[JAM1971]

> It is completely unacceptable that the default level of access has become "everything."

Even on Android (and I presume iPhone) where apps ask for/document their permissions requirements, most people just say "Yes" and move along. Most people have neither the time nor the expertise to critically evaluate whether or not an extension needs any of a dozen permissions.

I sympathize, but I have no idea how you can realistically solve this.

[beaconstudios]

it shouldn't be necessary for users to know this because the permission-granting relationship is potentially adversarial, so the user will always be on the back foot unless they're technical/power users. It should be Google's responsibility to ensure that extensions only request the permissions they need.

[dwohnitmok]

> It should be Google's responsibility...

That seems ripe for more of the same articles of this flavor. The specifics would probably be just something akin to "turns out that using this permission in a way that Google didn't anticipate immediately gets your app shelved and leads to loss of users."

[beaconstudios]

If you extrapolate down the fine-grained-permissions line, you eventually end up with effectively a legal system where the rules are encoded explicitly (and enforced programmatically) but the spirit-vs-letter of the law is left to interpretation by a judge (the reviewer in this case).

That's probably better than the scenario we have right now. Such a system of smaller permissions would be an improvement over every extension asking for all permissions and being able to do what they want with your browser.