Web of Trust Data Breach: Accident or Money-Grab?

Gavin Phillips 22-11-2016

The Web of Trust browser extension has been silently and forcibly removed by popular web browsers Mozilla Firefox and Google Chrome. German news outlet NDR conducted an independent investigation into Web of Trust’s (WOT) data handling practices, reporting that the widely-used privacy and security extension was collecting and selling user data to third parties.


Breach the Web of Trust

NDR journalists managed to gain access to a massive database containing the browsing history of some 3 million German internet users. The investigation mentioned only one browser extension directly — Web of Trust — but also alluded to data collection issues with a number of other extensions. Nonetheless, the data obtained by the investigation contained over ten billion web addresses.

The number of web addresses in the data is huge, but isn’t the main issue.

Web of Trust Privacy Policy

It’s worth taking a look at the Web of Trust privacy policy to see just what they say about the collection of your data.

The information we collect is aggregated, non-personal non-identifiable information which may be made available or gathered via the users’ use of the WOT Utilities (“Non-Personal Information”). We are not aware of the identity of the user from which the Non-Personal Information is collected. We may disclose or share this information with third parties as specified below and solely if applicable. We collect the following Non-Personal Information from you when you install or use the Product or use the WOT Platform:

  • Your IP address.
  • Your geographic location (e.g., France, Canada, etc).
  • The type of device, operating system and browsers you use.
  • Date and time stamp.
  • Browsing usage, including visited web pages, clickstream data or web address accessed.
  • Browser identifier and user ID.

The WOT Privacy Policy clearly sets out their data collection practices. It continues:


We do not collect from you or share any individually identifiable information, namely information that identifies an individual or may with reasonable effort be used to identify an individual (“Personal Information”) when you install or use the Product. However, we might collect Personal Information solely in the following events:

  • Personal Information that was voluntarily provided by you if and when you contact us, such as your name and email address, provided that such information will be used solely to communicate with and support you, and will not be shared with any third parties.
  • If you become a registered user on the WOT Platform or provide voluntarily Personal Information through the UGC (as defined below) via the various forums, all as detailed below.


What Type of Data?

Web of Trust clearly emphasizes its data collection and anonymization policies. However, NDR found that significant amounts of the data they obtained were not fully anonymized. Furthermore, they managed to identify people by correlating basic information available to them.

For instance, a URL check revealed user IDs for that particular site. These in turn linked directly to the email addresses or individual names of WOT users. This pattern is common for PayPal, Skype, or online airline check-ins.
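The correlation described above can be tested for before a clickstream is shared. The following Python sketch is an added example, not code from WOT, NDR or this article: it audits a pseudonymized browsing log for URLs that carry identity hints, and shows a coarse scrub. The sample records, parameter names and path markers are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample records (pseudonymous ID, visited URL); not real data.
CLICKSTREAM = [
    ("u-1001", "https://news.example/politics/article-17"),
    ("u-1001", "https://airline.example/checkin?booking=ZX81QK&lastname=Mustermann"),
    ("u-1001", "https://pay.example/signin?email=anna.mustermann%40mail.example"),
    ("u-2002", "https://shop.example/search?q=running+shoes"),
    ("u-2002", "https://social.example/profile/jdoe_1984/settings"),
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Assumed names: query parameters and path markers that often carry identity.
ID_PARAMS = {"email", "user", "username", "userid", "uid", "lastname", "name", "login"}
ID_PATH_MARKERS = {"profile", "user", "users", "account"}

def identifiers_in_url(url):
    """Return (kind, value) identity hints found in one URL."""
    parts = urlsplit(url)
    hits = []
    for key, value in parse_qsl(parts.query):  # parse_qsl percent-decodes values
        if EMAIL_RE.fullmatch(value):
            hits.append(("email", value))
        elif key.lower() in ID_PARAMS:
            hits.append((key.lower(), value))
    segments = [unquote(s) for s in parts.path.split("/") if s]
    for marker, following in zip(segments, segments[1:]):
        if marker.lower() in ID_PATH_MARKERS:
            hits.append(("handle", following))
    return hits

def audit(records):
    """Map each pseudonymous ID to the hints its own URLs leak."""
    leaks = defaultdict(list)
    for pseudo_id, url in records:
        leaks[pseudo_id].extend(identifiers_in_url(url))
    return {pid: found for pid, found in leaks.items() if found}

def scrub(url):
    """Keep scheme and host only, dropping the path and query where hints live."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"

if __name__ == "__main__":
    for pid, found in audit(CLICKSTREAM).items():
        print(pid, "->", found)
```

One leaked hint is enough to attach a name to every other URL recorded under the same pseudonymous ID, which is why removing the account identifier alone does not anonymize a browsing history.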

In addition, some data linked directly to police investigations, the sexual preferences of a judge (and numerous other users), and internal financial data for a number of companies, alongside regular searches for drugs, prostitutes, or diseases. This certainly adds to the worry and almost definitely underlines the depth of the data that was stored and sold to third parties.


Only Anonymous

Web of Trust policy maintains that any data collected will be properly anonymized. Additionally, the policy clearly states that collected data will be sold to third parties. This is absolutely no surprise. WOT explained their situation to MakeUseOf in a direct statement.

It always has been, and remains, our intention to inform our users, clearly and accurately, as to what data we collect from them and how it is used. We never intend to collect or share data which can be used to identify our users, and we have developed extensive data cleansing techniques to ensure our users remain anonymous.

After a review of some of the information recently reported and a thorough investigation of facts and circumstances, we now believe that our data cleaning techniques may not have been sufficient to fully anonymize the browsing data WOT users shared with us. While we deployed great effort to remove any data that could be used to identify individual users, it appears that in some cases such identification remained possible, albeit for what may be a very small percentage of WOT users.

We don’t know what that “very small percentage” means. Therefore, we cannot put an exact figure on the number of affected users. Regrettably, the numbers we do have access to don’t allow us to extrapolate a solid figure. While the dataset seen by the reporters only contained German users, it is highly likely that similar databases exist for other regions.

WOT Do I Do?!

WOT appears to be surprised by this revelation. Without details of their anonymization process, it is difficult to draw conclusions as to what went wrong, where, and how. Nonetheless, even a minute number of users may still equate to millions affected.

If the data allows the identification of even a small number of WOT users, we consider that unacceptable, and we will be taking immediate measures to address this matter urgently as part of a full security assessment and review.

At this point, if you haven’t already, head on up to your extensions menu and uninstall Web of Trust from your browser. Furthermore, if you have the Web of Trust mobile app, I would uninstall that, too. It is unlikely to be exempt from the issues facing the browser extension.



Will WOT Be Back?

The Web of Trust extension will indeed return to your browser. I mean, it won’t magically reinstall itself, but you’ll have the option to give WOT a second chance.

We hope to earn back the trust of the community by implementing a set of measures which will ensure that those who prefer not to share their data can easily choose to keep their data private while still participating in the WOT community.

WOT will return with increased user input over exactly what data is collected and sold. It’ll be interesting to see exactly how this impacts their user base. Data breaches like this always rouse, and provide ammo for, champions of open-source software, and rightly so. There are several excellent open-source browser security options you should consider (ignoring Web of Trust, of course. It was a handy tool when I wrote that article!). Furthermore, a short browser security audit would also be worthwhile.

Web of Trust “are now preparing to re-launch an updated version” of its browser extension which “will include the appropriate measures to regain the trust of our users.”


Sounds good, right? But is it too little, too late?

Will you give WOT a second chance? Or has their breach of trust forced your hand? What will you install instead? Let us know your thoughts below!
