Paperpile asks to install a Chrome extension, saying “This enables Paperpile’s advanced features, like one-click PDF downloads and total browser integration”, and refuses to run without it. But the Chrome extension asks for permission to “read and change all data on the websites you visit”, so installing this extension would give Paperpile access to all my accounts, including email. I’m not willing to do that.
It’s a good point and I’m happy to get this question here in the forum so I can explain the situation.
The Paperpile Chrome extension is not just an extension to Paperpile. It is Paperpile. Paperpile does things a normal web app can’t do. That includes looking up data in databases and on publisher sites.
We can’t search or import a reference from Google Scholar if we can’t read the data on Google Scholar. A normal web app can only access data from the same domain, in our case paperpile.com. If we want data from nature.com or scholar.google.com we need this permission.
It’s basically the permission to use the Internet. I don’t think that’s unreasonable. Actually, it would be impossible to build a modern reference manager that can compete with desktop applications without access to the internet.
I can understand that some don’t want that and avoid extensions that have these permissions. There are many extensions that require these permissions like all ad blockers or hugely popular extensions like Evernote.
An important thing is in this context is that desktop applications don’t have a permissions model altogether. So if you install EndNote or Mendeley you give them full access to your hard drive and email. You just trust that these programs are not malware that transfer your private data to Thomson Reuters or Elsevier.
There is no reason not to trust them but at the same time there is no reason to think any Chrome software is malware just because it asks for permission to access the web.
Understood that the chrome extension needs access outside the paperpile domain. However, when I only enable it on specific domains (like those publisher sites, but not on gmail), the extension (pdf reader) stops accepting annotations to the pdf and becomes View Only. I’m wondering if there is a way to make the extension work without giving it access to all websites.
I’m sure great many more people would be less hesitant to use paperpile if it is given proper access control.
Desktop software can read hard disk, but they are not able to read my screen (unless explicitly given the permission). So no arbitrary desktop software can read my email. But a chrome extension with access to all websites is different. Hope the point is clear.
Welcome to our forum, @L_Ext! This was recently brought up by another user here on the forum, and my answer there also applies here. Make sure to check out this page detailing our permissions with Google.
In any case, I understand there will be some improvements in this regard by the end of this year – once we’ve implemented what’s currently on the pipeline. So stay tuned!