
Web of Trust caught selling private browsing history of millions - jaredtking
http://www.pcmag.com/news/349328/web-of-trust-browser-extension-cannot-be-trusted
======
flashman
It looks like WOT was capturing browsing activity and selling an 'anonymised'
version to other vendors. NDR then purchased some of this data and was able to
de-anonymise it by examining the URLs for personally identifying information
such as phone numbers and email addresses.

Here's the original report in German:
[http://www.ndr.de/nachrichten/netzwelt/Nackt-im-Netz-Million...](http://www.ndr.de/nachrichten/netzwelt/Nackt-im-Netz-Millionen-Nutzer-ausgespaeht,nacktimnetz100.html)

"To get at the information, the NDR reporters founded a shell company that is
ostensibly active in the "Big Data" business. Several companies at once proved
willing to sell the web data of German internet users - one company
ultimately offered the data that has now been analysed as a free sample."

------
kkirsche
Thanks for sharing this. This type of behavior is really bothersome, and sadly
many general internet users probably won't see this post.

~~~
jaredtking
There definitely needs to be more awareness about this. Just from a quick read
of the WOT forum it seems most users are completely shocked that their data
was being sold, even though this is outlined in the WOT terms of service.

Here is what the WOT terms of service say about sharing their users' browsing
data:

    
    
      The information we collect is aggregated, non-personal non-identifiable information which may be made available or gathered via the users' use of the WOT Utilities ("Non-Personal Information"). We are not aware of the identity of the user from which the Non-Personal Information is collected. We may disclose or share this information with third parties as specified below and solely if applicable. We collect the following Non-Personal Information from you when you install or use the Product or use the WOT Platform:
      
         Your Internet Protocol Address;
         Your geographic location (e.g., France, Canada, etc.);
         The type of device, operating system and browsers you use;
         Date and time stamp;
         Browsing usage, including visited web pages, clickstream data or web address accessed;
         Browser identifier and user ID;

~~~
whyever
Calling it non-identifiable is a lie.
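
The point made in this subthread and in flashman's summary above (a "non-identifiable" clickstream stops being one as soon as a URL carries an email address or phone number) can be checked before a dataset leaves the building. The following is an added example, not part of the original thread and not WOT's code: a Python audit that redacts identifiers in URL paths and query values and reports how many rows each leaked pseudonymous ID ties together. The patterns, function names and sample rows are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Deliberately broad patterns: for an export audit, over-redaction is the safe error.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    # 9-15 digits with optional single separators; long numeric IDs also match.
    "phone": re.compile(r"(?<!\d)\+?(?:\d[\s.-]?){8,14}\d(?!\d)"),
}

def scrub(url):
    """Return (url with identifiers redacted, sorted list of identifier kinds found)."""
    parts, found = urlsplit(url), set()

    def clean(text):
        for kind, rx in PATTERNS.items():
            text, n = rx.subn(f"[redacted-{kind}]", text)
            if n:
                found.add(kind)
        return text

    path = "/".join(clean(unquote(seg)) for seg in parts.path.split("/"))
    pairs = parse_qsl(parts.query, keep_blank_values=True)  # values arrive decoded
    query = urlencode([(k, clean(v)) for k, v in pairs])
    # The fragment is dropped rather than inspected.
    return urlunsplit((parts.scheme, parts.netloc, path, query, "")), sorted(found)

def audit(rows):
    """rows: (pseudonymous_id, url) pairs. Returns (scrubbed rows, exposure per ID)."""
    scrubbed, kinds_by_id, rows_by_id = [], {}, {}
    for uid, url in rows:
        clean_url, kinds = scrub(url)
        scrubbed.append((uid, clean_url))
        rows_by_id[uid] = rows_by_id.get(uid, 0) + 1
        if kinds:
            kinds_by_id.setdefault(uid, set()).update(kinds)
    # One identifying URL names the person behind every row sharing that ID.
    exposure = {uid: {"kinds": sorted(k), "rows_linked": rows_by_id[uid]}
                for uid, k in kinds_by_id.items()}
    return scrubbed, exposure

# Constructed sample export; IDs, hosts and identifiers are made up.
SAMPLE = [
    ("u-1001", "https://shop.example/account/jane.doe%40example.com/orders"),
    ("u-1001", "https://clinic.example/appointments?dept=oncology"),
    ("u-1001", "https://news.example/2016/11/01/story"),
    ("u-2002", "https://forum.example/thread/42?page=3"),
    ("u-3003", "https://callback.example/request?tel=%2B49%20151%2012345678&lang=de"),
]
```

Redaction removes the direct identifiers only: the scrubbed rows still share a persistent ID, so the rest of a user's history stays linkable to anyone who can place a single visit.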

------
iMarv
Everything with extensions is about trust; we recently started developing an
extension for our customers to improve their experience with our product.
While in theory you could look at the source code from your browser, the only
solution for proving that we do not track their data is to publish the
extension as an open-source project.

By the way: while testing around with extensions, I happened to realize that
Kaspersky's safe-form-input thingy does not work at all with other extensions,
in fact: everyone can track your passwords, no matter what you do.

------
jack9
Am I the only one not surprised by this, or frankly not caring?

I thought the business model was obvious and honestly admirable. It's a non-
trivial amount of data they are working with. This Non-Personal Information is
what almost every website ever collects at some granularity (even if it's
just in Apache logs). It's kind of the basis of advertising and one of the
only ways to monetize data other than ads eating up the real estate.

------
cheiVia0
Some details in the Debian bug report:

[https://bugs.debian.org/842939](https://bugs.debian.org/842939)

