The Web of Trust browser extension has been silently and forcibly removed by popular web browsers Mozilla Firefox and Google Chrome. German news outlet NDR conducted an independent investigation into Web of Trust's (WOT) data handling practices, reporting that the widely-used privacy and security extension was collecting and selling user data to third-parties.
Breach the Web of Trust
NDR journalists managed to gain access to a massive database containing the browsing history of some 3 million German internet users. The investigation mentioned only one browser extension directly -- Web of Trust -- but also alluded to data collection issues with a number of other extensions. Nonetheless, the data obtained by the investigation contained over ten billion web addresses.
The number of web addresses in the data is huge, but isn't the main issue.
Web of Trust Privacy Policy
It's worth taking a look at the Web of Trust privacy policy to see just what they say about the collection of your data.
The information we collect is aggregated, non-personal non-identifiable information which may be made available or gathered via the users' use of the WOT Utilities ("Non-Personal Information"). We are not aware of the identity of the user from which the Non-Personal Information is collected. We may disclose or share this information with third parties as specified below and solely if applicable. We collect the following Non-Personal Information from you when you install or use the Product or use the WOT Platform:
- Your IP address.
- Your geographic location (e.g., France, Canada, etc).
- The type of device, operating system and browsers you use.
- Date and time stamp.
- Browsing usage, including visited web pages, clickstream data or web address accessed.
- Browser identifier and user ID.
The WOT Privacy Policy clearly sets out their data collection practices. It continues:
We do not collect from you or share any individually identifiable information, namely information that identifies an individual or may with reasonable effort be used to identify an individual ("Personal Information") when you install or use the Product. However, we might collect Personal Information solely in the following events:
- Personal Information that was voluntarily provided by you if and when you contact us, such as your name and email address, provided that such information will be used solely to communicate with and support you, and will not be shared with any third parties.
-OR-
- If you become a registered user on the WOT Platform or provide voluntarily Personal Information through the UGC (as defined below) via the various forums, all as detailed below.
TO CLARIFY, IF YOU SOLELY USE THE PRODUCT WITHOUT REGISTRATION, WE WILL NOT COLLECT, STORE OR SHARE ANY PERSONAL INFORMATION FROM YOU.
What Type of Data?
Web of Trust clearly emphasize their data collection and anonymization policies. However, NDR found significant amounts of the data they obtained not fully anonymized. Furthermore, they managed to identify people by correlating basic information available to them.
For instance, a URL check revealed user ID's for that particular site. These further linked directly to email addresses, or individual names of WOT users. This example is common for PayPal, Skype, or online airline check-ins.
In addition, some data directly linked to police investigations, the sexual preferences of a judge (and numerous other users), internal financial data for a number of companies, alongside regular searches for drugs, prostitutes, or diseases. This certainly contributes to the worry and almost definitely underlines the depth of the data stored as well as sold to third parties.
Only Anonymous
Web of Trust policy maintains that any data collected will be properly anonymized. Additionally, the policy clearly states that collected data will be sold to third parties. This is absolutely no surprise. WOT explained their situation to MakeUseOf in a direct statement.
It always has been, and remains, our intention to inform our users, clearly and accurately, as to what data we collect from them and how it is used. We never intend to collect or share data which can be used to identify our users, and we have developed extensive data cleansing techniques to ensure our users remain anonymous.
After a review of some of the information recently reported and a thorough investigation of facts and circumstances, we now believe that our data cleaning techniques may not have been sufficient to fully anonymize the browsing data WOT users shared with us. While we deployed great effort to remove any data that could be used to identify individual users, it appears that in some cases such identification remained possible, albeit for what may be a very small percentage of WOT users.
We don't know what that "very small percentage" means. Therefore, we cannot put an exact figure on the number of affected users. Regrettably, the numbers we do have access to don't allow us to extrapolate a solid figure. While the dataset seen by the reporters only contained German users, it is highly likely that similar databases exist for other regions.
WOT Do I Do?!
WOT appears to be surprised by this revelation. Without details of their anonymization process, it is difficult to draw conclusions as to what went wrong, where, and how. Nonetheless, even a minute number of users may still equate to millions affected.
If the data allows the identification of even a small number of WOT users, we consider that unacceptable, and we will be taking immediate measures to address this matter urgently as part of a full security assessment and review.
At this point, if you haven't already, head on up to your extensions menu and uninstall Web of Trust from your browser. Furthermore, if you have the Web of Trust mobile app, I would uninstall that, too. It is unlikely to be exempt from the issues facing the browser extension.
Will WOT Be Back?
The Web of Trust extension will indeed return to your browser. I mean, it won't magically reinstall itself, but you'll have the option to give WOT a second chance.
We hope to earn back the trust of the community by implementing a set of measures which will ensure that those who prefer not to share their data can easily choose to keep their data private while still participating in the WOT community.
WOT will return with increased user input over exactly what data is collected and sold. It'll be interesting to see exactly how this impacts their user base. Data breaches like this always awake and provide ammo for champions of open-source software, and rightly-so. There are several excellent open-source browser security options you should consider (ignoring Web of Trust, of course. It was a handy tool when I wrote that article!). Furthermore, a short browser security audit would also be worthwhile.
Web of Trust "are now preparing to re-launch an updated version" of its browser extension which "will include the appropriate measures to regain the trust of our users."
Sounds good, right? But is it too little, too late?
Will you give WOT a second chance? Or has their breach of trust forced your hand? What will you install instead? Let us know your thoughts below!