What 'Read and Change All Data' Actually Means for Extensions

What

That's the sound of a Chrome extension requesting permission to "Read and Change All Data" on a website. It's a phrase that can send shivers down the spine of even the most seasoned privacy advocates. I've seen it myself, and I've wondered what it really means.

As someone who's been using TraceMind daily for 6 months, I've had to wrap my head around this very issue. I've found that understanding what's going on under the hood is key to feeling more comfortable with the level of access that extensions like TraceMind require. So, let's break it down.

When an extension asks to "Read and Change All Data", it's not asking for permission to send all your browsing data to some shady server. What it's really asking for is the ability to parse the DOM (Document Object Model) of a webpage. The DOM is like a blueprint of the webpage, showing how all the different elements are structured and related to each other. By parsing the DOM, an extension can extract specific information from the webpage, like text content or metadata.

For TraceMind, this ability is crucial. We use it to capture and index the actual text content of pages you visit, so you can search for them later by meaning, not just keywords. This is made possible by our use of a model called all-MiniLM-L6-v2, which runs in WebGPU or WASM, combining semantic search with traditional full-text search. But I'm getting ahead of myself.

The important thing to note here is that when an extension like TraceMind requests permission to "Read and Change All Data", it's not a blank check to do whatever it wants with your browsing data. It's a necessary step for the extension to do its job, and it's up to the extension to use that permission responsibly.

The Ctrl+H problem

So, how do extensions like TraceMind use this permission responsibly? For us, it's all about keeping your data local. We store all the data we collect in IndexedDB, which is a local storage system that's built into your browser. This means that nothing leaves your machine, and you have full control over your data. We also use ML inference in-browser via WASM, which means that we don't need to send any data to a server to process it.

But what about when you need to validate your license? That's the one time when we do need to make an external call, to TraceMind. Even then, we're only sending a minimal amount of data, and it's all encrypted with AES-256-GCM and PBKDF2 (200,000 iterations).

I think it's worth noting that most productivity blogs will tell you to just blindly trust extensions that ask for this permission. That's terrible advice. You should always be mindful of what permissions you're granting, and make sure you understand what the extension is going to do with that permission.

On-device AI

One of the things that sets TraceMind apart from other extensions is our use of on-device AI. By running our models in-browser, we can provide a more private and secure experience for our users. I wrote about how local-first software is changing data privacy if you want the full breakdown.

It's not magic — you still need to actually visit the page first. But once you have, we can start indexing the content and making it searchable. And because we're using on-device AI, you can be sure that your data is staying local.

Here are a few key points to keep in mind when it comes to on-device AI:

1. Local storage: We store all your data locally, so you have full control over it.
2. In-browser processing: We process all your data in-browser, so nothing leaves your machine.
3. Encryption: We encrypt all your data with AES-256-GCM and PBKDF2 (200,000 iterations), so even if someone does manage to get their hands on it, they won't be able to read it.

I've found that having this level of control over my data is a huge relief. I don't have to worry about some faceless corporation mining my browsing history for ads. And I think that's something that more people should be aware of.

Why it matters

So, why does all this matter? It matters because your browsing data is some of the most personal and sensitive information you have. It's a window into your thoughts, interests, and habits. And if you're not careful, that window can be opened up to the world.

That's why I built TraceMind. I wanted to create a tool that would help people take control of their browsing data, and keep it private. And I think we've succeeded. With TraceMind, you can search your browsing history by meaning, not just keywords. You can find pages you visited weeks ago, and re-visit them with ease. And you can do it all without sacrificing your privacy.

It's not perfect, of course. There are still some limitations to what we can do. But I think we've made a huge step in the right direction. And I'm excited to see where we can go from here.

As I look back on the past 6 months of using TraceMind, I'm struck by just how much of a difference it's made in my daily workflow. I can find what I need in seconds, rather than minutes. And I can do it all without worrying about my data being sent off to who-knows-where.

I think that's something that more people should experience. And I hope that by explaining what "Read and Change All Data" really means, I can help people feel more comfortable with the level of access that extensions like TraceMind require. It's not a scary phrase, once you understand what's going on under the hood. And with the right tools, you can take control of your browsing data, and keep it private.