When you install the Hypothes.is Chrome extension, you will receive a notification from the Chrome browser asking for a certain set of permissions.
Chrome overstates what Hypothesis needs permission to do -- we don't use your camera, for example! We ask for these permissions because the extension needs them in order to work with your browser and the websites you visit. However, our intention is only to access the minimum permissions we need to in order to do these things on your behalf, and nothing more. We don’t monitor, track or collect any of your personal data beyond what is necessary for creating, saving and reading your annotations. Hypothesis does not generate revenue from advertising or from selling metrics to third parties.
The language and definition of these permissions are set by the Chrome browser, and they are meant to tell users what the kinds of data the extension will be able to access. (To read more about Chrome extensions permissions there’s a great article about it in Lifehacker, and much more technical documentation at the Chrome website) Some permissions change during updates, and you may occasionally be asked to approve a new one. For example, we recently updated our Chrome extension to require a new permission as part of the work we're doing to allow users to link directly to an annotation in context. This is how we use permissions in the Hypothes.is extension:
- Read and change all your data on all websites you visit: we ask this so that we can inject the annotator code into the page and interact with the text on it, add and read annotations. We don’t read or modify any other data.
- Access your browsing activity: we need this to maintain the state of the Hypothesis extension on windows or tabs you have open. We also need this is to be able to tell you (via the extension badge) when a page you visit has been annotated. We don’t keep track of what you do in the browser.
- Communicate with cooperating websites: this permission is used to communicate with the Hypothes.is website to know, for example, if you have the extension installed or not.
In the future, we’re planning to eliminate the need for that last permission by changing how authentication works on our application.