Mozilla's Addon repository is one of the backbones of the Firefox web browser, Thunderbird email client and various other programs based on the same core. Users can download and install add-ons with just a few clicks to benefit from new or modified features they make available in the installed program.
Add-ons are reviewed by Mozilla before they are added to the repository on the site, and while many may think that these reviews are thorough enough to keep illegitimate add-ons out, it may not always be the case.
What would you say if I told you that companies buy add-ons from developers to make a profit? You'd probably ask how they'd make a profit from these add-ons and I'd reply to you that they monitor what you do on the Internet.
While this may sound like fiction let me reassure you that it is not. Take the Autocopy extension as an example. It is a popular extension with more than 57k active users at the time of writing and 481 user reviews and an overall star rating of four stars out of five.
When you look at the most recent comments you will notice that they are all rating the add-on with one star, the lowest rating available.
What do the reviewers complain about? According to them, the extension is sending information to a server on every page visit.
Besides providing auto copying, this add-on sends info to stats.wips.com about EVERY page you visit and how long you stay there. Highly NOT recommended!
We need to go back to the beginning for a short moment before we dive into this again. The AutoCopy extension was purchased by Wips recently from its former author who confirmed that to me in an email. So, the extension ownership changed hands and what seems to have happened thereafter is that the company added the "phone home" feature to the add-on.
The company responded to several user reviews confirming the ownership change as well and that the extension was sending statistics to company servers.
Hi,there is no need to worry, we provide this add-on for free without any spyware, spam or advertising.
You can turn the stats off in the options.
I contacted the company to find out more about this. Lukas Marek, the company CEO told me that the extension was not sending any browsing data- but did so in the past - and that the connections that are still made by the extension are for analytical purposes only.
What I can confirm is that the extension is still contacting servers on every page load of the browser.
If you look into the about:config dialog you will find several stat related parameters including a client ID (likely unique identifier) and options to disable the sending of permissions.
In addition, for every Web page you view while using the Extension Service, the Wips.com software transmits and stores your IP address, which may include a domain name, the full URL of the Web page you are visiting, general information about your browser; general information about your computer's operating system; your Wips.com cookie number or other identifying alphanumerical information enabling Wips.com to identify your computer; and the date and time the above information is logged.
Autocopy is not the only extension the company seems to have bought. It is now listed as the owner of eleven add-ons including BlockSite, an add-on used by more than 210,000 users and Fasterfox Lite, used by more than 115,000 users.
When you try to install Fasterfox Lite you are taken to an intermediary page where you need to accept the end user license agreement before you continue. A note at the beginning states that the company collects and stores information about web pages that users visit and that this may in some cases include personally identifiable information.
WIPS.COM'S EXTENSION SERVICE COLLECTS AND STORES INFORMATION ABOUT THE WEB PAGES YOU VIEW. IN SOME CASES, INFORMATION COLLECTED BY THE EXTENSION SERVICE MAY BE PERSONALLY IDENTIFIABLE, BUT PRIVACY IS IMPORTANT AT WIPS.COM, AND WE DO NOT ATTEMPT TO ANALYZE WEB USAGE DATA TO DETERMINE THE IDENTITY OF ANY WIPS.COM USER.
I tried to get a better understanding about ownership changes. A Mozilla representative confirmed that "no interaction with Mozilla representatives is necessary for a transfer of ownership" and that a change is not highlighted anywhere on the Mozilla website.
All add-on updates or new versions are reviewed by Mozilla on the other hand which is certainly reassuring. It is still not clear why new versions of the extension were approved by Mozilla since they phone home and at least one, Autocopy, does not mention that anywhere on the add-ons page.
So, what can you do to protect yourself from this practice? Not much it seems. While you could dive into the code of the extension it is not really something that the majority of users can and want to do. The only other option to find out about a built-in phone home feature is to install the extension and monitor the browser's connections afterwards.
Update: Statement from Mozilla
It appears you tested Version 1.0.8 of AutoCopy. This version is not sending all browsing data to Wips. That can be verified by looking at the source code or installing version 1.0.8 and looking at the network traffic.
After version 1.0.8, Wips submitted a new version of Autocopy that sent more data, but that version didn't pass review. Version 1.0.8 is the latest public version available on Mozilla add-ons and what the majority of users have installed.