Your browsing history may have been sold already

Martin Brinkmann
Nov 1, 2016

Add-on companies are selling the browsing history of millions of users to third parties, according to a report that aired on German national TV.

Reporters of Panorama managed to gain access to a large data collection that contained the browsing history of roughly 3 million German Internet users.

The data was collected by companies that produce browser extensions for various popular browsers such as Chrome and Firefox.

Panorama named only one add-on, Web of Trust (WoT), but pointed out that the data was collected by multiple browser extensions.

Browser extensions that run when the web browser runs may record any move a user makes depending on how they are designed.


Some, like Web of Trust, provide users with a service that requires access to every site visited in the browser. The extension is designed to offer security and privacy guidance for sites visited in the browser.

The data that Panorama bought from brokers contained more than ten billion web addresses. The data was not fully anonymized, as the team managed to identify people in various ways.

The web address (URL) itself revealed user IDs, email addresses or names in some cases. This was the case for PayPal (email), for Skype (user name) or an online check-in of an airline.

What's particularly worrying is that the information did not stop there. The team managed to uncover information about police investigations, the sexual preferences of a judge, internal financial information of companies, and searches for drugs, prostitutes, or diseases.

Links may lead to private storage spaces on the Internet that, when improperly secured, may give anyone with knowledge of the URL access to the data.

It is trivial, for instance, to search the data for online storage services to reveal those locations and check whether they are publicly accessible.

Panorama reports that Web of Trust logs collected information such as time and date, location, web address and user ID. The information is sold to third parties, who may sell the data again to interested companies.

WOT notes on its website that it hands over data to third parties, but only in anonymized form. The team of reporters managed to identify several user accounts, however, which suggests that the anonymization does not work as intended.
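The following is an added example, not code from Panorama, WOT or this article: a pre-release check that flags the parts of a logged URL that carry an e-mail address, an account name or an unguessable private link, and reduces each entry to scheme and host. The regular expressions, the parameter-name list, the sample URLs and the assumption that a site-reputation lookup only needs the host are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Heuristics below are assumptions made for this example.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Opaque path segment: 16+ alphanumerics containing a digit, or a 6+ digit number.
TOKEN_RE = re.compile(r"(?=.*\d)[A-Za-z0-9]{16,}|\d{6,}")
# Query parameter names that usually carry an account identifier (constructed list).
IDENTITY_KEYS = {"email", "mail", "user", "username", "login", "uid",
                 "userid", "account", "name", "booking"}

# Constructed sample log; none of these URLs come from the reported data set.
SAMPLE_LOG = [
    "https://pay.example/checkout?email=alice%40example.org&amount=20",
    "https://chat.example/profile?username=bob.builder",
    "https://air.example/checkin?booking=QX7K2M&name=Mustermann",
    "https://files.example/s/9f8c2ab47d1e4c0f8a6b3d5e7f102938/report.pdf",
    "https://news.example/your-browsing-history-may-have-been-sold-already",
]


def find_identifiers(url):
    """Return (kind, value) pairs for URL parts that point at a person
    or at a private resource."""
    parts = urlsplit(url)
    findings = []
    if parts.username:  # credentials embedded as https://user@host/
        findings.append(("userinfo", parts.username))
    # E-mail addresses anywhere after the host, percent-decoded first.
    rest = unquote(f"{parts.path}?{parts.query}#{parts.fragment}")
    for match in EMAIL_RE.finditer(rest):
        findings.append(("email", match.group(0)))
    # Identity-bearing query parameters (e-mail values were reported above).
    for key, value in parse_qsl(parts.query):
        if key.lower() in IDENTITY_KEYS and not EMAIL_RE.fullmatch(value):
            findings.append(("query:" + key.lower(), value))
    # Long random path segments: share links whose secrecy is the only protection.
    for segment in unquote(parts.path).split("/"):
        if TOKEN_RE.fullmatch(segment):
            findings.append(("path-token", segment))
    return findings


def minimise(url):
    """Drop path, query, fragment, port and userinfo; keep scheme and host."""
    parts = urlsplit(url)
    if not parts.hostname:
        return None
    return f"{parts.scheme}://{parts.hostname}"


def audit(urls):
    """Map every URL that leaks something to the sorted kinds of leak found."""
    report = {}
    for url in urls:
        kinds = sorted({kind for kind, _ in find_identifiers(url)})
        if kinds:
            report[url] = kinds
    return report


if __name__ == "__main__":
    for url, kinds in audit(SAMPLE_LOG).items():
        print(f"{minimise(url):28} leaks {', '.join(kinds)}")
```

Removing the user ID column alone does nothing for the four flagged entries, because the identifier sits inside the URL itself.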

The extension has been downloaded over 140 million times. While the data set that the researchers bought included only German user information, it is likely that data sets are available for users from other regions of the world.

Publisher
Ghacks Technology News

Comments

  1. Fadi said on April 21, 2017 at 9:37 am
    Reply

    Do not install their App from Google Play, Do not add their Chrome Plug-in
    Already Firefox disabled their Plug-in during the last update
    They are collecting browsing history, emails, logins just like any typical virus or worm

  2. Cheryl said on January 17, 2017 at 8:10 am
    Reply

    Does WOT send browsing data even if you opt out of sharing it?

  3. sriram said on December 3, 2016 at 10:05 am
    Reply

    Thank you for this article. I started checking the source for all of the extensions I currently use in Chrome through “chrome://extensions/” > “background page” > “Sources” > “top” > “Search in all files” > “http file:*” and found that one extension called Alert Control (https://chrome.google.com/webstore/detail/alert-control/ofjjanaennfbgpccfpbghnmblpdblbef) pings “api.s13.us”. I’m not sure why it does this, but having read this article, I felt the need to remove it.

  4. Marc said on November 6, 2016 at 2:24 am
    Reply

    What about malware domain blocking of Adblock Plus or Ghostery for which IIRC it asked to share anonymous data upon installation…

  5. b said on November 4, 2016 at 11:43 am
    Reply

    yesterday I started checking the privacy policy of the developers behind the add-ons that I’ve chosen to install. A small amount : a total of 9! thoroughly that is. I never doubted disconnect.me nor privacy badger ( eff.org ) but earlier on in this thread, I cast doubt on @Raymond Hill, the maker of ublockO. In case you read this: I apologize( quite a few developers comment from time to time. you might too be a regular reader ). I reacted instantly out of pure frustration. of course I should have cooled down before typing away. I am embarrassed to admit, that If I had taken the time I would have found your privacy policy here: https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/?src=ss

  6. Anonymous said on November 4, 2016 at 1:42 am
    Reply

    TRUST me instead.

  7. Parker Lewis said on November 3, 2016 at 9:46 pm
    Reply

    Web of Trust has been removed from AMO. I don’t know if it’s Mozilla or the add-on authors though.
    WoT had lost 3,000 users* in one day and its share of 1-star ratings increased from 7% to 13%. The authors could have removed it temporarily until things calm down to avoid getting bad stats, or Mozilla could be using its weight to obtain better privacy guarantees.

    * Out of 874,000, could be worse…

    1. A different Martin said on November 4, 2016 at 12:06 am
      Reply

      My guess is that the great majority of those 874,000 WoT extension users don’t have a clue that Web of Trust has compromised their privacy. Most of the computer users I know who aren’t actual computer professionals, including ones who have installed various browser extensions after reading an article somewhere or other, don’t routinely follow tech news. Do a Google News search for “Web of Trust,” restrict it to the past week, and see how many general news sites (let alone non-German-language sites) have reported the violation.

  8. Owl said on November 3, 2016 at 12:41 pm
    Reply

    Hy: Mozilla Policy (URL is too long) from developer page:

    “Features like advertising or certain forms of user activity tracking may be required to be opt-in, or at least opt-out, depending on the privacy and security impact, and whether the feature is necessary for the add-on to function or not. Since these are usually additional monetization features that are unrelated to what the add-on is meant to do, they generally require an opt-in for listed add-ons and an opt-out for unlisted ones. Some forms of tracking, like gathering all visited URLs, are generally forbidden even for unlisted add-ons. The decision to activate or deactivate these features and its implications must be clearly presented to the user.”

    I understand your concerns. I guess we just have to go with what trusted sources tell us?

    1. Hy said on November 3, 2016 at 4:14 pm
      Reply

      @Parker and Owl:
      All of that is clear, and helpful. Good to know add-ons are periodically re-reviewed. Thanks, guys!

    2. Parker Lewis said on November 3, 2016 at 1:24 pm
      Reply

      @Hy
      Indeed, while there aren’t technical barriers (any add-on can technically send any data), manual reviews are a barrier that isn’t easy to sneak through. Sorry that was not clearly stated in my earlier comment. Although an add-on could have a cosmetic feature whose real purpose is to stand as a mere justification for data to be sent.

  9. Owl said on November 3, 2016 at 10:41 am
    Reply

    Some addon Privacy Policies explicitly state they don’t phone home. Pays to check, and do homework, and then just take a chance, (read reviews, look up developer info, etc.? ) Like others have said, you only had to read WOT’s Privacy Policy to know it potentially was like that. Do the best you can, can’t do much more than that.

    1. Hy said on November 3, 2016 at 11:10 am
      Reply

      I wonder how much these add-on privacy policies can be trusted. Is it reasonable to trust them to do what they say they’re going to do, and to not do what they say they won’t do? I recognize that we may not have any other choice. But are there any compliance mechanisms in place to verify that an add-on is in fact complying with its own self-declared privacy policy, once the add-on has passed, for example, the initial Mozilla add-on review? Or is the only check on compliance the occasional investigative journalism report, or test by an advanced user?

      1. GSZ said on July 8, 2017 at 10:11 pm
        Reply

        Privacy Policies are legally binding if income, nonprofit, for donations, ad revenue or any income is legally generated from exchange of product, content, service, website, etc. If they are a Corp or LLC always, if they are DBA legally binding. if they post it through parent company with explicit instructions regarding their customers “policy” or conduct when using their service.

      2. Parker Lewis said on November 3, 2016 at 1:19 pm
        Reply

        An add-on is supposed to be reviewed manually by Mozilla when first submitted and on each update.

        You can find very detailed information here: https://developer.mozilla.org/en-US/Add-ons/AMO/Policy/Reviews

        Add-ons on AMO must “Clearly disclose all user data handling in a Privacy Policy” if they want to pass review, whether on first release or subsequent updates.

        So on AMO: Read privacy policy and if unacceptable data is sent, don’t install the add-on. If the privacy policy says that they don’t store the data, that they only use it for the add-on’s feature and then trash it, well, Mozilla can’t verify this, it’s up to the user to check the add-on author and decide if the feature is worth the leap of trust.

  10. A or B, not C. said on November 3, 2016 at 8:04 am
    Reply

    First off, M$’s Win 10/8.1/8/7 are not free shareware, ie users hv to pay for a Windows license.
    .
    Looking from the other side of the coin, most free shareware hv to survive by displaying ads and/or selling user-data to marketers or charging commissions for 3rd-party app sales, eg Google’s freely available Chrome browser, Search, Maps, GMail, Cloud-storage, ChromeOS, Android OS, etc. This is similar to the old business model of free-to-air TV broadcast stations like ABC, CBS, NBC, FOX, etc, ie putting lotsa ads on their free TV shows. It was pure greed for the paid-subscription-based Cable n Satellite TV stations to do the same, ie putting lotsa ads on their cable or satellite TV shows. Similarly for greedy M$ to do the same with their paid-for-licensed Win 10/8.1/8/7, ie displaying ads, selling user-data to marketers and charging commissions for 3rd-party app sales at M$ Store.
    .
    Maybe, users of free shareware should tolerate the practice of selling user-data to marketers like how they hv tolerated the display of non-intrusive ads. Of course, the abuse of user-data for nefarious purposes should not be tolerated, eg stealing of user IDs, users’ trade secrets, extortion of users, spying by NSA, etc.

  11. neal said on November 3, 2016 at 1:26 am
    Reply

    I had mywot since Firefox was released, very disappointed b/c the addon was useful. I uninstalled it, and nowadays browsers seem to have good enough security through EMET or Malwarebytes antiexploit.

    Beside I noticed mywot didn’t pick up malware sites very well. If the malware site was very old then it would pick it up and warn you, if it was even relatively new, my wot often wouldn’t have any ratings. Same with phishing sites. It was useful to check to see if the bank or whatever financial site is the real deal, but other than that……

  12. b said on November 2, 2016 at 7:59 pm
    Reply

    @Tom Hawack
    I do check Ghacks every single day and I agree: it’s a great blog with great comments and debate. Here I’ve learned quite a bit about firefox-related topics and other stuff as well. As for privacy and security, my number one rule is to, if possible, get to know and master the basics and keep it simple. I prefer to set my cookies manually, block for geolocation via systemsettings etc. only the more complicated stuff I hand over to add-ons. anyway, thanks for calming me down

    1. Tom Hawack said on November 2, 2016 at 8:28 pm
      Reply

      I had no intention of calming you down because 1- I didn’t recognize any symptom! and 2- it’s not in my culture to calm anyone! I start moving with insults otherwise my relational policy has always been to consider people as they are, to try to help when I’m in a good mood + not in a hurry + able to + not lazy (many conditions!) and, whatever, to add a touch of humor :)

      Seems you’re managing your browser and I guess your computer quite well, you’re concerned and as myself eager to improve. That’s great. Modesty as well is a good partner, without it too many of us consider asking for advice/help is the signature of weakness when it is in fact in the very nature of mankind. Of course we’ll always have profiteers and in that case the first suitable help is motivating if not encouraging them : we may seem to be a profiteer when the truth is not that we’re lazy but that we lack self-confidence; psychology is complex but the best approach, IMO, requires always, beyond knowledge of the fundamentals, brotherhood, simply put.

      The beat goes on :)

  13. b said on November 2, 2016 at 2:35 pm
    Reply

    it never occurred to me to check privacy policy. I just read github’s ( followed the link of ublockO ) and I don’t like it :

    “If you’re just browsing the website, we collect the same basic information that most websites collect. We use common internet technologies, such as cookies and web server logs. This is stuff we collect from everybody, whether they have an account or not.
    The information we collect about all visitors to our website includes the visitor’s browser type, language preference, referring site, additional websites requested, and the date and time of each visitor request. We also collect potentially personally-identifying information like Internet Protocol (IP) addresses.”

    according to privacy badger they use thirdparty tracking ( google.com ) as well. if you have an account, there’s plenty more.
    of course this is the policy of Github and not that of ublockO. or is it? or: do github have access to my info via the account of add-on makers?

    1. GSZ said on July 8, 2017 at 10:05 pm
      Reply

      If you use a browser like Brave which blocks even Browsers biggest vulnerability IMO, ability for fingerprinting; getting a digital sig of your system OS, browser, Device, HW, Screen Size, SW versions; it blocks all trackers ads, analytics, cookies can be set to DENY ALL on ALL browsers if you so choose, & upgrades to SSL always, you can see the speed increase noticeably. Alternative…subscribe to a Good VPN service use OpenVPN Algorithm Choices & use SSH2 or SSTP tunnels if possible for maximum stealth protocol enabling security; if you have good network HW use a GRE/SSTP/OpenVPN(or portforward through a service used daily but will accept the tunneled traffic to disguise VPN use. take advantage of xtra features like 2nd NAT, “stealth” protocol service & dns, redundant FW, 360′ security; multihop server tech SSL 3072 EV + certificates to verify server or use ssh or sstp to eliminate the vulnerability of the handshake completion. so use server in China, port forward, using 2nd protocol although doesn’t matter BC already on secure provider network, and access server in mexico that’s where your traffic exits; use a server in Poland for DNS so you’re in 2 places visibly? daisy chain 2 or more VPN providers to further anonymize or use VPN -> TOR (SUPER SLOW, EXTREMELY ENCRYPTED & ANONYMOUS GOOD LUCK ATTEMPTING TRAFFIC ANALYSIS) and then bc tor exit nodes could be malicious, -> 2nd VPN so you appear to have gone from A-B but you went from A-B-C-D-E-F-B use split tunnel to be even more annoying so are you at A? all those NAT-T & tor circuits confuse things? maybe your PC has Malware?@?@?!

      also privacy policy better be present on VPN providers & they should state NO LOGGING, PERIOD. not NO LOGGING, we just note the time you connected. how long you used the service, and when you logged off & obviously we can see your IP……that’s the BS no logs

      1. Cheryl said on July 9, 2017 at 8:12 pm
        Reply

        I only understood about half of that, but thanks for the tip about Brave.

        I have been meaning to do something with another WOT-ish link tagger like McAfee Web Advisor but found it sort of intrusive in the way it steals the search engine. I like DuckDuckGo because it tracks nothing and the search results are not tweaked to my past usage, but I have not found a way to make WebAdvisor tag links in DuckDuckGo.

    2. Tom Hawack said on November 2, 2016 at 3:00 pm
      Reply

      That’s Github’s policy, clearly stated when it is a fact everywhere and seldom notified : cookies are legion even when not required. Nothing to do with scripts, add-ons found on Github’s pages, and nothing malicious in itself unless to consider that the very nature of an unnecessary cookie is malicious : if by now users still don’t know that and don’t develop their own privacy policy served by tools found everywhere then there’s nothing anyone can do about it : life is, has always been and will always be a blend of the best and the worst with a strong concentration around the in-between.

      1. Tom Hawack said on November 2, 2016 at 4:13 pm
        Reply

        @b, there is prevention and cure. Prevention on the Web concerns many, many topics and many tools are available, too many of both to begin a resume which would require chapters to describe but which are developed here on Ghacks (yeah: I like the place!) but also on several other good sites and I guess one has to be and committed to his own privacy and hunt, search for and find all information in this regard.

        Concerning the cure there is always the vacuum cleaner : regularly clean a browser’s cache/history with the built-in browser’s tools. From there on, aiming to cure what only needs to be cured (no point in decapitating for a simple headache) that’s where it gets slightly more complex of course. I hardly manage myself and because I’m more a self-made Web user than a graduated one I will lack a global view, that of enough global knowledge to fit what I know in that global puzzle…

        It’s tough but not that tough. There’s always better privacy and security but there’s always worse than doing nothing to keep our privacy… private. Security is IMO more important, both are tied most often on the Web as in life, it even happens that they are incompatible.

        If you’re concerned, b, and it seems you are, keep that good concern alive by visiting Ghacks regularly (I’m not GHacks advertiser!), by “sniffing” the Web for all you can find to satisfy that most valuable concern. Here people help people (most more than I can possibly do) so stay tuned :)

      2. b said on November 2, 2016 at 3:37 pm
        Reply

        @Tom Hawack
        I totally agree. I often check privacy policy and, as stated by you, that of github is clear. still too much tracking but that’s another story. my concern is, that the issue with add-ons seems out of reach for me to control or overview. it’s obscure and I don’t know exactly what to do. powerlessness, to me, is the worst case. not being able to act.

  14. Brian Williams said on November 2, 2016 at 2:08 pm
    Reply

    I stopped using WoT when it became apparent that SJWs had hijacked it and were categorizing conservative sites as unsafe but left wing liberal sites which pushed the cultural Marxist agenda were A-OK.

    1. Claude LaFreniere said on November 3, 2016 at 1:34 pm
      Reply

      You wrote : “categorizing conservative sites as unsafe”

      Unsafe for brains… (except for the brainless who vote for Trump…)

      Disclosure: I have a “cultural GrouchoMarxist agenda” :D

  15. Inolvidable said on November 2, 2016 at 11:48 am
    Reply

    Great piece of information. Martin, your articles are usually very helpful and IMHO Ghacks is totally worth my Patreon support. I encourage the readers who value this website to support it through Patreon.

    1. Tom Hawack said on November 2, 2016 at 2:24 pm
      Reply

      Or through PayPal. Otherwise positive thoughts, good vibrations as they say in California.

  16. Disgruntled Finnish resident said on November 2, 2016 at 9:48 am
    Reply

    Shitty Finland, again! With its racism, killing opposition newspapers, discrimination, hatred towards foreigners and accusing ones critique them of being Russian is finally surfacing to show its real face. Has anyone ever investigated what nokia did or their sailfish os thingy or any other finnish shit? I’m not surprised! Fuck WOT, Fuck Finland!

    1. Finn S. said on November 2, 2016 at 4:29 pm
      Reply

      Found the paid Russian troll.

      1. Disgruntled Finnish resident said on November 3, 2016 at 3:06 pm
        Reply

        Haahah! It was me who wrote that and as predicted the same old shit “blame to russia”, “disapprove anything bad about finland” resurrects again and again… Bro, im literally a non-white, non russian foreigner living in finland who has heard approved stories of your shit from pretty much everyone. all you have got is team finland wasting money everywhere to make you look good. thats all. you’re no different than pakistan. fuck all of you. check migranttales.com for a change for evidence. shitty finnish people. proven!

      2. MdN said on November 2, 2016 at 6:24 pm
        Reply

        @Finn S. Yeah, Putinbot alert. Not the first one here. Probably because the Russia/Finland news today.

    2. Tom Hawack said on November 2, 2016 at 1:53 pm
      Reply

      Finland, Finns are not to support the original sin of WoT, come on!
      I remember a Finn student in Lausanne, gorgeous young lady with dark, dark black hair and amazing eyes, a strong character and a developed sense of humor. I crushed for her but I never got close to either her lips or her heart… Hum, I’m off-topic again :)

  17. A or B, not C. said on November 2, 2016 at 8:56 am
    Reply

    If a browser addon can collect so much privacy data n sell them, imagine what M$ are collecting with their “anonymized” Telemetry data “addons/updates” in their OS, ie Win 10/8.1/7.

    1. A different Martin said on November 2, 2016 at 7:14 pm
      Reply

      This was my second thought. My first was to pat myself on the back for never trusting Web of Trust in the first place. (That one guy — “Pianosa,” I think — who gives two thumbs up to every data-sucking, user-tracking site ever built, didn’t help.) My third was to wonder how my ISP is analyzing, using, and marketing my Internet history. And my fourth was to be grateful for Tor Browser and the Tor Project.

      Speaking of my second thought (viz., what Microsoft is doing with its telemetry data), some of you may remember that I’m planning to switch from Windows 7 to Linux when Linux Mint 18.1 comes out. But I’ve recently read seriously high praise for Chapeau Linux, which is based on Fedora with Gnome 3. I installed it in VirtualBox, and so far, so good, although Gnome is kind of alien to me. (Seems like it has some pretty demanding hardware requirements, too. It’s pretty slow on my underpowered laptop with integrated graphics. To really try it out, I may need to wait until I get a new laptop that’s powerful, sturdily built, easy to service, and reasonably priced. And no, you can’t have some of whatever I’ve been smoking ;-)

      Anyway, PRIVACY: it’s not just for criminals and pervs. Journalists and their sources, lawyers and their clients, doctors and their patients, political activists and their associates, and just plain ordinary folks value it, too.

  18. Hy said on November 2, 2016 at 7:21 am
    Reply

    Martin,

    Is it worth it (or even possible) to update older articles which recommended Web of Trust?

    Just ran across one, below:

    https://www.ghacks.net/2009/10/15/top-5-security-plugins-for-firefox-chrome-and-internet-explorer/

  19. Hy said on November 2, 2016 at 5:31 am
    Reply

    Quick thoughts:

    This raises more questions for me than it answers. What other add-ons are known to be engaging in this? Is any testing of add-ons even being done to determine which add-ons are doing this?

    We’ve known for years of the possibility of add-ons having access to some types of data—do all add-ons have such capability, or only certain add-ons designed like WOT (which scans all links visited, presumably)?

    “Your browsing history may have been sold already: …Web of Trust logs collected information such as time and date, location, web address and user ID.”

    Is it, properly speaking, one’s “browsing history” being collected and sold? If so, would having private browsing mode always enabled be sufficient to prevent some types of add-ons from being able to collect things like browsing history, cookies, cache, etc.? (Although it seems link-scanning-type add-ons such as WOT are by their very nature obviously still able to have access to a list of all sites visited, and thus collect and sell it, etc.…)

    Presumably a VPN prevents one’s true location from being accessed, collected, and sold, no?

    What exactly is the “user ID” being collected? Any ways to block or obscure this? Any ways to block or obscure the time and date being collected?

    Finally, taking a moment to savor the oxymoronic, Orwellian irony that Web of Trust is the first add-on named which cannot be trusted… :)

    1. earthling said on November 2, 2016 at 4:24 pm
      Reply

      Oh, and no, using private browsing mode would not help in those cases either. Nothing apart from getting rid of such addons will. Disable cache, disable history, disable everything – if you send every request to a remote server, nothing will prevent that. I guess you could block the connections to that server but that would make the addon even more useless than it already is.
      If you understand a bit of javascript you could look at the source code and search for certain function calls, ie. functions used for storing data and more importantly functions used to make web-requests.
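The manual check described in the comments above (searching an extension's files for hard-coded addresses and for the functions that make web requests) can be scripted. This is an added example, not code from any commenter or from an extension named on this page; the permission list, the API patterns and the sample manifest and source are constructed for illustration.

```python
import json
import os
import re
from urllib.parse import urlsplit

# JavaScript constructs that send data off the machine.
NETWORK_APIS = {
    "XMLHttpRequest": re.compile(r"\bnew\s+XMLHttpRequest\b"),
    "fetch": re.compile(r"\bfetch\s*\("),
    "sendBeacon": re.compile(r"\bnavigator\.sendBeacon\s*\("),
    "WebSocket": re.compile(r"\bnew\s+WebSocket\b"),
}
URL_RE = re.compile(r"""(?:https?|wss?)://[^\s"'`<>)\\]+""")
# Permissions and match patterns that let an extension see every page visited.
BROAD_PERMISSIONS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*",
                     "tabs", "webRequest", "webNavigation", "history"}

# Constructed sample standing in for an unpacked extension.
SAMPLE_MANIFEST = {
    "name": "Example Rater",
    "permissions": ["tabs", "storage", "<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*"], "js": ["content.js"]}],
}
SAMPLE_FILES = {
    "background.js": '''
var req = new XMLHttpRequest();
req.open("POST", "https://collect.example/v1/event");
req.send(payload);
''',
    "content.js": "console.log('rating widget loaded');\n",
}


def broad_permissions(manifest):
    """List declared permissions that expose all browsing activity."""
    declared = list(manifest.get("permissions", []))
    declared += manifest.get("host_permissions", [])
    for script in manifest.get("content_scripts", []):
        declared += script.get("matches", [])
    return sorted({p for p in declared if p in BROAD_PERMISSIONS})


def scan_sources(files):
    """files maps file name to text. Returns (api -> files, host -> files)."""
    apis, hosts = {}, {}
    for name, text in files.items():
        for api, pattern in NETWORK_APIS.items():
            if pattern.search(text):
                apis.setdefault(api, []).append(name)
        for match in URL_RE.finditer(text):
            host = urlsplit(match.group(0)).hostname
            if host:
                hosts.setdefault(host, set()).add(name)
    return apis, {host: sorted(names) for host, names in hosts.items()}


def load_extension(root):
    """Read manifest and script/markup files from an unpacked extension folder."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.endswith((".js", ".html", ".json")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    files[os.path.relpath(path, root)] = handle.read()
    manifest = json.loads(files.get("manifest.json", "{}"))
    return manifest, files


if __name__ == "__main__":
    print("broad permissions:", broad_permissions(SAMPLE_MANIFEST))
    found_apis, found_hosts = scan_sources(SAMPLE_FILES)
    print("network APIs:", found_apis)
    print("hard-coded hosts:", found_hosts)
```

A text search like this only finds plain-text calls and addresses; code that is obfuscated or fetched at run time will not show up, so an empty result is not proof that an extension sends nothing.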

    2. earthling said on November 2, 2016 at 4:02 pm
      Reply

      There’s absolutely nothing that mozilla can do when a user chooses to install an addon that works by sending every request to a remote server ‘to check if it’s trustworthy’ (unless the addon and servers are provided by mozilla themselves)
      I didn’t have to read the privacy policy of WoT to know that it’s not to be trusted.
      There was a time when the Addon was heavily advertised, in popular magazines and websites, and I always felt a pity for the users who will fall for that. I think they even added the addon to certain setup files, i.e. they paid someone to include their WoT addon, so by definition that makes WoT ad-ware, and they spent all that money to protect their beloved users – yeah right!
      The same is true for the built-in safebrowsing feature in FF, although then again they say the requests are anonymized, but quite frankly, the only thing IMO worse than sending every request to a remote server is sending every request to a Google server!
      If you can rely on one thing and one thing only, it’s that there will always be enough idiots to make money off of.

      1. earthling said on November 2, 2016 at 4:31 pm
        Reply

        Yeah that’s a good indicator that the developers will receive some kind of data, otherwise there’s simply no need for a privacy policy.

      2. Tom Hawack said on November 2, 2016 at 4:23 pm
        Reply

        I totally agree. This is why I systematically avoid Firefox add-ons featuring a privacy policy as this implies possible tracking. I only hope that there is no available add-on on AMO free of a privacy policy when in fact the add-on would nevertheless have tracking features…

    3. Parker Lewis said on November 2, 2016 at 2:09 pm
      Reply

      – I don’t know which add-ons do this, but as I said in another comment Mozilla does manual reviews and it’s going to be hard for an add-on to send more data than what is advertised in its own privacy policy.

      – An add-on doesn’t need the browser’s history feature to make a list of all websites you visit once it is installed and enabled.

      – The ID is one built by the Web of Trust add-on. (It’s in their privacy policy.)

      – A (good) VPN hides your location from websites, but has access to your browsing data. You are trading something for something else when using a VPN. Read carefully the VPN’s privacy policy and choose whether you trust it, because if it wanted it could sell everything just the same as Web of Trust. (Or it could be hacked and whatever data it stored go to the black market, which is tapped into by legit companies through intermediates.)

      1. Stacy said on November 3, 2016 at 5:00 pm
        Reply

        Yeah you’re right, I subscribe to PureVPN, I am able to hide my original IP address

      2. Hy said on November 2, 2016 at 10:36 pm
        Reply

        Ah, I didn’t know that all add-ons are technically able to catch network requests and make their own. That’s what I was wondering about. Thanks!

      3. Parker Lewis said on November 2, 2016 at 10:12 pm
        Reply

        The only source of technical limitations for an add-on is what kind of add-on it is, i.e. XUL/XPCOM, SDK, bootstrapped or WebExtension. In our case there’s no need to make a distinction because they are all technically able to catch network requests and make their own.

        So they can all extract data from you…if they are able to sneak through Mozilla’s manual review process. (Or if they do it openly and admit it in their privacy policy like WOT.)

      4. Hy said on November 2, 2016 at 9:05 pm
        Reply

        @Parker Lewis:
        Thanks for the reply! I was hoping the user ID was a WOT thing and not something else. And I’m sure an add-on like WOT doesn’t need the browser’s history feature to make a list of all websites visited, because it seems that the very nature of an add-on like WOT is for scanning for and intercepting all links in the first place. I was just wondering if it was possible that any type of add-on had the same capabilities to do what WOT does…

      5. earthling said on November 2, 2016 at 4:37 pm
        Reply

        Web Extensions still allow for web-requests, every possible addon format in the past, present and the future will allow for that. If the concept of an addon is just fucking stupid then even the best, most locked down APIs can’t prevent that.

      6. Tom Hawack said on November 2, 2016 at 2:40 pm
        Reply

        “propensity”, not “prosperity” … thanks WordReference, again and sorry for the mistake.

      7. Tom Hawack said on November 2, 2016 at 2:30 pm
        Reply

        Regarding an add-on’s prosperity to follow its users, perhaps the new Web Extension add-on format will reduce it, limited APIs for the best when we may focus on this limit as the worst.

  20. Shame said on November 2, 2016 at 2:16 am
    Reply

    Assume the worst and you still may only see the top of the iceberg. This misery will go on because no one in charge has an interest to protect the little guys privacy since they are the ones who profit from it. People would have to wake up and realize they are being sold. Unfortunately the common herd is blessed with too much ignorance to understand the momentousness of their privacy carelessness. It is an absolute shame what’s happening and it makes me more and more wonder about the mental state of our society.

    1. earthling said on November 2, 2016 at 5:09 pm

      Wow, I couldn’t have said it better! double-plus good for that one! ;-)

  21. Anonymous said on November 2, 2016 at 1:16 am

    That’s why I never installed an add-on with a “Privacy Policy”.

    1. Hy said on November 2, 2016 at 11:53 pm

      To each his own… Unfortunately, it’s not that simple, and doing so would cause a user to reflexively, categorically reject some add-ons which they may find useful, such as NoScript, Decentraleyes, EFF’s HTTPS Everywhere and Privacy Badger, and uBlock Origin, etc., to name a few.

      In short, the mere existence of an add-on having a “privacy policy” does not necessarily definitively prove that that add-on is stealing your personal data; and conversely, the mere lack of a privacy policy for an add-on does not necessarily definitively guarantee that no personal data whatsoever is being collected by the add-on.

      1. Hy said on November 3, 2016 at 3:19 am

        Thanks for saying so, Tom. :) As usual, I’ve learned a lot from Martin’s article, and from our subsequent discussion of it in these comments. Long live ghacks! :)

      2. Tom Hawack said on November 3, 2016 at 12:27 am

        Looks like I’ve been mistaken on the very meaning of an add-on’s privacy policy availability, linking this policy with the fact such add-ons would inevitably include home calls, be they honest or not. I’ve been mistaken to the point that I’d check the existence of an add-on’s privacy policy after I had suspected it from establishing connections and not before. The consequence is that I have several of the add-ons you mention as providing indeed a privacy policy even though these add-ons do not follow me as my shadow. This is a perfect example of an idea so deeply anchored in mind that you may forget elementary checking.

        Hence : the privacy policy availability is not limited to add-ons “phoning” wherever.

        Good thing you mentioned this, Hy. Very good. Thanks. I should have checked….

  22. Tony said on November 2, 2016 at 12:39 am

    All sorts of companies claim they only collect “anonymized data”. This is what happens if you believe them.

    1. Parker Lewis said on November 2, 2016 at 1:48 pm

      When you read “aggregate”, “anonymous”, “anonymized” and “non-personally identifiable”, you can safely consider that you play some kind of lottery. Should you lose, you’ll be personally identifiable despite all the service provider’s “precautions”.

      Some methods are blatant jokes, others make honest attempts to protect people, but I don’t think it’s ever a 100% guarantee since it’s an automated process.

      Differential privacy is by far the current best way to do it that I’m aware of, but it’s definitely not widespread at all. (yet, I hope)

    2. Corky said on November 2, 2016 at 8:11 am

      Honestly very little data is truly anonymised, or maybe I should say can’t be easily de-anonymised.

      The more data you have the easier it becomes to connect the dots, something like 87 percent of all Americans can be uniquely identified using only three bits of information: ZIP code, birthdate, and sex.
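The uniqueness effect described in the comment above can be measured on any data set. The following is an added example, not part of the original comments: the records, the field names and the `generalize` step are constructed for illustration.

```python
from collections import Counter

# Constructed sample: rows with the name removed, quasi-identifiers kept.
RECORDS = [
    {"zip": "10115", "dob": "1980-03-14", "sex": "F"},
    {"zip": "10115", "dob": "1980-03-14", "sex": "F"},
    {"zip": "10115", "dob": "1980-07-02", "sex": "F"},
    {"zip": "10117", "dob": "1980-11-30", "sex": "F"},
    {"zip": "10119", "dob": "1975-01-09", "sex": "M"},
    {"zip": "10119", "dob": "1975-06-21", "sex": "M"},
    {"zip": "10243", "dob": "1990-05-05", "sex": "M"},
    {"zip": "10243", "dob": "1990-05-05", "sex": "F"},
]
QUASI_IDENTIFIERS = ("zip", "dob", "sex")


def group_sizes(records, keys=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifiers."""
    return Counter(tuple(r[k] for k in keys) for r in records)


def unique_fraction(records, keys=QUASI_IDENTIFIERS):
    """Share of records whose combination occurs exactly once (re-identifiable)."""
    sizes = group_sizes(records, keys)
    alone = sum(1 for r in records if sizes[tuple(r[k] for k in keys)] == 1)
    return alone / len(records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest group; k == 1 means someone is still unique."""
    return min(group_sizes(records, keys).values())


def generalize(record):
    """Coarsen the record: 3-digit ZIP prefix and birth year only."""
    return {**record, "zip": record["zip"][:3] + "**", "dob": record["dob"][:4]}


if __name__ == "__main__":
    coarse = [generalize(r) for r in RECORDS]
    print("raw:    unique", unique_fraction(RECORDS), "k =", k_anonymity(RECORDS))
    print("coarse: unique", unique_fraction(coarse), "k =", k_anonymity(coarse))
```

Coarsening the fields lowers the unique share but leaves the smallest group at one record, so at least one person remains singled out.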

  23. Guest703 said on November 1, 2016 at 11:37 pm

    WOT already getting hammered by bad reviews on the Firefox AMO. I had this installed several years back, but removed it when I noticed it slowing Firefox down considerably. I’ve occasionally used the WOT website to check a link I find suspect – this is probably the safer way to go about things, rather than having the addon installed.

    Someone needs to develop a similar tool, but one that uses an open source URL scrambler, allowing users to request URLs anonymously (TOR network, perhaps).

  24. meepmeep said on November 1, 2016 at 11:21 pm

    “the anonymization does not work as intended”
    Maybe it’s working exactly as intended. Maybe.

  25. jern said on November 1, 2016 at 11:18 pm

    The Firefox watching the chickens. From this point on, I’m going to be suspicious of any add-ons that need to phone home.

    1. Hy said on November 2, 2016 at 5:23 am

      How will you know which add-ons are phoning home? (I’d like to know which, if any, of mine are phoning home, too.)

      1. Tom Hawack said on November 2, 2016 at 11:09 pm

        Gee, maybe I’ll make it into the Guinness Book!
        Well, I may have many add-ons but on the other hand I don’t keep a hundred tabs opened (for whomever it may concern!).
        Back to the topic : of course the more add-ons you run the more you’re likely to have an intruder in the band, even if you avoid add-ons with a privacy policy, such as add-ons found everywhere now which seem to hunt for all situations which would legitimate a connection to a server, be it for price comparisons, site comparisons, assistance for this or for that… just like a commercial TV which would consider the programs best fitted to carry the advertisements … and not the other way around. Business is great but sometimes it makes its living on upside-down logic, and that ain’t good, and doesn’t announce a context of discoveries, innovation which require passion, not devotion.

      2. Parker Lewis said on November 2, 2016 at 10:42 pm

        Now that I have the list (thanks!), the next step in my research is to figure out whether or not you are the person on Earth with the most Firefox add-ons.

      3. Tom Hawack said on November 2, 2016 at 9:38 pm

        I saw you, Parker, I read your insinuation, that about my 75 add-ons … I know, it’ll never stop surprising you :)

      4. Parker Lewis said on November 2, 2016 at 9:33 pm

        You can rule out legitimate website traffic of your research more easily if you block all third party requests through uBlock Origin or another content blocker. That should reduce the noise in whatever tool you use to check network activity. I just hope you don’t have 75 add-ons :P

      5. Hy said on November 2, 2016 at 8:57 pm

        Thanks for the suggestions. I was hoping I could get away with not having to fire up Wireshark or a sniffer, but perhaps that’s the only way. My firewall (Online Armor) logs indicate lots of requests from browsers being used, of course, but don’t seem to indicate a level of detail greater than that (i.e., if any add-ons themselves are making requests). Glasswire, too, shows connections, but again, not in a level of detail greater than which browsers the requests came from. Hopefully a sniffer will clearly show if the add-ons themselves are making connections.

        I’ll start by going through all my add-ons one-by-one and seeing if they have a privacy policy…

      6. PaoloPì said on November 2, 2016 at 2:05 pm

        dnsmasq as dns-proxy
        you will see ALL the DNS requests, nice view… ;-)

      7. Parker Lewis said on November 2, 2016 at 1:33 pm

        Use a network sniffer, or your firewall logs if it’s good enough and you don’t want to install extra software.

        You can also check the privacy policy of add-ons you installed. Reading Web of Trust’s I wouldn’t have trusted it in the first place.

        Also add-ons are reviewed manually by trained people at Mozilla. It’s going to be hard to make them validate an add-on that blatantly disobeys its own privacy policy by sending out more data than advertised.

        (Add-on owners can do whatever they want once the correct, advertised data is sent out, of course)
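One way to act on the dnsmasq and firewall-log suggestions in this thread is to capture DNS queries once with all add-ons disabled and once with a single add-on enabled, then diff the two. The following is an added example, not part of the original comments: it assumes dnsmasq runs with `log-queries` and writes syslog-style lines, and the log excerpts, host names and addresses are constructed.

```python
import re
from collections import Counter

# Matches dnsmasq "query[TYPE] name from client" lines; other lines are skipped.
QUERY_RE = re.compile(
    r"dnsmasq\[\d+\]: query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)"
)

# Constructed capture: same browsing session, all add-ons disabled.
BASELINE_LOG = """\
Nov  2 14:05:01 dnsmasq[812]: query[A] www.example.org from 192.168.1.20
Nov  2 14:05:01 dnsmasq[812]: forwarded www.example.org to 192.0.2.53
Nov  2 14:05:01 dnsmasq[812]: reply www.example.org is 203.0.113.10
Nov  2 14:05:02 dnsmasq[812]: query[AAAA] www.example.org from 192.168.1.20
Nov  2 14:05:09 dnsmasq[812]: query[A] cdn.example.org from 192.168.1.20
"""

# Constructed capture: same session repeated with one add-on enabled.
ADDON_LOG = """\
Nov  2 14:12:30 dnsmasq[812]: query[A] www.example.org from 192.168.1.20
Nov  2 14:12:31 dnsmasq[812]: query[A] api.addon-vendor.example from 192.168.1.20
Nov  2 14:12:38 dnsmasq[812]: query[A] CDN.example.org. from 192.168.1.20
Nov  2 14:12:40 dnsmasq[812]: query[A] api.addon-vendor.example from 192.168.1.20
Nov  2 14:12:41 dnsmasq[812]: query[A] updates.other.example from 192.168.1.35
"""


def queried_names(log_text, client=None):
    """Count queried host names, optionally for one client IP only."""
    counts = Counter()
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m is None or (client and m["client"] != client):
            continue
        # Normalise case and the trailing root dot so names compare equal.
        counts[m["name"].lower().rstrip(".")] += 1
    return counts


def new_names(baseline_log, test_log, client=None):
    """Names queried in the test capture that never appear in the baseline."""
    base = queried_names(baseline_log, client)
    test = queried_names(test_log, client)
    return {name: n for name, n in test.items() if name not in base}


if __name__ == "__main__":
    for name, n in sorted(new_names(BASELINE_LOG, ADDON_LOG, "192.168.1.20").items()):
        print(f"{n:3d}  {name}")
```

DNS logs show which hosts were looked up, not what was sent to them, and a cached name is only queried once per cache lifetime, so a packet capture is still needed to see the payload.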

  26. wonton said on November 1, 2016 at 11:16 pm

    everyone needs to visit the addon page and press the report abuse link, they breached their own privacy policy.

  27. Tom Hawack said on November 1, 2016 at 10:56 pm

    Only one add-on explicitly mentioned by Panorama, Web Of Trust. I doubt there may be many more, at least any more than those publishing — at least on Mozilla’s AMO — a Privacy Policy, always relevant of collected information, be it anonymous or not. I think it’s an obligation with Mozilla extensions, I don’t know how it goes with Chrome.

    Always searching for an add-on’s Privacy Policy is a good reflex I think, especially when it leads to avoiding the add-on.
    Are there add-ons, Mozilla add-ons for my concern since I don’t run Chrome, that would collect a user’s data without having displayed the existence of a Privacy Policy, that is what I wonder when reading here the revelations of Panorama.

    Using uBlockO on Firefox I’ve removed chrome-extension-scheme from the white-list and added it as follows to ‘My Rules’ :

    chrome-extension-scheme * 3p noop
    chrome-extension-scheme * 3p-frame noop
    chrome-extension-scheme * 3p-script noop

    This limits an add-on’s prosperity — if applicable — to communicate beyond the rules assigned to uBlockO.

    I did the same by the way with behind-the-scene and data-scheme : no blank-check.
    75 add-ons here : it’s not the Russian but rather a Kalashnikov roulette. I better sit down and relax :)

    1. Paranam Kid said on November 2, 2016 at 5:50 am

      Tom, your uBlockO measure looks interesting, but bear in mind uBlockO is also a free security extension.

      1. Anonymous said on November 2, 2016 at 8:28 am

        It’s open-source, check it out on GitHub.

  28. Roger W. said on November 1, 2016 at 10:55 pm

    Any good alternative to WOT? Planning to remove it.

    1. Hy said on November 2, 2016 at 7:15 am

      P.S. McAfee SiteAdvisor is another add-on which may be similar to WOT. Again: not a recommendation, and I do not know their privacy policy.

    2. Hy said on November 2, 2016 at 7:11 am

      Avira makes an add-on called Browser Safety, I think, and Bitdefender also makes one, called Traffic Light. The latter may be most similar to WOT. I’ve no idea about any of their privacy policies, however. Other AV/security outfits (Avast, Panda, etc.) may also have things which will do something similar to WOT.

      Even uBlock Origin blocks a number of, shall we say, disreputable sites, by default.

      The aforementioned are free, but as we know, you get what you pay for, or in this case, if it’s free, you may end up “paying” for it in other ways.

      For paid-protection which is system-wide, there’s Emsisoft realtime protection, which will, among many other things, alert and/or block malware hosts, phishing hosts, PUP hosts, and privacy risks.

      I’ve even had Malwarebytes premium pop up a few times and warn me about a site, but that’s been few and far between. Emsisoft is by far more thorough and customizable.

      1. Hy said on November 4, 2016 at 12:20 am

        It’s absolutely true that paying for software in no way guarantees that your data won’t be collected.

        While on this subject, it’s pertinent to note that in the AV Comparatives test “Data transmission in Internet security products,” which Martin wrote about on here awhile back, Emsisoft was one of only two out of 21 security products tested which were found to not transmit any personal information.

      2. Anonymous said on November 3, 2016 at 3:31 pm

        uBlock Origin is open source so you can figure out if it phones home yourself. It most likely doesn’t since there are even plans to replace Adblock Plus in Tails with uBlock Origin. And don’t believe for one second that paying for a software is a guarantee to not get your data collected like with WoT. Only way you can be sure is with open source software or not letting the software access the internet.

  29. Anonymous said on November 1, 2016 at 10:54 pm

    This is exactly why I hate the retarded argument whenever Mozilla removes a feature from Firefox, that is, “just install an add-on, brah”

  30. Yuliya said on November 1, 2016 at 10:30 pm

    WoT, Ghostery.. large companies that want your own good for nothing in return. Yeah, right, avoid them like the plague. The latter came through my mind right now, but there are more.

    Funny how you can search for a medical condition, which goes away in a few days, yet you’re still getting spammed with miraculous cures for an entire month, or more.

  31. Velocity.Wave said on November 1, 2016 at 10:19 pm

    Oh oh… umm… I hope they don’t notice that everyday I’ve been… sorta… kinda… you know… frequenting… http://www.ghacks.net a little bit, maybe, during my free time. Whelp… I guess I can kiss that job offer at Microsoft goodbye.

  32. Parker Lewis said on November 1, 2016 at 9:39 pm

    Nicely put :)
    If all articles had that kind of insight, I doubt there would be many people left saying ignorantly “Why would you mind, if you have nothing to hide ?”. Information can be worth so much, in capable hands.

    I wonder what’s the size of the data black market nowadays.
