,
13 tweets,
5 min read
Read on Twitter
This is a compelling account of data leakage through dodgy but popular browser extensions. To do a small useful task -- like letting you easily zoom in a picture on a web page -- an extension will ask for full permissions to read and modify everything you see as you surf. ...
... Thousands of extensions ask for and get that access from users who have no reason to know that, say, the URLs they click on will be shared for "marketing" purposes, eventually finding their way to brokers like Nacho Analytics, who then sell the data to anyone who pays ...
It turns out a lot of private data ends up in a URL. Long, un-guessable URLs are ways of referring to private Google Drive or OneDrive docs. They contain record locators and passenger names for airline flights. And those extensions read it all and pass it along. 
Nacho Analytics's cheery testimonials describe the value of such raw, granular data from "millions and millions of people all over the world."
Would those people agree to install a zoom-webpage-pictures extension if they knew that their entire, revealing, ongoing browsing history would be recorded and sold? Have they meaningfully opted in? Of course not. (And given the numbers, "they" quite possibly = "you.")
The company's declaration about privacy is artful. "We can't see passwords, logins, or even keystrokes." True. And the dangers of smoking ten packs a day can be put to rest because there is absolutely no link between smoking and shark attacks.
What makes this data useful -- saleable -- is not separable from what makes it invasive. This is a peek into a pervasive but hidden ecosystem. A duck's feet madly paddling beneath the surface, while all most see is it serenely gliding across a pond. Read the marketing:
That's right. "This isn't the same data you'd see from SpyFu, SEMrush, or ahrefs." Not household names. By design.
This system can't be patched or retrofitted. Its success depends on the lie of informed consent, on obscurity, and on dismissing invasive pieces as rounding errors.
This system can't be patched or retrofitted. Its success depends on the lie of informed consent, on obscurity, and on dismissing invasive pieces as rounding errors.
The company's web site today has a splash screen crafted in response to @geoffreyfowler and @sam_jadali's worthy spadework. It's chef's-kiss level denial and counter-charge. "...an individual exploited our tool specifically to seek out security flaws in less-secure web sites."
Imagine hearing of a car model with bad steering, and the journalist and researcher who test it and confirm the problem are dismissed because they were "specifically seeking out flaws." With blame placed on web sites' too-common practice of using URLs for sensitive info.
It's like a service that rummages through millions of people's curbside garbage -- "They put it out there! They consented!" -- digitizes all the tossed paperwork, and sells the contents. Is the problem that the people were "less secure" by not burning their receipts and bills?
They say that they -- and their unnamed "3rd party data provider" -- take privacy seriously. At bottom the splash screen says, "Thank you for your understanding." Then, a bit on the nose: a button to click with no other option, labeled "I UNDERSTAND."
We understand very well.
We understand very well.
Some fascinating technical detail from @dangoodin001 about the browser extensions that slurp up and share browsing data: arstechnica.com/information-te….
What jumps out are the extensions's obfuscations of their activites, such as by waiting a couple weeks before sending telemetry back.
What jumps out are the extensions's obfuscations of their activites, such as by waiting a couple weeks before sending telemetry back.
