Web of Trust caught selling private browsing history of millions (opens in new tab)

(pcmag.com)

41 pointsjaredtking9y ago10 comments

10 comments

9 comments · 5 top-level

kkirsche9y ago· 4 in thread

Thanks for sharing this. This type of behavior is really bothersome and sadly many general internet users probably won't see this post

jaredtkingOP9y ago

There definitely needs to be more awareness about this. Just from a quick read of the WOT forum it seems most users are completely shocked that their data was being sold, even though this is outlined in the WOT terms of service.

Here is what the WOT terms of service say about sharing their users' browsing data:

  The information we collect is aggregated, non-personal non-identifiable information which may be made available or gathered via the users' use of the WOT Utilities ("Non-Personal Information"). We are not aware of the identity of the user from which the Non-Personal Information is collected. We may disclose or share this information with third parties as specified below and solely if applicable. We collect the following Non-Personal Information from you when you install or use the Product or use the WOT Platform:
  
     Your Internet Protocol Address;
     Your geographic location (e.g., France, Canada, etc.);
     The type of device, operating system and browsers you use;
     Date and time stamp;
     Browsing usage, including visited web pages, clickstream data or web address accessed;
     Browser identifier and user ID;

whyever9y ago

Calling it non-identifiable is a lie.

gnicholas9y ago

Yeah, fortunately once this is yanked from the Mozilla store their install rate will drop dramatically. Installing a non-verified extension triggers tons of warnings, and eventually it will only be possible by editing about:config.

You're absolutely right that this needs to be shared out. Many of the things we do in apps on mobile we do via web browsers on a computer. This means that the browser is a single point of convergence for tons of data, and browser plugins can capture this data and monetize it. While it may be possible to monetize purely in an anonymized way (which might not bother some users), some plugins do use individual data to target ads.

I've been asked to insert tracking code into my startup's browser plugin (with a lowly 75k users) for this purpose, and the $$$ was tempting. It would have paid more in a year than we've made off of all our individual paid accounts—plus we wouldn't have had to build a payment infrastructure. We're very pro-privacy, so it was a definite "no" for us, but I can see how other folks might have gone for it.

It's pretty ironic that a company with a name like "Web of Trust" ended up going this route. Hopefully they can pull themselves back from the dark side and earn back their customers' trust.

angry-hacker9y ago

Can you give us the range of $$$ offered for that kind of user amount? Out of Morbid Curiosity.

1 more reply

flashman9y ago

It looks like WOT was capturing browsing activity and selling an 'anonymised' version to other vendors. NDR then purchased some of this data and was able to de-anonymise it by examining the URLs for personally identifying information such as phone numbers and email addresses.

Here's the original report in German: http://www.ndr.de/nachrichten/netzwelt/Nackt-im-Netz-Million...

"Um an die Informationen zu gelangen, haben die NDR Reporter eine Schein-Firma gegründet, die vorgeblich im "Big Data"-Geschäft aktiv ist. Gleich mehrere Firmen zeigten sich bereit, die Web-Daten deutscher Internet-Nutzer zu verkaufen - ein Unternehmen bot die nun ausgewerteten Daten schließlich als kostenlose Probe an."

iMarv9y ago

Everything with extensions is about trust, we recently started developing an extension for our customers to improve their experience with our product. While in theory you could look at the source code from your browser, the only solution for proving that we do not track their data is to publish the extension as an open-source project.

By the way: while testing around with extensions, I happened to realize that Kasperskys safe-form-input thingy does not work at all with other extensions, in fact: everyone can track your passwords, no matter what you do.

jack99y ago

Am I the only one not surprised by this, or frankly not caring?

I thought the business model was obvious and honestly admirable. It's a non-trivial amount of data they are working with. This Non-Personal Information is what almost every website ever, collects at some granularity (even if it's just in apache logs). It's kind of the basis of advertising and one of the only ways to monetize data other than ads eating up the real estate.

cheiVia09y ago

Some details in the Debian bug report:

https://bugs.debian.org/842939

j / k navigate · click thread line to collapse