Are you ok with advertisers having access to your web surfing? Are you ok with them knowing your search terms, translated texts, visited websites, and clicked Facebook profiles?
If not, you might want to have a quick look at your browser extensions. Browser extensions are plug-ins designed to give web browsers additional capabilities. Toolbars giving you features such as specialized search functions, web page analytics, and similar capabilities are popular examples of browser extensions. In most cases, they’re freely available for download from websites, making them a great way to improve the user experience of your favorite web browser(s).
But browser extensions found themselves in the spotlight last week after an investigation by Northern German Broadcasting exposed the data collection and sharing practices of the popular Web of Trust (WOT) browser extension. According to reports about the investigation, WOT, which was designed to inform users whether or not the websites they visit are trustworthy, was collecting and selling data about their user base.
However, the investigators claim that they were able to match “anonymized” data shared by WOT with specific individuals. And this highlights a significant problem with monetizing user data: completely anonymizing data is very difficult and is an ongoing challenge.
WOT is not the first company to fall down this slippery slope. In 2006, an employee at America Online (AOL) released search data for hundreds of thousands of users. The data was anonymized by replacing names of users with numbers. But this wasn’t enough to protect the identity of affected AOL users. In less than a week, the New York Times was able to correctly link a user with their AOL search records.
So anonymizing data isn’t as straightforward as it seems. But what does all of this have to do with browser extensions? Well, browser extensions are a common source of something called potentially unwanted applications (PUA). The criteria defining what is/is not a PUA can be quite intricate. But basically, PUAs are programs that have harmful effects for devices/users, but do not qualify as malware. They often mix genuine value with negative “side effects” that can be well-hidden or perhaps even undisclosed.
This doesn’t mean browser extensions are automatically PUAs (in fact, some security solutions like F-Secure SAFE’s Browsing Protection are actually browser extensions). Web browsers will often provide a well-curated selection of browser extensions to help users find good ones that enhance the capabilities of browsers in order to improve the user experience. And since browsers are most people’s gateway to the internet, improving the experience offered by browsers can improve people’s experience across a wide range of online services and websites.
So you shouldn’t be afraid to trust browser extensions, including things like WOT. They often have significant benefits to users. However, you should be aware of how “free” pieces of software (not just extensions, but basically any free software) stay afloat. Companies that develop these products and services need to make money of them. And if they’re not charging you or relying on other sources of revenue, they’ve probably found a way to build their business using your data.
Contains information translated from Der Spion in meinem Browser.
[Image by Terry Johnston| Flickr]
This is a guest post by F-Secure trainee Mari Mäkinen. The cyber security market is…
July 19, 2017
On a recent trip to the Finnish Archipelago, F-Secure security advisor Sean Sullivan scanned the…
July 13, 2017