastructure unfiltered for profiling and targeting purposes.
The Transition Timeline
Originally announced way back in 2018, Manifest V3 encountered immediate and fierce backlash upon unveiling plans to undermine ad blocking functionality. Widespread criticism forced Google to delay the transition timeline repeatedly. But Google has announced in a recent blog post that they will be moving forward with the transition with the following timelines:
- June 2024 - Original deadline for phasing out the old Web Request API on Chrome Dev/Canary channels, preventing new V2 extensions.
- July 2024 - Transition expected to more forcefully hit stable Chrome users, limiting V2 extensions overtime.
- June 2025 - Enterprise exemptions but only through deployment configuration policies for one final year.
So existing Manifest V2 extensions effectively have until mid-2024 before stopping work in newer Chrome versions going forward. An additional year is given for business users, but Google maintains control over the final sunset date.
As with previous Chrome changes limiting ad blocking, privacy tools face a ticking clock to either alter functionality under V3's constraints or risk future users unable to install established, trusted extensions offering less robust protections post-2024.
Implications for Developers
Understandably, developers share strong reservations regarding Manifest V3 and the difficult choices it poses:
- Legacy extensions must be overhauled to fit new restricted API models like Declarative Net Request, compromising core capabilities.
- Maintaining two versions (V2 for Firefox and V3 for Chrome) burdens engineering resources small teams cannot sustain long-term.
- Most will feel compelled to comply with V3 to retain access to Chrome/Chromium's enormous market share (63% globally), even if the technical changes harm users.
- Firefox as the sole alternative browser lacks scale for viable monetization, leaving developers with little leverage against Google's policies on the primary ecosystem.
This puts extension authors in an impossible position - either settle for hobbled privacy protections to reach the masses or direct efforts to niche browsers unable to sustain independent, high-quality development over the long run.
Implications for Chromium browsers' Users
Users also experience unclear tradeoffs from Manifest V3:
- Trusted ad blocking and privacy tools may retain basic functions but lose precise controls and sophisticated rules processing core to their effectiveness.
- Less tech-savvy individuals risk losing important privacy and usability protections without realizing extensions were downgraded post-2024.
- Alternative browsers remain a hard sell against switching costs and Google's lock-in from services like Gmail, Drive, Photos etc tying users to Chrome.
- Long-term impacts likely see more pervasive online tracking as pluggable extensions get sidelined in favor of whatever Google chooses to selectively allow or block internally.
- Users have limited sway against policies from a near-monopolist controlling the dominant platform without serious cross-browser competition or regulatory intervention.
For most average Chrome consumers, the path of least resistance seems accepting diminished privacy safeguards rather than proactively switching to a less supported browser. But the effects stand to undermine the open web as an accessible, participatory platform for all.
Alternatives and Responses
Fortunately, not all tech firms remain passive as Google tightens controls. Other browser vendors are working to preserve both user choice and extension capabilities:
- Firefox pledges ongoing WebRequest support alongside Manifest V3 to retain competitive ad blocking tools through "
webextensions.webrequest" support. - Firefox is also investing in its own built-in tracking protection and enhanced privacy functions to remain a viable Google Chrome alternative for concerned users.
- Brave browser focuses on blocking at the network level using the same techniques as popular extensions to maintain robust privacy without additional plugins required.
The path forward remains uncertain. Users determined to opt-out of pervasive tracking face an uphill technical challenge as Google leverages dominance to shape the landscape. Regulators too seem content overlooking privacy and competition concerns from the player controlling online infrastructure.
Developers and users alike feel backed into a corner by policies from a near-monopolist ruling the primary ecosystem. Meanwhile competitors struggle overcoming the collective inertia keeping Chrome the default without serious intervention.
The next year presents a pivotal test of whether user choice, cross-browser plugins or robust privacy defenses against commercial surveillance can endure Google's shifting priorities. Or will a technical transition solidify their influence over everything from search to browsers to online experiences?
Only time will tell the ultimate impacts as stakeholders strategize workarounds or regulatory responses. But Manifest V3 looms large as a defining moment that could re-shape the balance of power across the entire digital landscape for years to come.
