This week, Ars Technica and How-To Geek released some pretty startling news: a lot of browser extensions are either injecting ads into the sites you visit, or are tracking your entire browsing history—possibly without you knowing. Here's what's going on.
Update: There is now a Chrome extension called ExtShield that will notify you if you're using any other privacy-breaching extensions. Read more about it here.
As Ars notes, a lot of these extensions started as good, honest, independent extensions that were bought by adware companies. Then, through automatic updates, they added tracking features and/or ad injection and have been collecting data ever since. This is pretty easy, since they already required permissions that were so broad. They may have checkboxes in the settings that let you turn this behavior off, or they may have disclosures located on the extension's download page. But if you didn't read the fine print or downloaded the extension before it updated, you probably had no idea this was happening.
From the How-To Geek's explainer:
These extensions are "allowed" to engage in this tracking behavior because they "disclose" it on their description page, or at some point in their options panel. For instance, the
HoverZoom extension
, which has a million users, says the following in their description page, at the very bottom:
"Hover Zoom uses anonymous usage statistics. This can be disabled in the options page without losing any features as well. By leaving this feature enabled, the user authorize the collection, transfer and use of anonymous usage data, including but not limited to transferring to third parties."
Where exactly in this description does it explain that they are going to track every single page you visit and send the URL back to a third party, which pays them for
your
data? In fact, they claim everywhere that they are sponsored through affiliate links, completely ignoring the fact that they are spying on you. Yeah, that's right, they are also injecting ads all over the place. But which do you care more about, an ad showing up on a page, or them taking your entire browsing history and sending it back to somebody else?
This particular extension has had a long history of bad behavior, going back quite some time. The developer has recently been caught
collecting browsing data including form data
but he was also caught last year
selling data on what you typed in
to another company. They've added a privacy policy now that explains in further depth what is going on, but if you have to read a privacy policy to figure out that you are being spied on, you've got another problem.
To sum up, a million people are being spied on by this one extension alone. And that's just
one
of these extensions — there are a lot more doing the same thing.
The How-To Geek is putting together a solid list of extensions that practice this behavior, including many that we've featured on Lifehacker (before they became adware), including Hover Zoom, CrxMouse, Hola Unblocker, SmoothGestures, and tons of others. (Update: Hola Unblocker tested ads in December, but has since removed them). Google has already removed a few of the higher profile ones, but as long as their policies allow for this, it will continue to be a problem. Mozilla has a few extensions that fall into this category too, though it seems to be less of a prominent issue for Firefox users.
I highly recommend reading the full article over at How-To Geek. It has a lot more detail on what happened and how to investigate the extensions you have installed. In addition, you should check out their list and see if you're using any of the extensions on it.
Warning: Your Browser Extensions Are Spying On You | How-To Geek
List of Tracking Extensions | How-To Geek Discussions
Adware Vendors Buy Chrome Extensions to Send Ad- and Malware-Filled Updates | Ars Technica