Dropbox Dash's browser extension demands 'read and change all your data on all websites'
2023–2024
The Dropbox Dash Chrome extension requests permission to 'read and change all your data on all websites' and imports up to 90 days of browsing history — URLs, page titles, and page contents — to power its AI search.
What happened
Dropbox Dash, the company's AI-powered 'universal search' tool, ships a browser extension that, by Dropbox's own help documentation, requires the Chrome permission to 'read and change all your data on all websites.' Dropbox explains the broad scope is needed because the extension lets users add any open page to a Stack and 'it's not possible to only ask for read permissions,' and says that apart from a small pop-up it will not change website data.
More consequentially for privacy, Dropbox states that when you use Dash it imports your browser history — beginning with the previous 90 days — including the URLs of sites you visit and 'the contents of those websites (including page titles, images, and page content),' and that it may share that data with trusted third parties and other Dropbox companies to power search. This is a far wider data grant than the file-sync product, reaching into general web activity, and it is distinct from the 2016 macOS accessibility-permission controversy, which concerned the desktop client's system access.
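To check which installed extensions carry the same kind of grant, the sketch below audits extension manifests for the host patterns behind the 'read and change all your data on all websites' prompt, and for the `history` API permission. It is an added example, not code from Dropbox or from the original page; the sample manifests are constructed, and the page does not say which entries Dash's own manifest declares.

```python
import json

# Match patterns that Chrome treats as access to every website.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_manifest(manifest: dict) -> dict:
    """Report all-sites host grants and the history permission in one manifest."""
    all_sites = []
    # Manifest V3 lists host patterns in host_permissions; V2 mixes them
    # into permissions alongside API names, so both fields are scanned.
    for field in ("host_permissions", "permissions"):
        for entry in manifest.get(field, []):
            if isinstance(entry, str) and entry in ALL_SITES:
                all_sites.append(f"{field}: {entry}")
    # Content-script match patterns also count as host access.
    for i, script in enumerate(manifest.get("content_scripts", [])):
        for pattern in script.get("matches", []):
            if pattern in ALL_SITES:
                all_sites.append(f"content_scripts[{i}].matches: {pattern}")
    return {
        "name": manifest.get("name", "<unnamed>"),
        "all_sites": all_sites,
        "history": "history" in manifest.get("permissions", []),
    }

# Constructed sample manifests (hypothetical extensions, not Dropbox Dash's).
SAMPLES = [
    '{"manifest_version": 3, "name": "broad-search", '
    '"permissions": ["history", "storage"], "host_permissions": ["<all_urls>"]}',
    '{"manifest_version": 3, "name": "narrow-helper", '
    '"permissions": ["activeTab", "storage"]}',
    '{"manifest_version": 2, "name": "legacy-injector", '
    '"permissions": ["tabs", "*://*/*"], '
    '"content_scripts": [{"matches": ["https://*/*"], "js": ["cs.js"]}]}',
]

def audit_all(raw_manifests):
    """Parse each JSON manifest and return only those with a finding."""
    reports = [audit_manifest(json.loads(raw)) for raw in raw_manifests]
    return [r for r in reports if r["all_sites"] or r["history"]]

if __name__ == "__main__":
    for report in audit_all(SAMPLES):
        print(report)
```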
Impact
For users who install Dash, the extension extends Dropbox's visibility from stored files to broad web-browsing behavior and on-page content, with onward sharing to third parties. The 'all websites' permission and 90-day history import exemplify how AI search features can dramatically widen the data a cloud provider collects, and they revive concerns about permission overreach in Dropbox's client software.