Browser extensions are a huge privacy risk


This morning, I logged on after having a coffee and read this column over on The Washington Post about how Chrome and Firefox extensions are selling out their users' data, which is a fascinating tale of the price of "free" in web browsers:

Some extensions have a side hustle in spying. From a privileged perch in your browser, they pass information about where you surf and what you view into a murky data economy. Think about everything you do in your browser at work and home — it’s a digital proxy for your brain.

Browser extensions are incredibly powerful and nobody seems to realize just how much access they are often able to grab. Have you ever bothered to read the permission pop-ups when adding one to your browser? I'd hazard a guess that the answer is no—yet these permissions are much more powerful than we'd ever allow on our phones.

Two particular permissions in Chrome are incredibly broad, but often required to actually enable useful functionality. One in particular, which many ad-blockers and site-enhancing tools use, allows extensions to 'read and change all your data on the websites you visit'—without it, they couldn't do their job, but there appears to be little policing about how that's actually used vs what the developer says they're doing.

Many extensions start their lives as innocuous tools doing useful things for people, like allowing the ability to zoom images when hovering over them, or enhancing a particular website's poor layout. But, as they amass hundreds of thousands of users and look to monetize their tools, the most obvious choice is selling the data they have access to.

The worst thing about this is once the extension is on your machine, it can often update silently to add extra scripts or tracking without permission, provided the right API was used when it was first approved. What's crazy to me is that people are suspicious that Facebook is accessing their phone's microphones for advertising, but it's likely often scarier than that: scooping up data en masse right from your browser.

Google and Firefox do 'curate' their extension stores, often revoking the rights of add-ons abusing their platforms, which removes them from user machines. But they don't really proactively vet them, either, with an incredible number of documented cases where the companies only pull dodgy extensions after news organizations point them out.

Web browsing activity is so personal and the permissions involved are blunt instruments, which don't give you or me proper control over what's going on. Google is working on a way to resolve this by restricting its APIs to not allow direct access to browsing habits—but developers have pushed back on it, despite privacy benefits for users.

Browser extensions are a privacy disaster waiting to happen, even if many of them are useful, and we need better tooling in general to understand what's going on behind the scenes. It will require a compromise, and I'm not sure there's enough motivation to change it.

Until then, check what extensions you're using! If you aren't sure about one, and it's absolutely not necessary, remove it! The risk just isn't worth it.
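One way to do that check beyond eyeballing the list: the 'read and change all your data on the websites you visit' prompt corresponds to all-sites match patterns in an extension's manifest.json, so a short script can flag which installed extensions request them. This is an added example, not code from the column or from any browser vendor; the function names and sample manifests are constructed for illustration, and the directory you pass to `audit` is assumed to be your profile's extensions folder.

```python
import json
from pathlib import Path

# Match patterns that cover every site; Chrome surfaces these as
# "Read and change all your data on the websites you visit".
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def broad_host_patterns(manifest: dict) -> list[str]:
    """Return the all-sites match patterns a manifest requests."""
    found = set()
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        found.update(p for p in manifest.get(key, [])
                     if isinstance(p, str) and p in ALL_SITES)
    # Content scripts are injected into every page their "matches" cover.
    for script in manifest.get("content_scripts", []):
        found.update(m for m in script.get("matches", []) if m in ALL_SITES)
    return sorted(found)

def audit(extensions_dir) -> dict[str, list[str]]:
    """Map extension name -> broad patterns for each manifest.json under a directory."""
    report = {}
    for path in sorted(Path(extensions_dir).rglob("manifest.json")):
        try:
            manifest = json.loads(path.read_text(encoding="utf-8-sig"))
        except (OSError, ValueError):
            continue  # unreadable or malformed manifest: skip rather than crash
        if not isinstance(manifest, dict):
            continue
        patterns = broad_host_patterns(manifest)
        if patterns:
            report[manifest.get("name", str(path.parent))] = patterns
    return report

# Constructed sample manifests (not real extensions).
SAMPLE_V2 = {"manifest_version": 2, "name": "Image Zoom Sample",
             "permissions": ["storage", "<all_urls>"]}
SAMPLE_V3 = {"manifest_version": 3, "name": "Layout Fixer Sample",
             "permissions": ["storage"],
             "host_permissions": ["https://example.com/*"],
             "content_scripts": [{"matches": ["https://example.com/*"], "js": ["fix.js"]}]}
SAMPLE_CS = {"manifest_version": 3, "name": "Injector Sample",
             "content_scripts": [{"matches": ["*://*/*"], "js": ["inject.js"]}]}

if __name__ == "__main__":
    for m in (SAMPLE_V2, SAMPLE_V3, SAMPLE_CS):
        print(m["name"], "->", broad_host_patterns(m) or "site-scoped only")
```

An extension that shows up in the report is not necessarily misbehaving; it is one whose access is wide enough that you should decide whether you still need it.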

Tab Dump

Have we reached peak podcasting?
The answer is no, not at all, but we have reached the point where throwing together a crappy show won't cut it—and there aren't that many creators putting in enough effort.

WeWork's co-founder has cashed out $700M from his company ahead of IPO using loans
Everything is fine and totally normal.....yup.

Microsoft's earnings are in and it
$33.7B in revenue, a big jump up year-over-year, all driven by 'cloud.' Unfortunately, since they don't break out Azure and Office from that number, it's not particularly insightful. The Xbox hardware business, however, shrank 48% as we reach the end of a generation of hardware.

Good read: How Amazon Go, the 'cashierless store', has become the company's most ambitious research project