Don't trust extensions

My browser, the spy: How extensions slurped up browsing histories from 4M users

Have your tax returns, Nest videos, and medical info been made public?

Dan Goodin
Credit: Aurich Lawson / Getty

When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets, we usually trust that the pages we access will remain private. DataSpii, a newly documented privacy issue in which millions of people’s browsing histories have been collected and exposed, shows just how much about us is revealed when that assumption is turned on its head.

DataSpii begins with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that, by Google's account, had as many as 4.1 million users. These extensions collected the URLs, webpage titles, and in some cases the embedded hyperlinks of every page that the browser user visited. Most of these collected Web histories were then published by a fee-based service called Nacho Analytics, which markets itself as “God mode for the Internet” and uses the tag line “See Anyone’s Analytics Account.”

Web histories may not sound especially sensitive, but a subset of the published links led to pages that are not protected by passwords—but only by a hard-to-guess sequence of characters (called tokens) included in the URL. Thus, the published links could allow viewers to access the content at these pages. (Security practitioners have long discouraged the publishing of sensitive information on pages that aren't password protected, but the practice remains widespread.)

According to the researcher who discovered and extensively documented the problem, this non-stop flow of sensitive data over the past seven months has resulted in the publication of links to:

  • Home and business surveillance videos hosted on Nest and other security services
  • Tax returns, billing invoices, business documents, and presentation slides posted to, or hosted on, Microsoft OneDrive, Intuit.com, and other online services
  • Vehicle identification numbers of recently bought automobiles, along with the names and addresses of the buyers
  • Patient names, the doctors they visited, and other details listed by DrChrono, a patient care cloud platform that contracts with medical services
  • Travel itineraries hosted on Priceline, Booking.com, and airline websites
  • Facebook Messenger attachments and Facebook photos, even when the photos were set to be private.

In other cases, the published URLs wouldn’t open a page unless the person following them supplied an account password or had access to the private network that hosted the content. But even in these cases, the combination of the full URL and the corresponding page name sometimes divulged sensitive internal information. DataSpii is known to have affected 50 companies, but that number was limited only by the time and money required to find more. Examples include:

  • URLs referencing teslamotors.com subdomains that aren’t reachable by the outside Internet. When combined with corresponding page titles, these URLs showed employees troubleshooting a “pump motorstall fault,” a “Raven front Drivetrain vibration,” and other problems. Sometimes, the URLs or page titles included vehicle identification numbers of specific cars that were experiencing issues—or they discussed Tesla products or features that had not yet been made public. (See image below)
  • Internal URLs for pharmaceutical companies Amgen, Merck, Pfizer, and Roche; health providers AthenaHealth and Epic Systems; and security companies FireEye, Symantec, Palo Alto Networks, and Trend Micro. Like the internal URLs for Tesla, these links routinely revealed internal development or product details. A page title captured from an Apple subdomain read: "Issue where [REDACTED] and [REDACTED] field are getting updated in response of story and collection update APIs by [REDACTED]"
  • URLs for JIRA, a project management service provided by Atlassian, that showed Blue Origin, Jeff Bezos’ aerospace manufacturer and sub-orbital spaceflight services company, discussing a competitor and the failure of speed sensors, calibration equipment, and manifolds. Other JIRA customers exposed included security company FireEye, BuzzFeed, NBCdigital, AlienVault, CardinalHealth, TMobile, Reddit, and UnderArmour.

Clearly, this is not good. But how did it happen?

The history of Tesla pages being opened.
Trend Micro project management issues from a non-public domain.

The data spy

The term DataSpii was coined by Sam Jadali, the researcher who discovered—or more accurately re-discovered—the browser extension privacy issue. Jadali intended for the DataSpii name to capture the unseen collection of both internal corporate data and personally identifiable information (PII). (Ars has more technical details about DataSpii here.)

As the founder of Internet hosting service Host Duplex, Jadali first looked into Nacho Analytics late last year after it published a series of links that listed one of his client domains. Jadali said he was concerned because those URLs led to private forum conversations—and only the senders and recipients of the links would have known of the URLs or would have the credentials needed to access the discussion. So how had they ended up on Nacho Analytics?

An ad for Nacho Analytics.

Jadali suspected that the links were collected by one or more extensions installed on the browsers of people viewing the specialized URLs. He forensically tested more than 200 different extensions, including one called "Hover Zoom"—and found several that uploaded a user's browsing behavior to developer-designated servers. But none of the extensions sent the specific links that would later be published by Nacho Analytics.

Sam Jadali Credit: Donald Carlton
Still curious how Nacho Analytics was obtaining these URLs from his client’s domain, Jadali tracked down three people who had initial access to the published links. He correlated time stamps posted by Nacho Analytics with the time stamps in his own server logs, which were monitoring the client’s domain. That’s when Jadali got the first indication he was on to something; two of his three users told him they had viewed the leaked forum pages with a browser that used Hover Zoom.
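The correlation step Jadali describes, matching a third party's publication timestamps against his own server logs to find which visitor's browser leaked a link, is a routine piece of log forensics. The following Python is an added example written for this article (it is not Jadali's tooling, and the log lines, URLs, IP addresses and timestamps are constructed). It assumes Apache combined-format access logs and a published feed of (UTC timestamp, URL) pairs, and it reports two things a site owner would want: the client that viewed each leaked page shortly before it was published, and any client that fetched the page after publication.

```python
import re
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Constructed Apache combined-format log lines (not from any real server).
SERVER_LOG = """\
203.0.113.5 - - [10/Jan/2019:14:02:11 +0000] "GET /forum/thread/8f3a9c HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2019:14:02:12 +0000] "GET /static/app.css HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2019:15:40:03 +0000] "GET /forum/thread/8f3a9c HTTP/1.1" 200 5120 "-" "python-requests/2.21"
192.0.2.44 - - [10/Jan/2019:16:10:45 +0000] "GET /forum/thread/1c77e2 HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

# Constructed entries in the shape a third-party analytics feed might publish.
PUBLISHED = [
    ("2019-01-10T14:03:20Z", "https://forum.example.test/forum/thread/8f3a9c"),
    ("2019-01-10T16:12:00Z", "https://forum.example.test/forum/thread/1c77e2"),
    ("2019-01-10T18:00:00Z", "https://forum.example.test/forum/thread/deadbe"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse_log(text):
    """Parse combined-format lines into dicts with aware datetimes; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append({"ip": m["ip"], "ts": ts, "path": m["path"], "ua": m["ua"]})
    return events

def _parse_pub_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def correlate(published, events, window=timedelta(minutes=5)):
    """For each published URL, collect requests for the same path that arrived within
    `window` BEFORE publication (the browser visit must precede the upload), earliest first."""
    results = []
    for pub_ts_s, url in published:
        pub_ts = _parse_pub_ts(pub_ts_s)
        path = urlsplit(url).path
        cands = [e for e in events
                 if e["path"] == path and timedelta(0) <= pub_ts - e["ts"] <= window]
        cands.sort(key=lambda e: e["ts"])
        results.append({"url": url, "published": pub_ts, "candidates": cands})
    return results

def first_seen_by(results):
    """Map each published URL to the IP of the earliest qualifying pre-publication request."""
    return {r["url"]: (r["candidates"][0]["ip"] if r["candidates"] else None)
            for r in results}

def post_publication_visitors(published, events, window=timedelta(hours=3)):
    """Requests for a leaked path that arrive AFTER publication: the audience the leak
    created, which the site owner may want to block or watch."""
    out = []
    for pub_ts_s, url in published:
        pub_ts = _parse_pub_ts(pub_ts_s)
        path = urlsplit(url).path
        for e in events:
            if e["path"] == path and timedelta(0) < e["ts"] - pub_ts <= window:
                out.append((path, e["ip"], e["ua"]))
    return out

if __name__ == "__main__":
    ev = parse_log(SERVER_LOG)
    for url, ip in first_seen_by(correlate(PUBLISHED, ev)).items():
        print(f"{url} -> first viewed by {ip}")
    for path, ip, ua in post_publication_visitors(PUBLISHED, ev):
        print(f"post-publication fetch of {path} from {ip} ({ua})")
```

Two design points: the pre-publication window must be short enough to discriminate between visitors but long enough to cover the delay between a page view and the extension's upload (Jadali observed publication within hours, so in practice the window is tuned to the observed lag), and a published URL with no pre-publication request in the logs (the third entry above) is itself a signal, since it means the link reached the feed without passing through this server, for example from a cached copy or a different host.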

Web searches such as this one have reported the extension’s earlier history of data collection. Suspicious that Hover Zoom might be doing the same thing again, Jadali set out to more rigorously test the extension.

He set up a fresh installation of Windows and Chrome, then used the Burp Suite security tool and the FoxyProxy Chrome extension to observe how Hover Zoom behaved. This time, though, he found no initial sign of data collection, so he remained patient. Then, he said, after more than three weeks of lying dormant, the extension uploaded its first batch of visited URLs. Within a couple of hours, he said, the visited links, which referenced domains controlled by Jadali, were published on Nacho Analytics. Soon after, each URL was visited by a third party that often went on to download the page contents.

Jadali eventually tested browser extensions for Firefox and also set up test machines running both macOS and the Ubuntu operating system. In the end, he said, the extensions that he found to have collected browsing histories that later appeared on Nacho Analytics include:

  • Fairshare Unlock, a Chrome extension for accessing premium content for free. (A Firefox version of the extension, available here, collects the same browsing data.)
  • SpeakIt!, a text-to-speech extension for Chrome.
  • Hover Zoom, a Chrome extension for enlarging images.
  • PanelMeasurement, a Chrome extension for finding market research surveys.
  • Super Zoom, another image extension for both Chrome and Firefox. Google and Mozilla removed Super Zoom from their add-ons stores in February or March, after Jadali reported its data collection behavior. Even after that removal, the extension continued to collect browsing behavior on the researcher’s lab computer weeks later.
  • SaveFrom.net Helper, a Firefox extension that promises to make Internet downloading easier. Jadali observed the data collection only in an extension version downloaded from the developer. He did not observe the behavior in the version that was previously available from Mozilla’s add-ons store.
  • Branded Surveys, which offers chances to receive cash and other prizes in return for completing online surveys.
  • Panel Community Surveys, another app that offers rewards for answering online surveys.

While Jadali can’t be certain how Nacho Analytics obtained URLs for pages that can only be accessed by people authorized by companies like Apple, Tesla, Blue Origin, or Symantec, the most likely explanation is that one or more of them had a browser with an affected extension. Jadali has confirmed with four affected companies that employees did, in fact, have one or more of the extensions installed. Palo Alto Networks also confirmed to Ars that browsers inside its network used an affected extension. All five companies have since removed the extensions. Google, citing violations to its terms of service, has also removed the six extensions it hosted in its Chrome Web Store.

Ars contacted a small sample of affected companies, including Apple, Symantec, FireEye, Palo Alto Networks, Trend Micro, Tesla, and Blue Origin. Symantec, Trend Micro, and Palo Alto Networks were the only ones who provided a comment.

Symantec's statement read: "We want to thank the researcher for alerting us to this issue and sharing his findings. We have taken immediate steps to remediate this issue." Trend Micro officials said: "Trend Micro appreciates being made aware of this and has remedied the issue." A Palo Alto Networks representative wrote: "On the day we were notified of the issue, Palo Alto Networks deleted the browser extensions and blocked the outbound traffic associated with the add-on extensions to prevent any further potential impact."

Investigating DataSpii over the past six months has eclipsed Jadali’s full-time job and much of his personal life.

Jadali said the new vocation has so far cost him nearly $30,000 in personal expenses, since the research is not tied to his responsibilities at Host Duplex. Jadali estimates that about 60% of the cost has been in fees from Nacho Analytics. The rest has been for travel and for various consultants.

“It became my number one priority,” he said. “Almost as if it was out of my control.”

Reading the fine print

Principals with both Nacho Analytics and the browser extensions say that any data collection is strictly "opt in." They also insist that links are anonymized and scrubbed of sensitive data before being published. Ars, however, saw numerous cases where names, locations, and other sensitive data appeared directly in URLs, in page titles, or by clicking on the links.

The privacy policies for the browser extensions do give fair warning that some sort of data collection will occur. The Fairshare Unlock policy, for example, says that the extension “collects your digital behavior data and shares it with 3rd parties to enable better survey targeting and other market research activities.” (This and other policies mentioned in this article were recently taken down.)

The collected information expressly includes “URLs visited, data from URLs loaded and pages viewed, search queries entered, social connections, profile properties, contact details, usage data, and other behavioral, software, and hardware information.” At the same time, the policy promises that Fairshare will take steps to anonymize the data.

“For our primary use-case of research, PII scrubbers attempt to remove all personally identifiable information before analysis and archiving,” the Fairshare Unlock policy states. “Individual users are regularly re-assigned randomly generated identifiers which, when combined with PII scrubbing, provides anonymity.”

Privacy policies for SpeakIt!, PanelMeasurement, Hover Zoom, Panel Community Surveys, and Branded Surveys contain language that’s largely identical to that cited above. Savefrom.net’s policy also makes clear it will collect the “URL of the particular Web page you visited.” (The policy for Super Zoom is no longer available.) Below are images that some of the extensions display when being installed:

Hover Zoom permissions.
Speak It! permissions.

Nacho Analytics, for its part, has this to say in a YouTube promotion, which starts out asking "Is this legal?"

Yes, it’s 100 percent legal and completely complies with google’s terms of service. We aren’t actually hacking google or anyone’s google analytics account, though it might seem that way. Instead we are gathering data from millions of opt in users, individuals from around the world that agreed to share their browsing data anonymously. Nacho analytics scrubs this data so all personal information is deleted and so it’s GDPR compliant. This type of data gathering is far from a new innovation. On the contrary, it’s kind of how the Internet runs.

(GDPR is a reference to the strict General Data Protection Regulation that went into effect in the European Union 26 months ago. The video was removed from YouTube after this post went live.)

Jadali's research found that Fairshare Unlock, PanelMeasurement, SpeakIt!, Hover Zoom, Branded Surveys, and Panel Community Surveys did redact some information on end users' computers before sending it to the developer-designated servers. But he said that an examination of data packets sent to the servers and links published on Nacho Analytics makes it clear that not all types of sensitive information were removed. Redaction seemed to happen only when Web developers use certain query string parameters in their URLs.

When a URL designated a surname with the parameter "lastname," extensions replaced the name with asterisks. This redaction failed when URLs used less standard parameter names such as "passengerLastname." Credit: Sam Jadali

As the image above shows, strings that used "lastname=x" seemed to successfully cause last names to be replaced with asterisks. Strings that used "passengerLastName=y," however, were not removed. None of Jadali's research shows that Super Zoom or SaveFrom.net Helper performed any redactions at all.
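The redaction behaviour described above, a scrubber that only recognises parameter names it has been told about, is easy to reproduce, and doing so makes the failure mode concrete. The Python below is an added example written for this article, not code from any of the extensions or from Nacho Analytics, and the URLs, names and domain are constructed. It places a scrubber keyed on exact parameter names beside one that also matches name fragments and value patterns, then measures which constructed secrets each one lets through.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample URLs with invented names on a reserved example domain.
SAMPLE_URLS = [
    "https://example.test/checkin?firstname=Jane&lastname=Doe&pnr=ABC123",
    "https://example.test/itinerary?passengerFirstName=Jane&passengerLastName=Doe",
    "https://example.test/share?recipient=jane.doe%40example.test&token=1234abcd",
    "https://example.test/profile?ssn=123-45-6789",
]
# Values that must never survive redaction; used to score each scrubber.
SECRETS = ["Jane", "Doe", "jane.doe", "123-45-6789"]

def _rewrite_query(url, should_redact):
    """Rebuild the URL with every query value for which should_redact(name, value)
    is true replaced by asterisks; path and fragment are left untouched."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, "***" if should_redact(k, v) else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned, safe="*")))

# Scrubber 1: exact-match list of parameter names. This mirrors the behaviour the
# article describes: "lastname" is caught, "passengerLastName" is not.
EXACT_NAMES = {"firstname", "lastname", "email", "ssn", "phone"}

def redact_by_exact_name(url):
    return _rewrite_query(url, lambda k, v: k in EXACT_NAMES)

# Scrubber 2: case-insensitive fragment match on the parameter name, plus pattern
# checks on the value itself, so a secret is still caught when the parameter has
# an unexpected name such as "recipient".
NAME_FRAGMENTS = ("name", "mail", "ssn", "phone", "addr")
VALUE_PATTERNS = [
    re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),  # e-mail address
    re.compile(r"^\d{3}-\d{2}-\d{4}$"),         # US Social Security number
]

def redact_by_name_and_value(url):
    def suspicious(k, v):
        return (any(f in k.lower() for f in NAME_FRAGMENTS)
                or any(p.match(v) for p in VALUE_PATTERNS))
    return _rewrite_query(url, suspicious)

def leaked(redactor, urls=SAMPLE_URLS, secrets=SECRETS):
    """Return the constructed secrets that still appear after redaction."""
    out = []
    for u in urls:
        r = redactor(u)
        out.extend(s for s in secrets if s in r and s not in out)
    return out

if __name__ == "__main__":
    for name, fn in (("exact-name", redact_by_exact_name),
                     ("name-and-value", redact_by_name_and_value)):
        print(f"{name}: leaked {leaked(fn)}")
        for u in SAMPLE_URLS:
            print("   ", fn(u))
```

The second scrubber closes the specific gap in the screenshot, but it is not a fix for the underlying problem: a person's name is free text with no recognisable shape, so any value the collector has not anticipated (a name in a path segment, in a search query, or under a parameter name that contains none of the fragments) passes through untouched. That is why redaction performed after collection cannot substitute for not collecting the URL in the first place.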

What's more, some links published by Nacho Analytics contain what appear to be the personal information of real people. Examples of such personal information included passenger names in links from airline Southwest.com, pick-up and drop-off locations of people using the Uber.com website (but not the phone app) to hail rides, and email addresses from Apple's password reset service. While Jadali redacted sensitive information from the following screenshots, none of it was removed from the links published by Nacho Analytics.

What's more, even when the URLs published by Nacho Analytics removed names, social security numbers, or other sensitive information, clicking on the links often led to pages that revealed the same redacted information.

Meet the DataSpii players

DDMR

Google’s Chrome Web Store lists the developer of PanelMeasurement as DDMR.com with a mailing address in Walnut, California. The store doesn’t identify the developer of Fairshare Unlock, Hover Zoom, SpeakIt!, or Super Zoom, but the privacy policy for Fairshare Unlock also lists DDMR.com and the same Walnut, California, mailing address in a Contact Us section. The policies for Hover Zoom, SpeakIt!, and Panel Community Surveys also contain language and organization almost identical to those for the PanelMeasurement and Fairshare Unlock extensions.

Another link to DDMR: domains that received browsing data from all eight of the extensions resolved to the same two IP addresses—54.160.162.145 and 52.54.192.223. This page from SSL Labs, a research project by security firm Qualys, shows that 54.160.162.145 is tied to a security certificate belonging to DDMR domain ddmr.com (viewers first must click the "click here to expand" for certificate #2).

This LinkedIn profile lists Christian Rodriguez as the founder and CEO of DDMR. A 2015 article—reporting an earlier round of data collection by Chrome extensions—identifies Rodriguez as working in business development for Fairshare Labs. Fairshare Labs’ contact page lists the same Walnut, California, mailing address.

Rodriguez told me that Fairshare Labs is an abandoned project and that Fairshare Unlock is no longer actively developed (although he said it does continue to receive security and GDPR compliance updates). He pointed to the bottom of this page, which he said provides "very clear, pre-installation disclosure to users."

Rodriguez described DDMR as a "passive metering technology company" that provides market research companies with "passive metering browser extensions that they distribute to their research panelists." He went on to write in an email:

Our customers are responsible for recruiting end-users into their panels and directing them to our landing pages.

It is our responsibility to (1) ensure that we provide end-users with clear disclosure of what data is collected and how it is used, and (2) receive appropriate consent. Once consent is given, we collect the behavioral data, scrub it for sensitive information like phone numbers, social security numbers, credit card numbers, and email addresses, and then make it available to market researchers to use in their research.

If it is brought to our attention that sensitive information is leaking, we immediately take action to improve our filters and eliminate that data from our dataset.

Responsible use of behavioral data allows market researchers and the companies they serve to build better products and experiences for consumers, but it is necessary to recognize the value of this data in the context of its potentially sensitive nature.

He declined to say if Nacho Analytics was a customer, business partner, or had any other relationship with DDMR.

Nacho Analytics

Nacho Analytics, meanwhile, promises to let people “see anyone’s analytics account” and to provide “Real-Time Web Analytics For Any Website.” The company charges $49 per month, per domain, to monitor any of the top 5,000 most widely trafficked websites, although certain domains—including those for Google, YouTube, Facebook, and others—aren’t available for monitoring. For sites below this premium threshold, it costs $49 per month to monitor one domain, $99 per month for up to five domains, and $149 per month for up to 10 domains.

Once someone signs up, Nacho Analytics uses a Google-provided programming interface to deliver data to a Google Analytics account designated by the user. Ars installed several extensions identified by Jadali, visited sites with long pseudorandom strings in their URLs, and then observed Nacho Analytics populating those unique URLs into the designated Google Analytics page.

A second one. Both are viewed using a browser that has four DataSpii extensions installed.
Both pages are soon published.

The previously mentioned video promoting Nacho Analytics on YouTube says that the service is “100-percent legal and completely complies with Google’s terms of service.” The video also asserts that the Nacho Analytics service is "GDPR compliant."

In an interview, Nacho Analytics founder and CEO Mike Roberts reiterated that the service is fully GDPR compliant and that the millions of people whose data is collected have expressly agreed to this arrangement.

“You absolutely do” click an agree button, Roberts said of all users whose data is published. What's more, he said, "we spend quite a bit of time processing every URL that we see to remove all the personally identifiable information." Ars has confirmed that in many cases, the URLs published by Nacho Analytics have had names, Social Security numbers, and other personal information removed. However, Ars was also able to find numerous instances of names and other personal information remaining in published URLs.

A Nacho Analytics video called "FAQ: Is This Legal?" It was removed after this article went live.

Roberts said that he was unaware Nacho Analytics published links to webpages hosting tax returns, Nest Videos, car buyer information, and an extensive amount of other personally identifiable information. Nacho Analytics already excludes domains for Google, Facebook, YouTube, and many other services out of privacy concerns, he said, and may exclude others.

"Your report is personally disturbing to me–and [publishing sensitive data] is definitely not the purpose of Nacho Analytics," he said. "We work hard to remove personally identifiable information from URLs and page titles, and exclude sites with serious security issues. When we learn of a new issue, we have a system to remove it immediately. We’ve stopped all new sign-ups for Nacho until we can get more information on this issue. If you give me a list of the sites that have these issues, we’ll immediately disable those sites and work on a permanent solution."

He also pushed back on the idea that Nacho Analytics had ever been used by customers to harvest sensitive information. Jadali, he claimed, was the only one who had done so. (He also claimed that Jadali had violated Nacho Analytics' terms of service in doing the research.)

"Jadali looked at hundreds of websites, only a tiny fraction of which any legitimate Nacho Analytics customer ever viewed," he said. "In fact, none of the sites with the issues you’ve made me aware of have been viewed by any legitimate Nacho Analytics customer."

But Roberts defended the basic practice of publishing links that, when clicked, lead to private data—so long as that data isn't viewable in the URL itself as published by Nacho Analytics.

He put it this way:

Those pages are available. It’s just that you didn’t know how to discover them. This is just something that you’re now able to see that you weren’t able to see before. But we’re not creating a loophole. There’s no backdoor or anything. We’re just showing links that you didn’t know about before and maybe weren’t indexed, but they do exist...

That link by obfuscation thing, I don’t like it. I wish it didn’t exist because I definitely don’t want to be enabling anybody to do anything bad, only good. I’m trying to create good things in the world. And there’s the opportunity there for some people to do some damage.

Roberts said he was also unaware that Nacho Analytics was publishing links and page titles from the non-public, internal networks of companies. But, while he questioned the analytics value of this data, he didn't necessarily think publishing it was a bad thing.

"I don’t think I personally see much value in it," he said. "But just because a company may want to keep it private, I’m not sure that’s where the best value is."

He said he had never heard of any of the extensions that Jadali had identified as collecting data that later ended up on Nacho Analytics, but he declined to identify any software that collects end-user browsing data, nor would he name any companies that Nacho Analytics works with to obtain this data. (In a later email, he clarified that the data "comes from third-party data brokers. We certainly didn’t invent the method of data collection.")

"Using Nacho to look at private information or to try to hack into websites is an explicit violation of our terms of use," Roberts added. "[Nacho is] a marketing product that puts small businesses and entrepreneurs on a level playing field with large corporations that have and will continue to have access to this type of data."

"Honestly, I think you have the wrong villain here."

On July 8, five days after Google remotely disabled the extensions Jadali had reported, Roberts said on Twitter that Nacho Analytics "had an upstream data outage." A day later, Roberts said Nacho Analytics' "data partner has ended operations." Shortly after that, the Nacho Analytics front page said the service was "halting all access to any potentially sensitive data."

One of many Nest.com URLs leaked by DataSpii. Ars has redacted faces, computer and video screens, and posters.

DataSpii and the law

Despite the data collection disclosures and the fact that the companies make efforts to scrub personal information from the results, it’s clear that DataSpii published highly sensitive data. What remains unanswered is whether any of the individual parties involved breached any legal or contractual obligations. One issue clouding such questions is the murky relationship between the browser extension makers and Nacho Analytics.

“We know the end is not good,” Eric Goldman, a Santa Clara University law professor specializing in Internet issues, told Ars. “Now how did we get there, and who do we blame? We might never get a clear answer to any of that because we don’t even know exactly who did what to whom.” He continued:

There are a lot of disclosures in the Fairshare privacy policy that say: ‘We’re going to do some things that on reflection you probably shouldn’t agree to.’ But do they say enough to describe the exact chain of data flows? I don’t think we’ll ever be able to answer without having proof of those data flows.

Another complication: even if an extension user fully consented to having her browsing history collected and shared, does that consent extend to third parties whose sensitive information is viewed by the consenting user and subsequently published? Ultimately, Goldman said, lawyers would need to have much more information before they could say if anyone did anything wrong in the eyes of the law.

He added:

Even if you can get the users’ consent to gather all the URLs that they visit, is that still an ethical choice? Because it will sweep up personal information, and it will pick up information from third parties who never consented, and there’s nothing that can be done to avoid either of those two outcomes.

Whitney Merrill, a privacy and security attorney who previously worked at the Federal Trade Commission, largely echoed Goldman's assessment.

"It’s hard to say any one actor is the main contributor to what seems like a very unethical practice," she said. The issue arises, instead, from a whole ecosystem of companies.

Falling down the rabbit hole

The number of browsers shown to use each extension has varied over the past six months, in part because browser makers took action after learning about DataSpii.

In February, after Jadali reported the Super Zoom data collection to Mozilla and Google, both organizations removed the extension from their add-ons offerings. Jadali’s version of Firefox even displayed a notification that Super Zoom was being “disabled due to security or stability issues.”

As for the two more recently discovered Firefox extensions collecting data—Savefrom.net and Fairshare Unlock—they were available only on developer websites. At the time this post went live, both were still available on those third-party sites. As mentioned earlier, Jadali found no evidence that a version of Savefrom.net that was (but is no longer) available from Mozilla collected data.

Beginning on July 3—about 24 hours after Jadali reported the data collection to Google—Fairshare Unlock, SpeakIt!, Hover Zoom, PanelMeasurement, Branded Surveys, and Panel Community Surveys were no longer available in the Chrome Web Store. Installations of all six of those extensions were also remotely disabled on Jadali's lab computers, a move that, after more than six months, finally curtailed the data collection.

A notice that appeared on Jadali's lab computer on July 3.

While the notices say the extensions violate the Chrome Web Store policy, they make no mention of data collection nor of the publishing of data by Nacho Analytics. The toggle button in the bottom-right of the notice allows users to "force enable" the extension. Doing so causes browsing data to be collected just as it was before.

“We want Chrome extensions to be safe and privacy-preserving, and detecting policy violations is essential to that effort," company officials said in a statement. "Recently, we announced technical changes to how extensions work that will mitigate or prevent this behavior, and new policies that improve user privacy."

In response to follow-up questions from Ars, a Google representative didn't explain why these technical changes failed to detect or prevent the data collection they were designed to stop. Ars also asked twice if company officials planned to notify Chrome users that their browsing data was collected and published by extensions that Google hosted. The representative said that Google had nothing else to add.

Credit: Sam Jadali

But removing an extension from an online marketplace doesn't necessarily stop the problems. Even after the removals of Super Zoom in February or March, Jadali said, code already installed by the Chrome and Firefox versions of the extension continued to collect visited URL information. Below is a screenshot showing Nacho Analytics publishing a visit by one of Jadali's Firefox browsers running Super Zoom (“ext=SZ&brow=FF" means that the extension is Super Zoom and the browser is Firefox) on February 23—15 days after Mozilla removed the extension.

Credit: Sam Jadali

Eventually, the data collection performed by the Firefox version of Super Zoom stopped, at least on the computers Jadali was testing. But the Chrome version of Super Zoom continued to collect the data, months after Google removed it from the Chrome Web Store. The collection only stopped in early July, around the same time that Google remotely disabled the other extensions Jadali reported. As noted earlier, Google also disabled the other extensions, but it continues to give users the option to re-enable them.

Jadali gives Mozilla credit for eventually preventing the data collection and for providing this explanation, even if it is vague and requires infected users to actively find it. In the end, he said, he would prefer that Mozilla and Google be more explicit about the data collection—and make remote disabling a standard practice for extensions that are caught collecting sensitive information.

“They need to remotely deactivate this from people’s computers and let people know why,” he said of both companies. “Removal [from the store] is completely insufficient in this case.”

Readers who want to ensure they're not running any of the data-collecting extensions in Chrome should navigate to Extensions by typing chrome://extensions into their browser's address bar. (Depending on the version of Chrome, extensions can also be found in either the Tools or Window menus, or by clicking on the three dots in the upper right-hand corner of the browser and choosing More Tools.) Readers will then find a page like the one below that displays all installed extensions.

Firefox extensions, meanwhile, can be accessed by selecting "Add-ons" from the Tools menu. This will bring up a screen that looks like:

In light of the research showing the collection of browsing data, Ars recommends that users strongly consider permanently removing the following extensions:

  • Fairshare Unlock
  • SpeakIt!
  • Hover Zoom
  • PanelMeasurement
  • Super Zoom
  • SaveFrom.net Helper
  • Branded Surveys
  • Panel Community Surveys

Unwanted extensions can be removed by clicking the remove button. It's not a bad idea to remove any other extensions that users don't recognize or use often. Given the problematic history of browser extensions, it makes sense to be extra cautious about installing any of them.
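For anyone checking more than one machine, the same inventory can be taken from disk rather than by clicking through chrome://extensions. The Python below is an added example written for this article (not a tool from Google, Mozilla or Jadali). It assumes Chrome's on-disk layout of one directory per extension ID containing one directory per installed version with a manifest.json inside, resolves Chrome's localised "__MSG_key__" names through the extension's _locales/<default_locale>/messages.json, and flags the eight names listed above; the default profile paths it tries are the usual locations for a standard install and are an assumption, and the two extensions it builds for its self-test are constructed fixtures with invented IDs.

```python
import json
import sys
import tempfile
from pathlib import Path

# The eight extensions named in the article, compared case-insensitively
# against the display name in each extension's manifest.
FLAGGED_NAMES = {
    "fairshare unlock", "speakit!", "hover zoom", "panelmeasurement",
    "super zoom", "savefrom.net helper", "branded surveys", "panel community surveys",
}

def extension_name(version_dir):
    """Display name from manifest.json, resolving the __MSG_key__ localisation form
    through _locales/<default_locale>/messages.json when that file exists."""
    manifest = json.loads((version_dir / "manifest.json").read_text(encoding="utf-8"))
    name = manifest.get("name", "")
    if name.startswith("__MSG_") and name.endswith("__"):
        key = name[len("__MSG_"):-2]
        locale = manifest.get("default_locale", "en")
        msg_file = version_dir / "_locales" / locale / "messages.json"
        if msg_file.is_file():
            messages = json.loads(msg_file.read_text(encoding="utf-8"))
            # Message keys are matched case-insensitively.
            entry = {k.lower(): v for k, v in messages.items()}.get(key.lower())
            if entry and "message" in entry:
                name = entry["message"]
    return name

def inventory(extensions_root):
    """Return (extension_id, version, display_name) for every unpacked extension
    found under <extensions_root>/<id>/<version>/manifest.json."""
    root = Path(extensions_root)
    found = []
    if not root.is_dir():
        return found
    for ext_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        for version_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            if (version_dir / "manifest.json").is_file():
                found.append((ext_dir.name, version_dir.name, extension_name(version_dir)))
    return found

def flagged(extensions_root):
    """Subset of the inventory whose display name matches one of the eight extensions."""
    return [e for e in inventory(extensions_root) if e[2].strip().lower() in FLAGGED_NAMES]

def build_sample_profile(root):
    """Constructed fixture, not a real profile: two extensions with invented IDs,
    one of them using a localised name so the __MSG_ path is exercised."""
    root = Path(root)
    a = root / "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" / "1.0.0"
    (a / "_locales" / "en").mkdir(parents=True)
    (a / "manifest.json").write_text(json.dumps(
        {"manifest_version": 2, "name": "__MSG_appName__", "version": "1.0.0", "default_locale": "en"}))
    (a / "_locales" / "en" / "messages.json").write_text(json.dumps({"appName": {"message": "Hover Zoom"}}))
    b = root / "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb" / "2.3.1"
    b.mkdir(parents=True)
    (b / "manifest.json").write_text(json.dumps(
        {"manifest_version": 2, "name": "Tab Manager", "version": "2.3.1"}))
    return root

def demo():
    """Scan the constructed profile and return what was installed and what was flagged."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        return {"installed": sorted(n for _, _, n in inventory(tmp)),
                "flagged": sorted(n for _, _, n in flagged(tmp))}

def default_extensions_dir():
    """Usual default-profile locations for a standard Chrome install (an assumption)."""
    home = Path.home()
    if sys.platform.startswith("win"):
        return home / "AppData" / "Local" / "Google" / "Chrome" / "User Data" / "Default" / "Extensions"
    if sys.platform == "darwin":
        return home / "Library" / "Application Support" / "Google" / "Chrome" / "Default" / "Extensions"
    return home / ".config" / "google-chrome" / "Default" / "Extensions"

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else default_extensions_dir()
    for ext_id, version, name in inventory(target):
        mark = "FLAGGED" if name.strip().lower() in FLAGGED_NAMES else "       "
        print(f"{mark} {ext_id} {version} {name}")
```

Run it with no argument to scan the default profile, or pass the path of another profile's Extensions folder. Two caveats follow from the article: the scan reports what is unpacked on disk, and an extension Google has remotely disabled is still present there (its enabled state lives in the profile's preferences, and the "force enable" toggle brings it straight back), so a flagged hit should be followed by removal, not just by checking that it is switched off; and Firefox keeps its add-ons in a different form inside its own profile directory, so this script does not cover the Firefox versions of Fairshare Unlock, Super Zoom or SaveFrom.net Helper.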

Two of the eight extensions identified by Jadali—Hover Zoom and SpeakIt!, with 800,000 and 1.4 million users respectively—have been reported collecting user data before. Hover Zoom (which sometimes is spelled HoverZoom) first prompted privacy concerns no later than 2013, when users observed it engaging in a wide range of unsafe behaviors, including injecting code into visited pages and sending browsing habits to developer-designated servers.

In 2015, security researchers at Sweden-based Detectify reported that both Hover Zoom and SpeakIt!—along with 10 other Chrome extensions—harvested sensitive user data, including complete browsing histories, authentication cookies used to access user accounts, and OAuth credentials. As was the case with DataSpii, the Detectify researchers said, the tracked browsing histories were being openly sold on an analytics service, although the report didn’t identify it. Google, Detectify reported, responded by removing or disabling Hover Zoom and seven other reported extensions.

In 2017, researchers identified 212 Chrome extensions with 8 million users that tracked browsing behavior. One of them was SpeakIt!. Google didn't explain why it allowed Hover Zoom and SpeakIt! into the Chrome Web Store following these previous reports.

A systemic problem

DataSpii results from the way that many different individual Internet components work together. The extensions that collect browsing data in a way that's invisible to the naked eye are one key player. So too is Nacho Analytics, which published millions and millions of page links and titles, sometimes in a way that revealed personal information and internal business data.

But other participants are the individual websites—and the people using them—that were swept up by DataSpii. In many cases, webpages stored tax returns, videos, and other sensitive information that could be accessed without a password or other form of authentication. The privacy of these "links by obfuscation," as Nacho Analytics' Roberts calls them, completely breaks down when the URLs are collected and published.

There's also the issue of personal data being embedded into URLs. In February, the security firm Wandera documented a variety of airline e-ticketing systems that needlessly exposed passengers' sensitive data, including first and last names, email addresses, and passport numbers. DataSpii reveals not only how widespread this practice is; it also shows the real-world dangers posed by it.

DataSpii may also provide lessons for developers and users of project management tools and other software that's used by businesses. One possibility is to redesign apps to prevent sensitive information from leaking out of page titles.
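The two failure modes described in the preceding paragraphs, capability tokens that stand in for authentication ("links by obfuscation") and personal data placed in URLs or page titles, can both be found by auditing the links and titles an application generates before an extension ever sees them. The following audit is an added example, not code from the article or from any of the services it names. It flags query parameters with credential-like names, values or path segments that look like random secrets (length plus Shannon entropy), parameter names that carry personal data, and email addresses in URLs or titles. All sample URLs and titles use the reserved example.test domain and are constructed for the example; the entropy threshold of 3.5 bits per character is an assumption that separates typical hex or base64 tokens from ordinary words.

```python
"""Audit URLs and page titles for secrets or personal data that would leak
if the browsing history were published. Added example; sample inputs are
constructed and the entropy threshold is an assumed heuristic."""
import math
import re
from urllib.parse import parse_qsl, unquote, urlsplit

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
# Parameter names that commonly carry a capability token in "secret links".
SECRET_PARAM_NAMES = {"token", "key", "auth", "sig", "signature", "access_token", "share", "code"}
# Parameter names that commonly carry personal data (airline-style e-ticketing).
PII_PARAM_NAMES = {"email", "passport", "ssn", "dob", "lastname", "firstname", "name"}
ENTROPY_THRESHOLD = 3.5   # assumed: bits per character, above ordinary words


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or constant string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_secret(value):
    """A long run of URL-safe characters with high entropy, e.g. a hex or base64 token."""
    return (len(value) >= 20
            and re.fullmatch(r"[A-Za-z0-9_\-=.~%]+", value) is not None
            and shannon_entropy(value) >= ENTROPY_THRESHOLD)


def audit_url(url):
    """Return a list of human-readable findings for one URL (empty if clean)."""
    findings = []
    parts = urlsplit(url)
    if EMAIL_RE.search(unquote(url)):        # decode %40 so jane%40... is seen
        findings.append("email address in URL")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        lname = name.lower()
        if lname in SECRET_PARAM_NAMES or looks_like_secret(value):
            findings.append(f"capability token in query parameter '{name}'")
        if lname in PII_PARAM_NAMES:
            findings.append(f"personal data in query parameter '{name}'")
    if any(looks_like_secret(seg) for seg in parts.path.split("/")):
        findings.append("capability token in path segment")
    return findings


def audit_title(title):
    """Page titles travel with the URL in extension telemetry; check them too."""
    findings = []
    if EMAIL_RE.search(title):
        findings.append("email address in page title")
    if any(looks_like_secret(tok) for tok in title.split()):
        findings.append("capability token in page title")
    return findings


# Constructed samples (example.test is a reserved domain; tokens are invented).
SAMPLE_URLS = [
    "https://files.example.test/share/9f3c1b7a2e4d5f6081a2b3c4d5e6f708?view=1",
    "https://booking.example.test/checkin?lastname=Doe&passport=X1234567&email=jane%40example.test",
    "https://app.example.test/projects/42/tasks",
    "https://cam.example.test/clip?access_token=AbCdEfGhIjKlMnOpQrStUvWxYz0123456789",
]
SAMPLE_TITLES = [
    "Tax Return 2018 - jane@example.test - OneDrive",
    "Project board",
]


def audit_urls(urls):
    """Map each URL to its findings."""
    return {u: audit_url(u) for u in urls}


if __name__ == "__main__":
    for url, found in audit_urls(SAMPLE_URLS).items():
        print(url, "->", found or "clean")
    for t in SAMPLE_TITLES:
        print(repr(t), "->", audit_title(t) or "clean")
```

A clean result does not make a link safe to share, since a URL such as /projects/42/tasks still reveals which project exists; it only means the link carries no credential and no personal data that would be exposed by the URL itself. Links that trip the capability-token check are the ones where, as the article explains, privacy "completely breaks down" once the URL is collected, and they are the candidates for moving behind real authentication.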

The biggest lesson of all, though, is this: under the current system, individuals and businesses must spend much more time and resources scrutinizing the powerful browser extensions they want to install. DataSpii makes clear that up to now, browser extensions haven't been a big enough part of the security threat modeling process that individuals and organizations must perform to develop and maintain effective security hygiene.

The current system for vetting browser extensions doesn't necessarily protect your data. In the current environment, the most prudent approach is to install extensions sparingly, if at all.

"Every time you allow a browser extension to be installed, you're opening up the door to unknown outcomes," said Goldman, the Santa Clara law professor. "It's unfortunate that the ecosystem has got this inherent lack of trust that discourages all of us from taking advantage of the value that comes from browser extensions. Why can’t we trust the browser makers to ensure that the extensions aren’t bringing along unwanted payloads? We need them to do that work because they’re the best deputies to protect users. And unfortunately we can’t."

Listing image: Aurich Lawson / Getty

Dan Goodin Senior Security Editor
Dan Goodin is Senior Security Editor at Ars Technica, where he oversees coverage of malware, computer espionage, botnets, hardware hacking, encryption, and passwords. In his spare time, he enjoys gardening, cooking, and following the independent music scene. Dan is based in San Francisco. Follow him at @dangoodin on Mastodon. Contact him on Signal at DanArs.82.