
Web of Trust, Downloaded 140M Times, Pulled From Extension Stores After Revelations That It Sells Users' Data (theregister.co.uk) 115

According to multiple reports, Web of Trust, one of the top privacy and security extensions for web browsers with over 140 million downloads, collects and sells some of the data of its users -- and it does so without properly anonymizing it. Upon learning about this, Mozilla, Google and Opera quickly pulled the extension off their respective extension stores. From a report on The Register: A browser extension which was found to be harvesting users' browsing histories and selling them to third parties has had its availability pulled from a number of web browsers' add-on repositories. Last week, an investigative report by journalists at the Hamburg-based German television broadcaster, Norddeutscher Rundfunk (NDR), revealed that Web of Trust Services (WoT) had been harvesting netizens' web browsing histories through its browser add-on and then selling them to third parties. While WoT claimed it anonymised the data that it sold, the journalists were able to identify more than 50 users from the sample data it acquired from an intermediary. NDR quoted the data protection commissioner of Hamburg, Johannes Caspar, criticising WoT for not adequately establishing whether users consented to the tracking and selling of their browsing data. Those consent issues have resulted in the browser add-on being pulled from the add-on repositories of both Mozilla Firefox and Google Chrome, although those who have already installed the extension in their browsers will need to manually uninstall it to stop their browsing being tracked.

  • No big deal (Score:2, Insightful)

    by Jack9 ( 11421 )

    It was in their terms of service. It's common and benign (most sites do it to some extent without explicitly stating that). I don't understand what else you could imagine the business model was or why this would be surprising.

    • by Anonymous Coward

      But...but it was called "Web of Trust"! I trusted it!

    • who says it's benign? ask a cat if swallowing a canary is benign, see what it says. there are so many astroturfers around........but just it's your world too jack, you too have to live in what you help create.
      • meow?

      • by Jack9 ( 11421 )

        People have a reasonable choice to not use WOT (regardless of the stores pulling it or not). I didn't have to read the TOS (this isn't a new method or even scheme for data monetization). In this way, it's similar to finding a hilt-less blade. I chose not to possibly hurt myself by using it because I've seen it before (yahoo toolbar anyone?).

        Apple, Google, Oracle, IBM, this is basic digital advertising 101 stuff. They all have some api to read your cookie and pull your information via api, you just don'

    • by EvilSS ( 557649 )
      Normally I would agree. Collecting aggregated, anonymous data, and informing the users of such, isn't always a big deal. But in this case it sounds like the data most certainly wasn't anonymous enough since the reporters were able to identify individual users from the data they acquired. That is a big deal.
  • Lawsuit? (Score:3, Insightful)

    by ilsaloving ( 1534307 ) on Tuesday November 08, 2016 @03:31PM (#53239911)

    Is a class action lawsuit available in such cases? While I can understand that they need to make money, siphoning full browser histories is sketchy. Failing to properly anonymize the data is criminal negligence that can put people at risk of all sorts of things, the least of which being spam and identity theft.

    • No.

      The details would easily be a multi-page article in and of itself, but the short answer is that the legal system is nowhere near a point where any of this could be called "criminal negligence". Just to give you a jumping off point, in the spectrum of culpability there needs to exist a legally defined "reasonable expectation", currently in the realm of your personal information, there's next to nothing in the form of what is legally the minimum a reasonable person would do to protect it. In fact, your perso

  • Seriously folks, don't do addons.

    You can only trust the trusted. Not stuff that runs on them.

    • Seriously folks, don't do computers.

      You can only trust the trusted. Not stuff that runs on them.

      How can you trust an operating system you haven't read the code of yourself? How can you trust chips running firmware you haven't read the code to? How do you know the precious metals in the hardware weren't mined using slave labor in Africa? How do you know the computer companies you bought it from aren't paying lobbyists to oppose your interests?

      Hell, look up "Reflections on Trusting Trust." You could read and u

  • by tkrotchko ( 124118 ) on Tuesday November 08, 2016 @03:34PM (#53239937) Homepage

    Everybody always says the opposite of what they mean.

    If they call themselves the "web of trust", then it means exactly the opposite.

    Real blockers like uBlock Origin don't try so hard to convince you of what they're doing.

    • doublespeak and big brother are the reality in this age, as well as paid liars posting fake comments and content. but spying cuts both ways, at the end of the day no one has exclusive technology. there is no reason for there to be any back room politics anymore, no more secret meetings and secret deals. the old question used to be "who watches the watchers?" the answer has become clear, "the watched watch the watchers". eventually all this spying capability will be used against those doing the spying.
  • by Chmarr ( 18662 ) on Tuesday November 08, 2016 @03:42PM (#53240009)

    I found this very thing out as a result of an email-based survey I'd sent to about 500 people. Here's a copy of the email I'd sent out to those affected:

    -----

    tl;dr version:

    * The “Web of Trust” plugin is highly likely to be sending your browsing history, after it reaches the Web of Trust servers, to advertising companies.

    * It’s likely that they’re _not_ sending personal details, but simply the list of URLs that you visit. This includes “private” urls such as what you received for the survey, but could also include things like the URLs you send when you share files via Dropbox, Hipchat, etc.

    * If you’re not okay with this behaviour, I recommend you un-install the Web of Trust plugin.

    * If you haven’t yet responded to my question of “do you have Web of Trust” installed, I’m still interested in hearing from you.

    Detailed version:

    * Shortly after folk started to respond to the survey, by chance I noticed unusual requests hitting the web server. An hour or two after the flurry of requests that I’d consider normal, I saw another request to _just_ the main URL, all from the same IP address (52.71.155.178), and the same user agent (Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 (KHTML, like Gecko) Version/8.0 Safari/600.1.25)

    To me, this implies that the supposedly secret URLs were not very secret.

    * The address 52.71.155.178 has a DNS entry “nat-service.aws.kontera.com”. Kontera is an advertising company (remember those “in text” ads with the double underscore? Kontera was one of the players in that), which was bought by Amobee, a market research company. Amobee own the kontera.com domains and likely is related to the above activity.

    * From some research, I discovered that others have seen these requests too, all to private URLs, and that the plugin “Web of Trust” was implicated.

    https://www.abuseipdb.com/chec... [abuseipdb.com]
    http://www.liveipmap.com/52.71... [liveipmap.com]

    * I saw 15 of these requests. I contacted each of the 15 people and received 11 responses. 9 of the respondents were using the Web of Trust plugin.

    * I don’t know what could explain the other 2. Certainly, Web of Trust can’t be the only company sending Kontera/Amobee data. Unfortunately attempts to replicate the issue for those two users have failed: it may be that Kontera have some kind of limit on how many URLs per domain they’ll probe per time period? I’d certainly want to do that if I wanted to stay under the radar, or thwart further analysis.

    Conclusion:

    Given that 9/11 is far, far above the expected install base of Web of Trust, it is very likely that Web of Trust is indeed forwarding your browser history to at least one advertising company: Kontera/Amobee

    Sharing “non personal information” is not inconsistent with Web of Trust’s privacy policy: they do not consider the URLs you visit to be “personally identifiable information”.

    Response:

    What you do with the sites you visit is up to you. But if you don’t approve of what the company behind the plugin is doing, I suggest you uninstall this plugin. Apart from the risk of “private URLs” becoming non-private, I don’t think there’s any further security risk.

    I am disinclined to make a wide announcement about this, especially not on WoT’s forums. From research, the company readily squashes any criticism against it, and a small but vocal fraction of its users have embarked on attacks against any persons or sites that have raised concerns against WoT’s activity. In many ways, WoT has become an extortion engine, such as offering a paid-for “badge of trust” to remove bad ratings.

    http://mywot.info/ [mywot.info]

    • Just out of curiosity, I checked the web server logs for this user agent on 3 servers that I administer, and indeed I found a number of accesses using this user agent on all 3 of them (but in our case unfortunately none that are obviously not public knowledge). The most frequent IP (91 accesses) using this user agent was 52.71.155.178 and this is indeed nat-service.aws.kontera.com. This was followed ex aequo by 54.209.60.63 (also nat.aws.kontera.com) and 99.63.100.174 (99-63-100-174.lightspeed.bcvloh.sbcglo
      • by Chmarr ( 18662 )

        Blocking that /12 will unfortunately block hundreds of thousands of "perfectly legitimate" sites... essentially anyone deigning to use AWS. Kontera just happens to be one of the users. No idea about the sbcglobal.net one, though.

        The user agent is probably a perfectly valid one from some version of Safari (version 8.0, I believe), but one the Kontera coders decided to "appropriate" for their crawling software. However, if it _is_ Safari, Safari users will likely have updated their browsers long since afterwa

        • Blocking that /12 will unfortunately block hundreds of thousands of "perfectly legitimate" sites... essentially anyone deigning to use AWS. Kontera just happens to be one of the users.

          Well, it's not as if this was any surprise. The WOT issue has been in the news for several days already, and apparently Amazon has not "deigned" to do anything about it yet. Indeed both still reverse resolve to kontera.com... or did Amazon actually kick Kontera, but just forgot to update their name server?

          When choosing a cloud provider, smart users also consider the provider's reactivity, and his willingness to protect his legitimate customers' reputation and Amazon indeed seems to be lacking in this ar
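The log check described in the comments above, as an added example that is not part of the original thread: it scans access-log lines for per-recipient URLs that were first fetched by one client and later re-fetched by a different IP using the user agent quoted in the comment, and counts those hits per source IP. The combined log format, the `/survey/` prefix, the tokens, the visitor IPs and the function names are assumptions made for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# User agent and crawler IP are the ones quoted in the comment; the rest is constructed.
WATCHED_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.1.25 "
              "(KHTML, like Gecko) Version/8.0 Safari/600.1.25")
# Apache/nginx "combined" access-log format (assumed).
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
                     r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(lines):
    """Yield (ip, timestamp, path, ua) per well-formed line; skip anything else."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            yield m["ip"], ts, m["path"], m["ua"]

def find_replays(lines, watched_ua=WATCHED_UA, prefix="/survey/"):
    """Find per-recipient URLs later re-fetched by another IP using watched_ua."""
    first_seen = {}                      # path -> (ip, ts) of the first visitor
    replays, per_ip = [], Counter()
    for ip, ts, path, ua in sorted(parse(lines), key=lambda r: r[1]):
        if not path.startswith(prefix):
            continue                     # assets and public pages are not secret
        if path not in first_seen:
            first_seen[path] = (ip, ts)
            continue
        orig_ip, orig_ts = first_seen[path]
        if ua == watched_ua and ip != orig_ip:
            per_ip[ip] += 1
            replays.append((path, orig_ip, ip, ts - orig_ts))
    return replays, per_ip

FF = "Mozilla/5.0 (Windows NT 10.0; rv:49.0) Gecko/20100101 Firefox/49.0"
SAMPLE_LOG = [  # constructed log lines; tokens and visitor IPs are made up
    f'203.0.113.7 - - [01/Nov/2016:10:00:02 +0000] "GET /survey/a1b2c3 HTTP/1.1" 200 5120 "-" "{FF}"',
    f'203.0.113.7 - - [01/Nov/2016:10:00:03 +0000] "GET /static/survey.css HTTP/1.1" 200 812 "-" "{FF}"',
    f'198.51.100.9 - - [01/Nov/2016:10:05:40 +0000] "GET /survey/d4e5f6 HTTP/1.1" 200 5120 "-" "{FF}"',
    f'52.71.155.178 - - [01/Nov/2016:11:32:10 +0000] "GET /survey/a1b2c3 HTTP/1.1" 200 5120 "-" "{WATCHED_UA}"',
    f'203.0.113.7 - - [01/Nov/2016:12:00:00 +0000] "GET /survey/a1b2c3 HTTP/1.1" 200 5120 "-" "{FF}"',
]

if __name__ == "__main__":
    replays, per_ip = find_replays(SAMPLE_LOG)
    for path, orig, crawler, delay in replays:
        print(f"{path}: first seen from {orig}, re-fetched by {crawler} after {delay}")
    print(dict(per_ip))
```

A match only shows that a URL handed to one recipient reached a second party; which software on the recipient's machine passed it on still has to be established separately, as the commenter did by asking the affected users.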

  • by CrashNBrn ( 1143981 ) on Tuesday November 08, 2016 @04:04PM (#53240177)
    uMatrix + uBlock covers everything you need, if you are willing to either:

    1) Subscribe to the Block-Lists, or
    2) Troubleshoot site compatibility manually.

    On a site where you need to use both, you allow uMatrix to pass-through what you want fine-grained-control over (e.g. specific scripts, or inline-scripts). Then either:

    1) Allow all of the scripts in uBlock, and selectively block some.
    2) Block all of the scripts in uBlock, and selectively allow some.

    • Comment removed based on user account deletion
      • Not in Chrome. It will work in Firefox, unless|until they break that feature during their stalwart march to Chrome-Addon compatibility.
      • I doubt any "extension" in Chrome can actually prevent another Addon's internal url requests.
        You would want|need to:
        • 1. unpack the offending addon
        • 2. rip that crap out
        • 3. repack, and
        • 4. load an extension from disk

        In my experience, the Chrome Store (for Chrome) is chock-full of abandoned extensions - that haven't been updated in 3+ years. So not really even any additional work to repeatedly update|merge your changes.

  • Anybody know of an alternative that I can trust? I really like the concept of WoT, I don't use it myself, but for other people it is a great aid to warn them that clicking on a link is safe or not.
