Hi,
This is Joel, the developer of Awesome Screenshot, which the article mentioned.
First of all, I apologize for what I did in the last version a day ago.
I'd like to share with you my intention for this Amazon + Google search feature.
1) It's from my need. When I search some shopping items from google, I always want to check them in amazon also.
2) It can help us make a small amount of money.
3) I provide an option to disable it.
However, I did it in the wrong way. I should have done it like this:
1) Disable it by default.
2) Ask the user's permission to enable it.
3) Tell users why we add it.
I did it wrong but still respect users. This feature existed for only one day and I removed it in the new version (3.2.1).
You should be more honest and re-order 1 and 2. Putting affiliate links into Google search results isn't even in the same category as taking a screenshot of a page. Why "scratch that itch" in an extension that is completely unrelated unless your primary interest was to make money?
Now there's nothing wrong with making money, and I don't even disagree with the way that you attempted to monetize the awesome screenshot extension (via affiliate links). But be honest with users about your motivation. Most will understand.
No need to remove it. Just disclose it to the users. It is supposedly a great plugin (as per rating on the chrome store), and you deserve to be compensated for it. Just let people know at the time of installation how this plugin is expected to trickle some money for your efforts, and you should be fine.
My initial reaction to this was shock and disgust and I quickly uninstalled the extension.
However after seeing Joel's actions to address the issue promptly I'm glad to re-install the newest version.
I think, like many users, I really don't (didn't?) mind as long as the details of what's going on behind the scenes in the extension are clearly explained. I would even be happy to pitch in a few affiliate shekels with the developer of the app.
Hey. I used AwesomeScreenshot quite often, but I've since uninstalled it. I installed a tool to take screenshots of my browser, not to hijack my Google search results with a shitty Amazon search that I end up clicking on half the time because the content loads in one second after the rest of the page, replacing the first search result under my mouse.
If I wanted Amazon search results for my Google searches, I would install an addon to do just that. Bundling that sort of behavior with AwesomeScreenshot is just another form of malware, and is no better than something like Skype spamming up my system with unasked-for browser toolbars and adware. I appreciate the tool, but I'm not going to run any of your code if you feel it's acceptable to play fast-and-loose with your userbase like that. I'll find/write my own.
The answer from the developer of Awesome Screenshot:
===
Developer 1 hour
@All, since many of you don't like this feature, we removed
it in the version 3.2.1.
===
Developer 39 minutes
@All,
Hi All, This is Joel, developer of Awesome Screenshot. I am so sorry to add
the Amazon search result in the Google search result page without informing
our users first. It's such a bad decision.
This additional feature was designed to scratch our own itch. Because when
I search some shopping items in Google, I always want to check them
in Amazon at the same time.
In the spirit of transparency, we should disclose that this feature
does bring a small amount of revenue to us, which enables us to continue
to improve this product. Since so many users don't like it,
*we already updated a new version (3.2.1) to remove this feature*.
I think they should make this feature optional and disabled by default.
Nobody would ever see it. Enabling new feature discovery in software is a very hard problem. Just throwing in features and hoping people will find them is not a good philosophy.
In this case, I would probably have shown it by default with text including "why am I seeing this?" and a "don't show this anymore" button.
I provided a customize button beside the amazon search result page for users to disable it. But it seems many users don't like it, so I removed this feature completely.
1. The feature is orthogonal to the plugin. Alone, you probably could have survived this one.
2. The feature came to light for many through negative press. With number 1, that pretty much kills the feature in the current extension.
Rather than just killing the feature altogether, though, you could release it as a new extension. Add a couple other ecommerce sites and call it a shopping assistant.
I'm not sure how you can download an extension before installing but in Ubuntu after you've installed it you can look at the source under ~/.config/google-chrome/Default/Extensions/ (or in Windows C:\Users\You\AppData\Local\Google\Chrome\User)
The misspelling in the blurb "Crack open any extenstion or web app in a gallery and see what it actually does before installing" doesn't render a lot of trust.
I doubt using typos to discredit other people's work or opinions is rational or polite. I didn't write that extension, but he/she could just be a non-native speaker like me. What's your problem with people who don't speak and write in your native language? Can you write in mine, 100% error free?
I have absolutely no problems with people who don't speak and write in my native language. You're misinterpreting my comment, which was intended to be constructive, and responding with an ad hominem attack by suggesting that I am bigoted.
I think it's quite rational to suggest that work is of dubious quality if something as important as the tagline or elevator pitch contains errors that should be caught by a proofreading or spell-checker. The author spelled it correctly in the title and elsewhere in the text, so it's a simple error, not a lack of knowledge. It would be impolite to not suggest improvements, because the author could use my help.
A rational response to my comment would be exactly as you have done with drv's comment: "Fixed typo, thanks!"
Do you generally measure code quality using typos in unrelated (to the quality, that is) copy? I've seen worse errors in the MySQL docs, but I still trust it to hold data.
Meta: Wow, I didn't expect to be downvoted for this. I wasn't trying to discredit the extension, I just wanted to be helpful. The attempt at humor probably didn't improve my case any, but I can't edit it anymore.
How can I submit comments like this in the future? I didn't see an easy way to submit feedback to serg472 (the author's name isn't clickable, and there's no email as described in http://www.google.com/support/chrome_webstore/bin/answer.py?...), so I dropped it here in case the parent, who was obviously supportive of the extension, wanted to forward it to someone who could take action.
Anyone could review extensions in Chrome's gallery and provide a seal of quality or recommended avoid list.
With Chrome's model, competing groups with different priorities could recommend different sets of apps to use or avoid, just like competing review magazines for consumer goods.
Mozilla's model invites pressure from DHS to kill specific apps the government doesn't like. So far Mozilla has rejected calls to kill extensions that help circumvent state sponsored blacklists,* but for how long?
As Google learned in China, if there is a technical measure which could hypothetically suppress speech, then some government will eventually demand its use.
While I don't like the Awesome Screenshot approach, high profile startups like Posterous seem to take a similar approach (stealthily rewriting links in blog articles) and hardly anybody from the tech elite seems to mind.
I think the title of this post is too alarmist. Chrome makes it very easy to install or remove apps, unlike traditional desktop applications.
I recently released a Chrome Extension myself https://chrome.google.com/webstore/detail/ifhpbfmklgecpflbnb..., and was surprised that Google requires a $5 payment from developers, supposedly to prevent malware and spam, even though most extensions are free. I suppose Google largely counts on ratings and comments to moderate content.
If the Chrome team also have access to the source of these plugins, it seems pretty irresponsible that there's no audit process whatsoever. There should at least be random audits, particularly of popular applications.
Chrome supposedly has a better security model (not to say that FF's is bad), but if it gets in the way so much that users are in the habit of allowing all extensions access to everything, then it's not really better.
"Changes to default home page and search preferences, as well as settings of other installed add-ons, must be related to the core functionality of the add-on. If this relation can be established, you must adhere to the following requirements when making changes to these settings: The add-on description must clearly state what changes the add-on makes. All changes must be ‘opt-in’, meaning the user must take non-default action to enact the change. Uninstalling the add-on restores the user’s original settings if they were changed."
Something that could be improved upon is a better sandbox. Too many extensions seem to need my data on all sites. Maybe some extensions could work just as well with a copy of the DOM instead of the DOM itself?
And a policy that extensions must not be minified and some buttons on the extension view to read the source code with syntax highlighting and all.
Google's corporate philosophy seems to be to reduce manpower needed to run operations to the bare minimum possible, and if something cannot be automated, they prefer not to do it, thus maintaining their high margin of profit.
That's why they try to tweak the search algorithm instead of banning or downranking abusers outright, have no approval process for the Android market, make it next to impossible to reach a human for support for Google Apps, Gmail etc.
That's the reason they have only 29,000 employees, compared to 19,000 in just Motorola Mobility.
So don't hold your breath waiting for the Chrome team to audit extensions or Chrome apps anytime soon.
I wish they could at least crowdsource some of the work, like allowing search users to label spammy sites and downrank them based on the collective users' authenticity (calculated from Gmail account's age, usage, Google+ usage) so that spammers can't do the same.
A few months ago I discovered a similar situation with a very popular extension (300,000+ users). It removed Facebook ads, and injected its own. After a quick search, I found 4-5 others that were doing the same. Took Google over 3 weeks to remove them.
Also, think twice before visiting any website. A web browser can be used for many things. Some of those things (like running extensions, or visiting web pages) have the potential to deliver malicious code to a user's machine. It is not Google's responsibility to police the content of the web, or the content of Chrome extensions. Although one could argue that it would be wise for Google to use its vast resources to provide recommendations/warnings on extensions, similarly to what it does for links in Google results that it suspects are delivering malware.
Odd, I've had that extension installed for a while now and have never had any of those amazon ads inserted into my content. Uninstalling awesome screenshot just to be sure.
So in principle the Chrome gallery has the tools in place to prevent these abuses. The extension listing page states what permissions the extension will have (if it says "access all web pages", then you certainly should think hard before installing it!), and the user reviews and ratings mean users can call out bad behaviour (like this sneaky affiliate link adding) and warn other users.
Unfortunately both of these things are pretty broken in the Chrome gallery at present. The warning about what the extension can access is fairly muted, and you have to notice and read it - unlike when you install a Facebook or Android app, when the permission dialog interrupts the install flow so you have to at least see it before you can install. And the implementation of user reviews is terrible - there's no way for the extension author to reply to a misinformed or misleading review, except to leave his own "review" (yes, you can review your own extension).
The "access all pages" permission is required for "content extensions". That's any extension that interacts with web content. They can limit themselves by domain, but that's it.
Even simple UI tweaks, like changing how scrolling works, can often only be implemented by injecting into every page. Since Chrome doesn't understand the meaning of any web content, it can't pick and choose what an extension has access to in any useful way. As a result, the permission model is just not terribly useful for extensions, besides the site-specific ones.
Also, last I checked, reviews worked essentially like comments and I could effectively reply to issues on my extension's page. Maybe that has changed by now.
There's a big difference between "can access your data on domain.com" and "can access your data on all websites". (And not all extensions need to modify pages, even Chrome ones.)
I didn't say you shouldn't install extensions that require content privileges (indeed I would highly recommend that you install at least one [1] [2]); just that you should do so with care, and decide whether you trust their authors, because of the broad access they have. The advantage of the Mozilla approach of reviewing every extension is that they (partially!) offload some of the trust decision from the user onto the reviewers.
As I said above, you can respond to a review with your own review, but that's a broken way of doing it: the author's response isn't visually distinguished, and there's no way to ensure it appears anywhere near the review it's responding to, so there's a high chance prospective users will just read the negative or misleading review without seeing the response.
(Concretely: someone can "review" your extension by saying "this extension is evil and spies on all the sites you visit", and your only options as an author are to leave another review halfway up the page saying "@anonymous: oh no it doesn't", or to abuse the "mark review as spam" button.)
I completely disagree with the conclusion of this article. Consider Apple's App Store. Supposedly, the application and review process makes things safer for end users. Unfortunately we've seen this is not always the case. Additionally, Apple's policies have been harshly criticized by others as being a walled garden that stifles competition.
Can Google really expect to keep an app like this from slipping through their approval process? It's not like the extension runs and crashes Chrome while sending your browsing history to DoubleClick.
I think a better way to approach this issue is to engage the users when they install an app with flexible permission settings, by saying "These are the things this app is allowed to do. If you don't want it to do all of these things, you may uncheck specific permissions. Be aware that restricting this extension may cause it to not work properly".
That's a bad idea. People will always click through warning and permission screens; increasing the complexity of warning screens simply increases the likelihood that people will click through it without reading it.
Safari extensions too. I installed Dictionary by Slice Factory. Then, when I was shopping on Amazon, I got a huge in-browser pop-up asking to help me find products with the lowest price. They do have an opt-out feature, but it was very disconcerting since initially I had no idea where this came from.
Extensions really can't do anything without specifying permissions explicitly in their manifest. Those permissions are then shown to the user when extensions are installed. I don't see the problem here.
And inserting links in a search results page is hardly the type of malware the title of this article implies.
Hackers place a high value on veracity of information. Altering a search result page without complete transparency ahead of time is not cool. Altering a search result page in a way that filters money away to someone else is exactly what some malware does.
This is why I only use bookmarklets. I click, they run. I don't click, they don't run. Sure my Readability bookmarklet might be collecting a couple of links I have trouble reading, but at least they aren't doing anything malicious when I'm not using them.
The developers of this app just lost a lot of trust! Be honest with your users. That's the first rule of developing a good product. It does not matter how much they apologize now, a lot of users aren't going to trust them anymore!
This is Oliver Roup, CEO of VigLink. Merchants generally offer affiliate programs to encourage the creation of content discussing their products or the development of services where such content tends to develop.
Extensions like this one have neither of these characteristics and instead are seen as a "tax" by the merchants - they drive up costs without any benefit. This is of course not welcomed by the merchants and as a result, VigLink does not permit this type of use of our service.
The account this extension references was terminated quite some time ago, not long after we discovered it. Although the extension continues to insert our code (we cannot prevent it) we do not affiliate any clicks on the account and the extension owner is making no money through VigLink.
Oliver Roup
Founder / CEO, VigLink
oroup@viglink.com
Wasn't able to move to Chrome from Firefox. No proper replacement for Vimperator/Pentadactyl. Vimium just doesn't cut it. Doesn't work on all pages, often stops working. Any chrome users here who use vimium (vim bindings) who might share some inputs?
I wondered where those Amazon ads were coming from! This is definitely shady; to have websites modified without your knowledge is unnerving. With such a successful extension, there must be a better monetization idea than tricking users.
Why is everyone treating this as something new?!?!
you run code on your machine, you have to trust it.
Heck, i don't trust even stuff i download from the app store! and I still limit the talk of my wii with nintendo servers on my router.
the chrome extensions just add a little insult because it 'seems' official or something. Much better the grease monkey way, full of warnings so the user remembers that he has to think for himself.
There should be a permission for contacting external sites. That's where the biggest security threats lie and most extensions, like a screenshot extension, don't need to be making requests to other sites (like Amazon).
The extension requests permission to access "Your data on all websites" and "Your tabs and browsing activity". I guess what I'm saying is that there should be a distinction between permissions for accessing stuff in the browser and accessing external data through AJAX and other resource requests. Besides cutting off extensions themselves from the outside world, Chrome would just have to prevent extensions from injecting scripts or elements that made external requests into loaded pages by disallowing <script>, onclick='', src='' etc... from being added to the HTML and DOM of those pages.
For example, say you wanted an extension to be able to take a screenshot of Amazon, but not get access to everyone's private data on Amazon. This is not currently possible in Chrome. To get the screenshot, you need to allow access to Amazon.com in the permissions list of the extension config, i.e. manifest.json. This, however, gives you permission to request resources from Amazon that the user did not load into the browser, like all their previous purchases. And if there's another URL in the permissions list that the extension developer hosts, they can set up an API for the extension to phone home the user's private data on Amazon.
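An added example, not part of the original thread or of any extension discussed in it: a Python script that reads each installed extension's manifest.json from the profile's Extensions directory mentioned earlier in the thread and reports which extensions can reach all sites and which are limited to specific domains. The sample manifests and extension IDs are constructed, and `host_permissions` is the Manifest V3 key for host patterns, which postdates this discussion.

```python
import json
import re
import tempfile
from pathlib import Path

# Host entries use Chrome match-pattern syntax; BROAD matches the all-sites forms.
HOST = re.compile(r"^(<all_urls>|(\*|https?|file|ftp)://)")
BROAD = re.compile(r"^(<all_urls>|(\*|https?)://\*/.*)$")

# Constructed sample manifests and IDs (not taken from any real extension).
SAMPLES = {
    "a" * 32: {"name": "sample-screenshot", "version": "1.0",
               "permissions": ["tabs", "http://*/*", "https://*/*"],
               "content_scripts": [{"matches": ["<all_urls>"], "js": ["c.js"]}]},
    "b" * 32: {"name": "sample-site-helper", "version": "2.0",
               "permissions": ["https://www.example.com/*"]},
}


def classify_manifest(manifest):
    """Summarise how much web content one manifest.json can reach."""
    declared = [p for p in manifest.get("permissions", []) if isinstance(p, str)]
    declared += manifest.get("host_permissions", [])  # Manifest V3 key
    patterns = {p for p in declared if HOST.match(p)}
    for script in manifest.get("content_scripts", []):
        patterns.update(script.get("matches", []))  # pages it injects into
    broad = sorted(p for p in patterns if BROAD.match(p))
    return {"name": manifest.get("name", "?"), "tabs": "tabs" in declared,
            "all_sites": bool(broad), "broad_patterns": broad,
            "scoped_patterns": sorted(patterns - set(broad))}


def audit_extensions(root):
    """Classify every <root>/<extension id>/<version>/manifest.json."""
    reports = []
    for path in sorted(Path(root).glob("*/*/manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip it
        reports.append({"id": path.parts[-3], **classify_manifest(manifest)})
    return reports


def demo():
    """Write the samples in the on-disk layout and audit them."""
    with tempfile.TemporaryDirectory() as root:
        for ext_id, manifest in SAMPLES.items():
            folder = Path(root, ext_id, manifest["version"] + "_0")
            folder.mkdir(parents=True)
            text = json.dumps(manifest)
            (folder / "manifest.json").write_text(text, encoding="utf-8")
        return audit_extensions(root)


if __name__ == "__main__":
    for r in demo():
        scope = "ALL SITES" if r["all_sites"] else ", ".join(r["scoped_patterns"])
        print(r["id"][:8], r["name"], "tabs=%s" % r["tabs"], scope or "no hosts")
```

To audit a real profile, pass the Extensions directory path to `audit_extensions` instead of calling `demo()`.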