Google’s Chrome browser isn’t exactly known for its privacy protections. Google has also been accused of leveraging its monopoly to interfere with web standards and has, understandably, fought tooth and nail to stop the use of ad blockers on its browser and across the web. “Understandably,” because Google doesn’t make money from selling its browser, it makes money through advertising.
Perversely, Chrome users may be justified in expecting Google to at least protect their private data from third parties. Google collects this data for its own purposes, so it seems reasonable to expect it to protect its spoils from others. Recent revelations have shattered even that illusion, though.
At the very end of 2024, it was revealed that at least 35 Chrome extensions—many coming from reputable developers—were compromised, potentially exposing the data of over 2.6 million users. This is a very concrete example of the risks involved in installing Chrome extensions: Chrome may well be secure (even if not private), but extensions can effectively undermine that security.
Incogni’s researchers analysed the privacy risk posed by “AI-powered” Chrome extensions, using various metrics to develop a ranking. They focused on extensions claiming some sort of connection to so-called AI partly because of the incredible boom this niche is experiencing. The “AI Chrome extension” market was valued at $1.5 billion in 2023 and is projected to reach $7.8 billion in value by 2031.
With growth like this and very few checks and balances in place, the stage is set for potential abuse. And with personal data said to be worth more than crude oil, any abuse is likely to be focused on harvesting user data. Raising awareness of the risks is a crucial first step towards reining in sectors of the market like this one.
To this end, Incogni’s researchers analyzed a subset of 238 so-called AI Chrome extensions to estimate the privacy risk associated with each one. To do this, they employed five key metrics: the data collected by these extensions, the permissions required, the sensitive permissions required, the “risk impact,” and the “risk likelihood.”
Also read:
•
How Long Will Big Tech Companies Take to Pay Off Billions in Fines?
•
Your Old Device Is A Goldmine: 26% of Americans Skip Wiping Data Before Recycling
Information concerning the data collected by these extensions is based on self-reporting by the extensions’ publishers, so it’s safe to assume that these numbers may even be higher in reality. Collected data points fell into one of nine categories: personally identifiable information (PII), financial and payment information, authentication information, personal communications, location data, web history, user activity, website content, and health information.
Permissions required included only those permissions that the extensions requested at the time of installation, they can always request additional permissions during updates. So, again, these numbers represent the minimum number of permissions that these extensions can require. Permissions fell into one of two categories: sensitive permissions and non-sensitive permissions. It’s the sensitive ones that represent the greater risk, so they were weighted more heavily in determining the rankings.
The numbers of data points collected were also weighed more heavily in Incogni’s calculations: they and the numbers of sensitive permissions required were multiplied by a factor of 2 to reflect the outsized privacy threats they represent.
The “risk impact” and “risk likelihood” metrics were taken from Chrome-Stats. Risk impact speaks to the damage an extension could do if it was turned against its users, whether by the current owner, a new owner or a malicious third party. It’s based on the number of permissions required. Risk likelihood is an attempt at quantifying the probability that an extension turns malicious. It’s based on an analysis of each extension’s and publisher’s reputation on Google’s Chrome Web Store.
So an extension with a high risk impact and low risk likelihood could do a lot of damage—for example by exposing a lot of personal information—but isn’t likely to do so, given its publisher’s reputation on the Chrome Web Store. But as the recent Chrome-extension hacks have shown, even a legitimate, reputable extension publisher can have its extension compromised.
Image: Incogni
Looking at Incogni’s ranking of just the most popular extensions (those with user bases of at least 2 million people each), we can see the outsize effect that data collected and sensitive permissions have on privacy risk.
The most and third-most privacy-invasive popular “AI-powered” Chrome extensions in Incogni’s study—“DeepL: AI translator and writing assistant” and “Sider: ChatGPT Sidebar + GPT-4o, Claude 3.5, Gemini 1.5 & AI Tools”—each required four sensitive permissions. “DeepL: AI translator and writing assistant” required, among others, the scripting and webRequest permissions, potentially allowing the extension to inject code into websites and intercept, block, and modify requests in flight. “Sider: ChatGPT Sidebar + GPT-4o, Claude 3.5, Gemini 1.5 & AI Tools” (yes, that’s all one name) required, among others, the sensitive all_urls permission, which can allow this extension to run on all pages the user’s browser opens.
The second-most privacy-invasive popular extension, “AI Grammar Checker & Paraphraser – LanguageTool,” collects 5 data points and requires two sensitive permissions: scripting and activeTab. The activeTab permission grants extensions temporary access to the currently active browser tab.
Head of Incogni, Darius Belejevas, had this to say:
Our web browsers have become like mini operating systems in and of themselves—there’s so much we do in our browsers, whether on websites or through web apps, that they’ve become both critical and invisible to us at the same time. Browsers vary a lot in how well they respect users’ privacy, but all the major browsers are reasonably secure when it comes to protecting user data from third parties. That is, until users start effectively bypassing security measures by installing add-ons or extensions that require excessive or risky permissions.
Adding:
Our latest research shows how even a secure browser like Chrome can expose users’ personal information to third parties if special care isn’t taken when installing extensions. AI extensions might be particularly risky simply because they’re so popular right now, and most are new-to-market, making assessing their trustworthiness more difficult. There’s also the sad fact that even the most trustworthy extensions can be compromised by bad actors.
Incogni’s full analysis (including public dataset) can be found here.
Read next:
• Navigating the Future: How Small Businesses Are Investing in Technology for Growth
• Projected Growth in Tech Sectors: Blockchain And AI Drive Massive Expansion Through 2030
• Is Your Diet Speeding Up Aging? The Must-Know Vitamins for a Healthier Life
by Irfan Ahmad via Digital Information World
