
Show HN: Local Sheriff – Browser extension to show PII leaks to third-parties - kkm
https://github.com/cliqz-oss/local-sheriff
======
pythux
Very nice, and scary at the same time... I feel that too often we consider
that by using some content-blocking extensions (e.g.: uBlock Origin, Privacy
Badger, etc.) we are 100% safe and privacy leakages are a thing of the past.
But from what I understand this is not the case and some PII leakages still
happen. As long as we are not aware of them it's hard or impossible to close
the gap and I guess the first step to improve those tools is bringing more
transparency. Local Sheriff seems to go in the right direction. Thank you for
this work.

From your perspective, how well do the most popular privacy-protection
extensions protect us from the kind of PII leakage identified by Local
Sheriff? And how could we improve those tools to increase the protection?

~~~
kkm
afaik, extensions will not provide you with 100% protection in this case.

It could be for multiple reasons:

1. The 3rd party domain is not on the list:
   a. Could be because the presence is not huge.
   b. The domain is too new, and not available on any lists right now.
2. The user might have whitelisted a 3rd party domain because it breaks some
   component on the web.

They always need to catch-up, so it's a whack-a-mole game.

Along the same lines, a user can also control the referrer. For example, in
Firefox-based browsers you can control (globally) what info should be sent by
the browser itself:
[https://wiki.mozilla.org/Security/Referrer](https://wiki.mozilla.org/Security/Referrer)
But this will also come with some breakage.

Similarly, blocking third-party cookies also does not help, as the leaks in the
telltale URLs will still pass through.

The legit use cases of these third-parties actually do not require the
first-party to share these sensitive details.

1. Google Analytics actually states that in their privacy policy -
   [https://support.google.com/analytics/answer/6366371?hl=en](https://support.google.com/analytics/answer/6366371?hl=en)
2. To load a font from a CDN, I don't see why a company needs to send my
   booking ID and/or token to them. In some cases, the domain might be needed
   but definitely not the booking ID.

So, imo, the websites should take onus when implementing 3rd parties or
at least be transparent about what information is being shared and with whom.
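To make the referrer point concrete, here is an added example (not Local Sheriff's own code) of the kind of check such a tool performs: it collects identifier-looking values from the first-party page URL and flags third-party requests whose URL or Referer carries them. The page URL, the hosts and the request list are constructed sample data, and the eTLD+1 helper is a naive stand-in for a Public Suffix List lookup.

```javascript
// Added example, not Local Sheriff's code. Detects first-party identifiers
// (booking IDs, tokens) that reach third-party hosts via the request URL or
// the Referer header. All hosts and values below are constructed samples.

const MIN_LEN = 6; // shorter values (e.g. "en", "1") are too noisy to flag

function registrableDomain(hostname) {
  // Naive eTLD+1: last two labels. Real code should use the Public Suffix List.
  return hostname.split('.').slice(-2).join('.');
}

function firstPartyIdentifiers(pageUrl) {
  // Candidate secrets: every query value, plus path segments that contain a digit.
  const u = new URL(pageUrl);
  const values = new Set();
  for (const [, v] of u.searchParams) if (v.length >= MIN_LEN) values.add(v);
  for (const seg of u.pathname.split('/'))
    if (seg.length >= MIN_LEN && /\d/.test(seg)) values.add(seg);
  return values;
}

function findLeaks(pageUrl, requests) {
  const firstParty = registrableDomain(new URL(pageUrl).hostname);
  const ids = firstPartyIdentifiers(pageUrl);
  const leaks = [];
  for (const req of requests) {
    const host = registrableDomain(new URL(req.url).hostname);
    if (host === firstParty) continue; // same site: not a third-party leak
    // Both carriers matter: a tracker may copy the page URL into its own
    // query string (often percent-encoded), or the browser sends it as Referer.
    const carriers = { url: req.url, referer: req.referer || '' };
    for (const [via, text] of Object.entries(carriers))
      for (const id of ids)
        if (text.includes(id) || text.includes(encodeURIComponent(id)))
          leaks.push({ thirdParty: host, via, value: id });
  }
  return leaks;
}

// Constructed sample: a booking confirmation page and its outgoing requests.
const PAGE = 'https://travel.example/booking/confirm?bookingId=BK48213&token=s3cr3tT0k3n&lang=en';
const REQUESTS = [
  { url: 'https://fonts.cdn-example.net/css?family=Roboto', referer: PAGE },             // full-URL Referer
  { url: 'https://analytics.example-tracker.com/collect?dl=' + encodeURIComponent(PAGE) }, // page URL in query
  { url: 'https://travel.example/api/status?bookingId=BK48213', referer: PAGE },          // first party, ignored
  { url: 'https://img.cdn-example.net/logo.png', referer: 'https://travel.example/' },     // origin-only Referer: clean
];
```

The fourth request shows what a tightened referrer policy buys: once the browser trims the Referer to the origin, the third party no longer sees the booking ID or token, whereas the second request shows that the page URL copied into a tracker's own query string is unaffected by any referrer or cookie setting.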

~~~
donaltroddyn
Given that this analyses network traffic on the client side, Local Sheriff is
probably playing the same catch-up game that a blocker targeting that same PII
is.

------
kkm
More details on what kind of issues it tries to detect:
[https://threatpost.com/def-con-2018-telltale-urls-leak-pii-t...](https://threatpost.com/def-con-2018-telltale-urls-leak-pii-to-dozens-of-third-parties/134960/)

------
jaxn
Will be interesting to run this on my own app, just to see what various third
parties show up.

~~~
smt88
Uh... shouldn't you already know?

~~~
samstave
Yes, but *every* dev should run this regardless - and should have a badge
system to certify compliance against 3rd party revelatory leakage...

Maybe we should for them PPP: Protectorate of Personal Privacy -- like the
BBB, but rating systems/orgs/apps on their ability to protect PII

------
gcb0
not "Chrome extension" but a "WebExtension"

~~~
AlphaWeaver
Agreed, can we have the title changed to maybe "a browser extension"?

~~~
kkm
Thanks for the suggestion, updated the title.

