Slashdot Mirror

← Back to Stories (view on slashdot.org)

Web of Trust, Downloaded 140M Times, Pulled From Extension Stores After Revelations That It Sells Users' Data (theregister.co.uk)

Posted by msmash on from the shoo-away dept.

According to multiple reports, Web of Trust, one of the top privacy and security extensions for web browsers with over 140 million downloads, collects and sells some of the data of its users -- and it does without properly anonymizing it. Upon learning about this, Mozilla, Google and Opera quickly pulled the extension off their respective extension stores. From a report on The Register: A browser extension which was found to be harvesting users' browsing histories and selling them to third parties has had its availability pulled from a number of web browsers' add-on repositories. Last week, an investigative report by journalists at the Hamburg-based German television broadcaster, Norddeutscher Rundfunk (NDR), revealed that Web of Trust Services (WoT) had been harvesting netizens' web browsing histories through its browser add-on and then selling them to third parties. While WoT claimed it anonymised the data that it sold, the journalists were able to identify more than 50 users from the sample data it acquired from an intermediary. NDR quoted the data protection commissioner of Hamburg, Johannes Caspar, criticising WoT for not adequately establishing whether users consented to the tracking and selling of their browsing data. Those consent issues have resulted in the browser add-on being pulled from the add-on repositories of both Mozilla Firefox and Google Chrome, although those who have already installed the extension in their browsers will need to manually uninstall it to stop their browsing being tracked.

9 of 115 comments (clear)

  1. No big deal by Jack9 · · Score: 2, Insightful

    It was in their terms of service. It's common and benign (most sites do it to some extent without explicitly stating that). I don't understand what else you could imagine the business model was or why this would be surprising.

    --

    Often wrong but never in doubt.
    I am Jack9.
    Everyone knows me.
    1. Re: No big deal by xxxJonBoyxxx · · Score: 4, Insightful

      That's why people pick deceptive names for nasty stuff. For example, "Affordable Care Act" or "Patriot Act"

    2. Re: No big deal by Anonymous Coward · · Score: 2, Insightful

      Or "Telemetry", "Genuine Advantage", "User Experience", "Digital Rights Management", and specially "Privacy Policy".

  2. Lawsuit? by ilsaloving · · Score: 2, Insightful

    Is a class action lawsuit available in such cases? While I can understand that they need to make money, siphoning full browser histories is sketchy. Failing to properly anonymize the data is criminal negligence that can put people at risk of all sorts of things, the least of which being spam and identify theft.

  3. Remember this rule of thumb by tkrotchko · · Score: 2

    Everybody always says the opposite of what they mean.

    If they call themselves the "web of trust", then it means exactly the opposite.

    Real blockers like uBlock Origin don't try so hard to convince you of what they're doing.

    --
    You were mistaken. Which is odd, since memory shouldn't be a problem for you
  4. Re:Free Software Business Model Fail.. by chipschap · · Score: 4, Insightful

    We paid Microsoft for Windows 7 and 8 and they still backported all their telemetry. Unfortunately paying for software is no guarantee of anything.

  5. Known this for some time: with proof. by Chmarr · · Score: 4, Interesting

    I found this very thing out as a result of a email-based survey I'd sent to about 500 people. Here's a copy of the email I'd sent out to those affected:

    -----

    tl;dr version:

    * The “Web of Trust” plugin is highly likely to be sending your browsing history, after it reaches the Web of Trust servers, to advertising companies.

    * It’s likely that they’re _not_ sending personal details, but simply the list of URLs that you visit. This includes “private” urls such as what you received for the survey, but could also include things like the URLs you send when you share files via Dropbox, Hipchat, etc.

    * If you’re not okay with this behaviour, I recommend you un-install the Web of Trust plugin.

    * If you haven’t yet responded to my question of “do you have Web of Trust” installed, I’m still interested in hearing from you.

    Detailed version:

    * Shortly after folk started to respond to the survey, by chance I noticed unusual requests hitting the web server. An hour or two after the flurry of requests that I’d consider normal, I saw another request to _just_ the main URL, all from the same IP address (52.71.155.178), and the same user agent (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25)

    To me, this implies that the supposedly secret URLs were not very secret.

    * The address 52.71.155.178 has a DNS entry "nat-service.aws.kontera.com”. Kontera is an advertising company (remember those “in text” ads with the double underscore? Kontera was one of the players in that), which was bought by Amobee, a market research company. Amobee own the kontera.com domains and likely is related to the above activity.

    * From some research, I discovered that others have seen these requests too, all to private URLs, and that the plugin “Web of Trust” was implicated.

    https://www.abuseipdb.com/chec...
    http://www.liveipmap.com/52.71...

    * I saw 15 of these requests. I contact each of the 15 people and received 11 responses. 9 of the respondents were using the Web of Trust plugin.

    * I don’t know what could explain the other 2. Certainly, Web of Trust can’t be the only company sending Kontera/Amobee data. Unfortunately attempts to replicate the issue for those two users have failed: it may be that Kontera have some kind of limit on how many URLs per domain they’ll probe per time period? I’d certainly want to do that if I wanted to stay under the radar, or thwart further analysis.

    Conclusion:

    Given that 9/11 is far, far above the expected install base of Web of Trust. It is very likely that Web of Trust is indeed forwarding your browser history to at least one advertising company: Kontera/Amobee

    Sharing “non personal information” is not inconsistent with Web of Trust’s privacy policy: they do not consider the URLs you visit to be “personally identifiable information”.

    Response:

    What you do with the sites you visit is up to you. But if you don’t approve of what the company behind the plugin is doing, I suggest you uninstall this plugin. Apart from the risk of “private URLs” becoming non-private, I don’t think there’s any further security risk.

    I am disinclined to make a wide announcement about this, especially not on WoT’s forums. From research, the company readily squashes any criticism against it, and a small but vocal fraction of its users have embarked on attacks against any persons or sites that have raised concerns against WoT’s activity. In many ways, WoT has become an extortion engine, such as offering a paid-for “badge of trust” to remove bad ratings.

    http://mywot.info/

  6. uMatrix + uBlock is all you need by CrashNBrn · · Score: 2
    uMatrix + uBlock covers everything you need, if you are willing to either:

    1) Subscribe to the Block-Lists, or
    2) Troubleshoot site compatibility manually.

    On a site where you need to use both, you allow uMatrix to pass-through what you want fine-grained-control over (e.g. specific scripts, or inline-scripts). Then either:

    1) Allow all of the scripts in uBlock, and selectively block some.
    2) Block all of the scripts in uBlock, and selectively allow some.

  7. Re:Free Software Business Model Fail.. by barc0001 · · Score: 2

    That's the great thing about arguing on the internet, you can twist someone's original statement to make yourself look clever. As I mentioned elsewhere I was talking about companies, not foundations or OSS projects. That said, being a foundation didn't stop Mozilla from selling default search engine placement to Google for a billion dollars over 3 years, now did it? Some may make the argument that would constitute them "selling out their users".