Google is becoming more transparent about how major corporations like Capital One and PayPal harvest consumer data through browser extensions. Within the past week, Google quietly updated its Chrome Web Store to include a “privacy practices” tab for extensions, shining a new light on one of the most aggressive ways that companies have been tracking online behavior. Users willingly install these popular web extensions to their browsers since they provide benefits like applying discount codes while shopping online, but privacy advocates warn that users may not be aware of just how much data they can be giving away.
“You’re essentially allowing an outside entity access to information that you would otherwise consider private within your browsing window,” says Brian Bartholomew, principal security researcher, Kaspersky.
On February 6, Google added a “privacy practices” tab to the Chrome Web Store after Ad Age inquired about the practices of major financial firms that operate browser extensions. Last year, Google promised it would adopt the in-depth labels, but the changes were quietly implemented last week. In response, Google said: “Starting February 6, every extension is able to publicly display its ‘privacy practices’ which use clear visuals and simple language to explain the data they collect and use. We’ve also limited what developers can do with the data they collect.” Google says the timing of the rollout is coincidental.
Companies have been turning to browser extensions to collect user data as other sources run dry, fueled by a privacy backlash and recent legislation. Third-party cookies are increasingly restricted by most popular browsers. Apple sparked a wave of privacy labeling, beginning with new notices in its App Store. Meanwhile, Google is working on a replacement for third-party cookies that complies with guidelines it calls the Privacy Sandbox.
Browser extensions, specialized programs that can be installed into browsers, are in many ways the middle child of ad tech. They provide a trove of personally identifiable user information, but their usage remains niche because they require a user to actively install and consent to their use. They're not as widely used as third-party cookies, yet they are capable of collecting just as much, if not more data, than cookies. Extensions can collect everything from websites visited to keystrokes and mouse clicks, an especially important concern as everything from work to online shopping is done on browsers. By requiring user installation, they’re not considered as invasive as cookies, but users can be unaware of the information they’re trading for discounts and deals.
The capabilities of browser extensions as data-harvesting machines have set off alarm bells among privacy watchdogs.
“Browser extensions have access to essentially everything that’s on your browser screen,” says Ashkan Soltani, former chief technologist for the FTC.
Bartholomew says there aren’t enough warnings about the breadth and scope of information the extensions collect from either the extension or the browser. “There’s nothing in your face saying this is what we’re asking to access. I don’t know if it would come across to the normal internet user," he says. "Most users want cool whizz-bangs. Talking about GDPR and privacy issues, most people don’t really care about that, unfortunately.”