SoylentNews is people

posted by janrinok on Saturday November 12 2016, @06:36PM
from the web-of-deceit dept.

Submitted via IRC for TheMightyBuzzard

Web of Trust's browser was pulled for being, well, untrustworthy.

When you include the word "trust" in your internet company's name, you're under more pressure than most to respect the privacy of your customers... and one firm is learning that lesson the hard way. Web of Trust Services' browser add-on has left the extension libraries for Chrome, Firefox and Opera after a German broadcaster's investigation revealed that Web of Trust was collecting and selling users' web histories to third parties. While the company said that it was anonymizing data, that didn't hold up under scrutiny. The broadcaster managed to identify over 50 people from sample data, and uncovered everything from active police investigations to the implied sexual orientation of a judge.

Also, a German data protection commissioner chastised WoT for not doing enough to get the consent of its users (and there are many of them, with 140 million downloads) before gathering and selling info. Moreover, there's evidence that the software can run the code it wants on any web page. There aren't any known in-the-wild exploits, but that's not exactly reassuring.

To its credit, WoT is taking steps to mend its ways. It's reexamining its privacy policy, offering an opt-out for the data you share and revamping the way it 'cleans' data to get rid of potentially identifying info. Its previous approach "may not have been sufficient" to fully anonymize your data, a spokesperson tells The Register. The company is quick to add that only Mozilla pulled the add-on -- WoT says it voluntarily yanked the add-on from the Google and Opera portals to "make appropriate changes."

Source: https://www.engadget.com/2016/11/08/web-of-trust-sold-browser-history/


  • (Score: 2, Insightful) by Anonymous Coward on Saturday November 12 2016, @07:49PM (#426112)

    I mean, anyone with two functioning brain cells can rub them together and figure out that any addon that does a "check" for you of a website you're visiting can and will in fact be able to see the sites you visit, intentionally or not, maybe even the page of the site as well depending on how they do their lookups; it's right there in the server logs. It's the reason all of those old "toolbars" have been flagged as malware by various protection products, they do the exact same shit. Some companies have even made a business out of harvesting the sites people visit (Alexa).

    for instance, the addon works as follows, user installs said addon and visits some sites, the addon makes a separate check during the GET req from your browser to their server, something along the lines of http(?s)://(addon_url)/?lookup=http://page-you-are-on.tld/

    all of that can be harvested from their servers, it has nothing whatsoever to do with the addon itself, and no amount of anonymization in the addon itself can actually prevent that, because you're still sending them your IP, along with the site you are visiting, as well as but not limited to the page you clicked on before, and the specific page you've requested at the time of performing the lookup. so of course advertising companies want to buy that data, it's analytics like anything else, and as we all know, data is money to them. you'd have to be a complete moron to ever use an addon like this unless the company providing said addon was actually paying you to do so.

  • (Score: 1, Informative) by Anonymous Coward on Saturday November 12 2016, @08:22PM (#426121)

    In all honesty, even if you were being paid by them to do so, you'd still be a complete moron to use it. As most likely their little addon will be doing a lot more than what they're paying you for to earn some extra cash on the side.

  • (Score: 2, Informative) by Anonymous Coward on Saturday November 12 2016, @11:11PM (#426150)

    I mean, anyone with two functioning brain cells can rub them together and figure out that any addon that does a "check" for you of a website you're visiting can and will in fact be able to see the sites you visit intentionally or not

    No, it does not. That is the lazy way and obviously lends itself to privacy invasion, but there is at least one privacy preserving method to do the same thing.

    Instead of phoning home for every website you visit (which, BTW, would be damn slow), you just periodically download a database of hashed URLs of known bad sites. Then whenever you load a URL you just hash it and check the local database. Collision handling makes it more complicated, but you can mitigate that - hits in the "bad" list will be rare so if you do get a hit, then you can phone home, give the server the hash and ask it to give you back the full URL from their database and you can compare against that. So the server operator will only know about websites you visit that are in their hash list (and even then they can't be 100% confident it wasn't a collision, only you know for sure).

    You could probably go even further and download the entire database, since it is manually curated it can't be terribly big, maybe 10GB? Just guessing. Might not be suitable for mobile, but on the desktop everybody's got terabyte sized disks nowadays.
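
The local hash-list lookup described in the comment above, as an added example that is not part of the original comment or any real add-on's code. The class names, the 2-byte truncated SHA-256 prefix and the `.example` URLs are assumptions chosen so that a collision can be shown; it simulates both sides in one process to make visible what the server operator gets to log.

```python
import hashlib

PREFIX_BYTES = 2  # assumption: short prefix so collisions are easy to show

def url_hash(url: str) -> bytes:
    """Truncated SHA-256 of the URL (only whitespace is stripped)."""
    return hashlib.sha256(url.strip().encode()).digest()[:PREFIX_BYTES]

class ReputationServer:
    """Holds the curated bad list; query_log is all the operator observes."""
    def __init__(self, bad_urls):
        self.by_hash = {}
        for u in bad_urls:
            self.by_hash.setdefault(url_hash(u), set()).add(u.strip())
        self.query_log = []

    def publish_hashes(self) -> frozenset:
        return frozenset(self.by_hash)      # the periodic bulk download

    def resolve(self, h: bytes) -> set:
        self.query_log.append(h.hex())      # server sees the hash, not the URL
        return self.by_hash.get(h, set())

class Client:
    def __init__(self, server: ReputationServer):
        self.server = server
        self.local_db = server.publish_hashes()

    def is_bad(self, url: str) -> bool:
        h = url_hash(url)
        if h not in self.local_db:          # common case: no request is sent
            return False
        # Rare case: send only the hash, then compare full URLs locally.
        return url.strip() in self.server.resolve(h)

def pick_url(server: ReputationServer, colliding: bool, limit=1_000_000) -> str:
    """Constructed unlisted URL whose hash does / does not hit the bad list."""
    for i in range(limit):
        candidate = f"http://unlisted-{i}.example/"
        if (url_hash(candidate) in server.by_hash) == colliding:
            return candidate
    raise RuntimeError("no suitable URL found")

if __name__ == "__main__":
    srv = ReputationServer(["http://malware.example/payload",
                            "http://phish.example/login"])   # constructed list
    cli = Client(srv)
    for u in (pick_url(srv, False), "http://phish.example/login", pick_url(srv, True)):
        print(u, "->", "BAD" if cli.is_bad(u) else "ok", "| server saw:", srv.query_log)
```

In this simulation the client's IP address is not modelled; a real deployment would still expose it on the bulk download and on each hash query.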