
There's gotta be some law that could be passed about stuff like this. Software should have an implicit contract that it does what it says and not something wildly different than it, with harsh penalties for violations.



We should all have our own EULAs that they implicitly agree to… lol.

I should start doing this with big websites. And of course my EULA is a 10MB file I’ll send with every request until they accept… :)

Can you imagine if that caught on? DDOS by EULA!


Common licenses specifically go out of their way not to imply such a contract. This is the start of the all-caps portion of the MIT License [0]:

> THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO […] FITNESS FOR A PARTICULAR PURPOSE

…and the GPL has nearly the same text in section 15. [1]

[0]: https://opensource.org/license/mit/

[1]: https://www.gnu.org/licenses/gpl-3.0.html#section15


Yeah, but also common licenses are set by the distributor. (which they're also evidently free to secretly change?)

I want the other side of the deal: a default license implicit in the existence of software that can't be traded away without an explicit contract that involves something like an exchange of money, which a federal agency will safeguard against violations of. If an extension changes its behavior nefariously people should go to jail. If Google safeguards an extension that changes its behavior nefariously then Google should go to company jail. (or, like, be fined and forced to comply).

(admittedly, this is hopeless idealism. But still.)


It wouldn't be that hard to make free open-source software not subject to the same rules.


I mean, contractual terms that are implied by statute exist. English consumer contract law—which since 2015 has been extended due to the EU Consumer Rights Directive to cover digital content—includes an implied term that the goods are of satisfactory quality, and when it's a continuing service (including something like a digital content service like Netflix or Spotify, or a software product with updates), it doesn't radically depart from what's initially offered.

See https://www.legislation.gov.uk/ukpga/2015/15/part/1/chapter/...

Most jurisdictions have something broadly similar (albeit often not quite up-to-date around software and digital products). Everywhere in the EU will have laws that implement the EU's Consumer Rights Directive.

Which is great and would apply if you'd paid money for it. NightOwl is free (as in beer). The expectations the law sets out regulating the sale of goods and services do not apply when no money has changed hands.

Which I'd argue is pretty much right: while it sucks that companies get taken over and have spyware crap put into products, the idea that, say, a teenager who is hacking around and building stuff to learn how to code, puts up a project they've made as open source or a freeware download, does something silly like the left-pad debacle, then gets sued—potentially by a big corporate behemoth with very deep pockets and very scary lawyers—for a series of acts which involved them writing some software for no money. Regulation of technology should rest far heavier on the shoulders of Google, Microsoft, Apple and so on than it does on a hobbyist or small indie dev creating freebie menubar utilities or Chrome extensions or whatever.

The difficulty of ensuring those little freebie and open source apps don't become a vector for supply chain attacks remains difficult. Much better sandboxing and OS app-level permissioning, good network monitoring and anomaly detection on a per-app level, and building trust into packaging/distribution processes - these are all slow, grinding, incomplete ways to improve this. Lawsuits probably aren't.



