The power of a single statistic (to distract)

“I know that major API changes are always a pain for developers and they would rather not have to deal with them, but please keep in mind stats like “42% of malicious extensions use the Web Request API” when you’re considering what we’re trying to improve here.”

—Justin Schuh, on Twitter. (Also stated in Google’s official post here)

Google is using a large number—42% of malicious extensions—in isolation to justify a decision. This number shows that a large proportion of ‘bad developers’ use this API. But this single data point gives no clue about how big the total pool of developers using this API is.

Are bad developers a large proportion of the users of this API, or are they a tiny minority? In the former case, Google’s action to deprecate/restrict the API may be fairly justified. In the latter case, it could have chosen a better, alternative approach to dealing with the bad actors, rather than punishing the mostly good users.

An analogy for case 1:

Bank decides to close all doors leading to the street because 42% of all robbers walk in through those doors.

Analogy for case 2:

Bank decides to close all waste disposal tunnels because 42% of all robbers sneak in through those tunnels.

All we know is that 42% of robbers come in through a point. We don’t know if it’s the main customer entrance, or the waste disposal.

If this statistic was a big argument for this decision’s approval inside Google/Chrome-Dev, then they really need to revisit their decision-making fundamentals.

I seriously doubt this though. Googlers are very smart. They are dealing with mostly smart people on the outside. This number is not for them or us. This number is being published solely to turn the narrative, for the common reader, from ‘Google blocking APIs that stop ads and tracking’ to ‘Google blocking APIs that stop malicious extensions’.


Some Venn diagram fun

Case 1: Malicious users are a small proportion of all the extensions that use the Web Request API:

Case 2: Malicious users are the plurality, if not the majority, of users of the Web Request API:

All that the ‘42%’ number tells us is that A∩B is 42% of B.
We don’t know what A∩B is as a percentage of A.
Google knows, but it has decided that releasing that number is not important (or is invalidating their narrative).
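
The relation between the two percentages, as an added worked derivation that is not part of the original post. It assumes A is the set of extensions that use the Web Request API and B is the set of malicious extensions, which is the reading the 42% statement implies; the counts in the two illustrations are constructed, not real data.

$$\frac{|A \cap B|}{|A|} \;=\; \frac{|A \cap B|}{|B|} \cdot \frac{|B|}{|A|} \;=\; 0.42 \cdot \frac{|B|}{|A|}$$

The published figure fixes only the first factor. The second factor, $|B|/|A|$, is the unpublished one, and it decides which case applies:

$$|B| = 1000,\; |A| = 42000 \;\Rightarrow\; \frac{|A \cap B|}{|A|} = \frac{420}{42000} = 1\% \quad \text{(case 1)}$$

$$|B| = 1000,\; |A| = 600 \;\Rightarrow\; \frac{|A \cap B|}{|A|} = \frac{420}{600} = 70\% \quad \text{(case 2)}$$

Both illustrations are fully consistent with “42% of malicious extensions use the Web Request API”.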

Google is hoping to create an impression that the API usage reflects case 2. If this is true, it may justify restricting/removing the API in question.

However, if the reality is case 1, Google seems intent on punishing the vast majority of users who are properly using the API, because it is unwilling to police the minority who abuse it.
