Extension Developers Sell The Data of At Least 6.5 Million Users - And It’s All Completely Legal - LayerX
layerxsecurity.com
Your Extensions Sell Your Data - And It's Perfectly Legal
  • A network of 24 media extensions that are installed on 800,000 users and collected viewing data and demographic information on major streaming platforms such as Netflix, Hulu, Disney+, Amazon Prime Video, HBO, Apple TV, and others
  • 12 separate ad blockers with a combined install base of over 5.5 million users openly selling user data
  • Nearly 50 other extensions, with over 100,000 users in aggregate, that collected and resold users’ browsing data
  • Jiral@lemmy.orgEnglish
    1·
    31 minutes ago

    In the US maybe, I doubt this is legal in the EU. It is most definitely illegal with sensitive data like health data.

  • _haha_oh_wow_@piefed.socialEnglish
    62·
    5 hours ago

    Nobody should still be using Chrome after they killed proper ad blocking. The browser is a legitimate security threat.

    • reksas@sopuli.xyzEnglish
      5·
      1 hour ago

      when i uninstalled chrome long time ago, i immidiately noticed that my pc performance improved. it slows down your computer even if its not on

    • gapa@feddit.nuEnglish
      31·
      1 hour ago

      I use chromium for some sites since i have written an extension that gives me dark mode for all sites. And firefox demands that all extensions have to be signed.

    • Lemmyng@lemmy.worldEnglish
      51·
      3 hours ago

      They killed uBlock Origin. Fortunately uBlock Origin Lite has been working with Cromite, but I’m holding onto my Ungoogled Chromium install with full uBlock Origin till my dying breath.

      • grue@lemmy.worldEnglish
        7·
        2 hours ago

        But why do you love helping Google control web standards, when you could just be using a Mozilla-based browser instead?

        • Lemmyng@lemmy.worldEnglish
          1·
          9 minutes ago

          Now hold up there, pardner! I didn’t mention that I also use IronFox and LibreWolf/Mullvad! And honestly, Cromite has been crashing on me so much that I’ve switched my primary browser to IronFox.

    • fxdave@lemmy.mlEnglish
      31·
      3 hours ago

      Nobody should use any browsers other than servo. But it’s not ready yet 🤷‍♂️

  • DahGangalang@infosec.pubEnglish
    43·
    6 hours ago

    Props to the article for listing some of the extensions.

    Sure do wish they’d list all that they investigated and publish as a “sells data / doesn’t sell data”

  • Exeous@lemmy.worldEnglish
    391·
    6 hours ago

    The largest extensions in the network:

    • Custom Profile Picture for Netflix (200K users)

    • Hulu Ad Skipper (100K)

    • Netflix Picture in Picture (100K)

    • Ad Skipper for Prime Video (60K)

    • Netflix Extended (60K)

    • Stands AdBlocker (3M users) sells browsing data to third parties for “market analytics purposes.”

    •	Poper Blocker (2M users) discloses selling identifiers, browsing activity, behavioral profiles, and inferred sensitive data – including health conditions, religious beliefs, and sexual orientation, all inferred from the URLs you visit.

•	All Block, an ad blocker for YouTube (500K users), sells anonymized data “for analytical and commercial purposes.” Published by an entity called Curly Doggo Limited, based in London.

•	TwiBlocker (80K users) discloses transferring browsing data to third parties who “process or sell it for analytical purposes.”

•	Urban AdBlocker (10K users) routes browsing data and AI conversations through the BiScience data broker.

•	Career.io Job Auto Apply (10K users) states in its policy that it may use personal data collected from your resume to sell to third parties, including data brokers, for targeted advertising and profiling. A job application tool that sells your resume.

•	Dog Cuties (6K users) is a cute dog wallpaper new-tab extension. Confirmed data seller through the Apex Media network.

•	EmailOnDeck (10K users) is a temporary email service – a tool people use specifically when they don’t want to share their real information. Its policy states it may sell, rent, or share its mailing list.

•	Survey Junkie discloses selling URLs visited, clickstream data, and “modeled information” about consumer preferences to market research agencies, ad agencies, and data analytics providers.

    • Dashy New Tab (10K users) has its Chrome Web Store listing marked “does not sell your data.” Its actual privacy policy marks data as “Sold or Shared: Yes.” We believe this is CCPA compliance language for standard analytics, not commercial data sales – which is why we left it out. But the contradiction between the store listing and the privacy policy is real. If a publisher’s own policy says “Sold or Shared: Yes” and the store listing says the opposite, which one should users trust?

  • Dyskolos@lemmy.zipEnglish
    284·
    6 hours ago

    As if chrome users would give a fuck. I mean, they use chrome and probably all else that is google.

    • XLE@piefed.socialEnglish
      4·
      2 hours ago

      People who aren’t experts in privacy and web browsing.

      1.6 million people installed this ad blocker that claims to be open-source, but has no published source code.

      Is it malware? Probably not.

      Is it worth installing? Hell no.

      Oh, and it’s a Firefox extension.

    • BigJohnnyHines@lemmy.caEnglish
      1·
      1 hour ago

      There are a LOT of people out there who honestly have no idea that a website is capable of collecting data. Maybe even the majority. The fact these numbers are not higher is due to most people sticking with defaults rather than them making a privacy decision.