Six Popular Chrome and Firefox Extensions Funnelled User Browsing Data to Nacho Analytics (arstechnica.com)

Dan Goodin, Ars Technica:

When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people’s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head.

DataSpii begins with browser extensions — available mostly for Chrome but in more limited cases for Firefox as well — that, by Google’s account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag line “See Anyone’s Analytics Account.”

I’d be willing to bet that most people don’t think twice after installing a browser extension, and don’t fully consider the implications of its level of access. Extensions are a security and privacy risk, especially when you consider how much work is done through web browsers by employees with elevated access.

For their part, the CEO of Nacho Analytics responded weakly:

In an interview, Nacho Analytics founder and CEO Mike Roberts reiterated that the service is fully GDPR compliant and that the millions of people whose data is collected have expressly agreed to this arrangement.

“You absolutely do” click an agree button, Roberts said of all users whose data is published. What’s more, he said, “we spend quite a bit of time processing every URL that we see to remove all the personally identifiable information.” Ars has confirmed that in many cases, the URLs published by Nacho Analytics have had names, Social Security numbers, and other personal information removed. However, Ars was also able to find numerous instances of names and other personal information remaining in published URLs.

[…]

But Roberts defended the basic practice of publishing links that, when clicked, lead to private data — so long as that data isn’t viewable in the URL itself as published by Nacho Analytics.

I truly don’t believe Roberts intends to do wrong here, but the ease with which his company’s product can be abused at scale suggests that he underestimated the risk of anyone doing so. It also reinforces my contention that the valuation of collecting and exchanging data like this is a deeply corrosive industry.