You probably knew there was something going on behind those browser extensions you use to add features to Chrome and Firefox, right? I mean, no one really offers anything for free on the internet--there's always a cost. Well, you were right, and it's probably higher than you thought.
A new investigative report from The Washington Post's Geoffrey Fowler, who previously shared how your iPhone is leaking personal information while you sleep, now details how the extensions you add to your browser are not only capturing an extraordinary amount of your personal information, but are selling it online as marketing research.
Fowler says he reported his findings, obtained through an outside security firm, to both Google and Mozilla, the makers of the affected browsers, and both immediately deactivated the suspect plug-ins. Still, according to the report, as many as four million people's Web browsing history was available online as a result of those extensions alone.
More personal information than you might think.
You might think browsing history alone isn't nearly as bad as having your personal credit card or banking information exposed, but consider for a moment that the URL of the sites you visit often contains a lot more information than you might think.
In fact, according to Fowler, they were able to view medical information that included the names of patients, doctors, and prescriptions. They also had access to flight confirmation numbers, cloud-based documents stored in Microsoft's OneDrive, and even sensitive work projects that employers probably aren't too interested in having out in the open.
That's a lot of personal information for a browser extension presumably designed to make it easier to zoom in on photos, as one of the examples called HooverZoom claimed was its purpose.
Fowler worked with a researcher named Sam Jadali, who the report says identified six plugins that were collecting user data and then selling that information online. Those six were called Hover Zoom, SuperZoom, SpeakIt!, SaveFrom.net Helper, FairShare Unlock, and PanelMeasurement.
If you installed any of those, there's nothing to do now about the offending extensions, they've already been disabled by Google and Mozilla.
But what about your information? That's another question altogether. Unfortunately, the answer is not great news.
There's more bad news.
In addition to those six extensions, another survey referenced in the report said that North Carolina State University researchers found as many as 60 million people are using browser extensions that leak data. They may not be as egregious as selling your Web history online, but they collect personal information, often without transparent disclosures about exactly what they do.
This kind of leak of personal information is why Google says it's changing the way extensions work in Chrome, so developers won't have access to your Web traffic. Although, in fairness, it's worth pointing out that Chrome still has access to that information, and Google most certainly uses it for its own purposes.
What do you do now?
The most obvious step to take is to be sure that if you're adding any kind of browser plugin or extension that it's from a developer you consider reputable. Then, even when that's the case, look at exactly what you are agreeing to, in terms of access to your information. If a browser claims it needs access to view or change your Web history, it's probably best to steer clear unless there's a good reason otherwise.
And if you've been using extensions that are selling your information, there's probably not a lot you can do about it. Most of the time, it's hard to figure out exactly where it went, and even if you do, you probably agreed to let them have access. All the more reason to consider this a very difficult lesson in how the internet works.
Digital marketers continue to look for new ways to identify and target you with relevant ads, and some of them are less-than-transparent about how they do that. Your job is to be informed and vigilant. After all, if you won't guard your personal information, you certainly can't count on your technology to do if for you.