Google Removes Privacy-Focused ClearURLs Chrome Extension

Google has mysteriously removed the popular browser extension ClearURLs from the Chrome Web Store.

ClearURLs is a privacy-preserving browser add-on which automatically removes tracking elements from URLs. According to its developer, this can help protect your privacy when browsing the internet.

Extension removed from Chrome Web Store

ClearURLs is a web browser add-on available for both Google Chrome and Mozilla Firefox tasked with removing tracking bits from the URLs.

Many websites have superfluously long URLs with the extra parameters that have no functional value but are simply used for tracking purposes. This can especially apply to links present in newsletters, for example:https://example.com?utm_source=newsletter1&utm_medium=email&utm_campaign=sale&some_other_tracking_bits=…

Interestingly, Google search result URLs are no different.

When clicking on an image search result, for example, Google does not immediately send you to the original URL of its webpage, but rather an intermediary URL which redirects you.https://www.google.com/url?sa=i&url=https%3A%2F%2Fwww.bleepingcomputer.com%2F&psig=AXXXXXYAWa
&ust=1616XXXXXXX&source=images&cd=vfe&ved=0CXXXXe-p3XXX

The extra parameters in the URL above (ved, cd, etc.) are simply tracking bits and referrers used for analytics.

Also Read: Compliance Course Singapore: Spotlight On The 3 Offerings

ClearURLs is designed to filter out such tracking parameters from URLs and enhance the user’s privacy online.

Should all links be stripped of such extraneous tracking data, they would end up looking rather minimal in length, comprising only of the essential bits

However, in a mysterious move by Google last night, users saw ClearURLs disappearing from the Chrome Web Store with its page throwing a 404 (not found) error message.

“Yes, ClearURLs were blocked by Google 7 hours ago.”

“The reasons for this are ridiculous and probably only pretended because ClearURLs damages Google’s business model.”

“ClearURLs has made it to its mission to prevent tracking via URLs and that’s how Google makes money. I think that ClearURLs now has so many users that it is unwelcome for Google and they would like to see the addon disappear permanently,” said Kevin Roebert, the developer behind ClearURLs.

The developer appealed to Google against the blocking of the extension and heard from Google. 

In a copy of the email shared by the developer, Google claims that the description of the extension is “too detailed” and in violation of Chrome Web Store rules.

“The mention of all the people who helped to develop and translate ClearURLs is against Google’s rules because it could ‘confuse’ the user. Ridiculous,” continued Roebert.

Google also stated that the description of the extension did not mention it contained certain features, such as the settings import/export feature, logging functionality, and a donation button which was misleading.

Google also claimed in the email that the extension unnecessarily requires the clipboardWrite permission.

“But that’s not true, and I’ve had a description for each permission in the Chrome Web Store Developer Dashboard for well over a year now.”

Roebert had initially refuted Google’s claim stating that clipboardWrite had a legitimate need in the application for writing clean links via the context menu into the clipboard.

However, when asked for further clarification on the matter, Roebert shared some insights with BleepingComputer.

“As it turned out, this is actually not necessary anymore since a few versions, because I switched to another method of copying to the clipboard.”

“So the permission was still a relic from an earlier version of ClearURLs,” Roebert told BleepingComputer in an email interview.

But, the developer also expressed that some suggestions made by Google in their email response were contradictory.

“The description of ClearURLs is said to be misleading because it is too detailed and describes irrelevant things.”

“What exactly is irrelevant about the description was not communicated to me by Google. So it is hard for me to fix this.”

Interestingly, this suggestion by Google contradicts their another suggestion in the same email to the developer, which reads the description of the functions lacks detail. 

“Here Google says that the description of the functions of the addon is not detailed enough and therefore deceives the user.”

Roebert is referring to the aforementioned functions: ‘Donate, Badges, Logging, Export/Import’.

“This almost reads like a joke. No user seriously cares about during installation if there is a way to donate, a badged indicator, a log for debugging, or a function to save and restore settings.”

“The task of the addon is to clean URLs, I described these functions and not that there is also a donate button. But Google wants that these ‘important’ functions are also described because otherwise the users are ‘deceived.’ I have now added this to the description,” the developer further told BleepingComputer.

Also Read: Considering Enterprise Risk Management Certification Singapore? Here Are 7 Best Outcomes

Users cite concerns from RCE flaw to “antitrust”

This development quickly started making rounds on public forums, including Y Combinator’s HN.

Whereas some users criticized Google’s decision to remove the extension, citing “antitrust” concerns, others pointed out that ClearURLs extension had previously contained an arbitrary code execution flaw.

One of the users commented that it was rather hard to believe that a company like Google would be concerned enough by this “itty bitty extension” to have an impact on its business model or that these were the grounds to remove it from the web store, thereby scrutinizing what the extension’s developer has claimed.

But, other commentators stood by concerns that Google’s vast influence over Chrome development, its extensions or web standards could be problematic and indicative of the company monopolizing the space.

Meanwhile, another commentator alleged that last they had checked, the ClearURLs extension had a security issue:

“I’d love to use ClearURLs, though last I checked it had a major flaw: it allows arbitrary code execution by the provider of the filter list.”

“Among other things, it can redirect script URLs to arbitrary sources, and the filter list is periodically updated from a GitLab page, which enables the filter list provider to perform a targeted attack by serving a malicious filter list to a specific device,” yet another user commented.

Multiple users also suggested that this move had reinforced their loyalty to using Mozilla Firefox as their choice of web browser.

BleepingComputer has reached out to Google before publishing this article and we are awaiting their response.

In the meantime, Chrome users can download and manually install the ClearURLs extension from the project’s GitHub releases page.

Microsoft Edge users can also download the extension from the Edge Add-ons store.

Roebert has also released a newer version 1.21.0 with the proposed updates expected to appear on both Mozilla and Edge stores, pending a review.

Update 24-Mar-21 9:30 AM ET: Added statement from ClearURLs developer, Kevin Roebert.