Lauren's Blog: "Beware the Browser Extensions Privacy Trap!"

["DAVID FARBER" <dfarber () me com>]

Begin forwarded message:

> From: Lauren Weinstein <lauren () vortex com>
> Date: August 2, 2017 at 1:12:58 PM EDT
> To: nnsquad () nnsquad org
> Subject: [ NNSquad ] Lauren's Blog: "Beware the Browser Extensions Privacy Trap!"
>
>
>           Beware the Browser Extensions Privacy Trap!
>
> https://lauren.vortex.com/2017/08/02/beware-the-browser-extensions-privacy-trap
>
>
> There's a story going around currently about a group of researchers
> who claim to have de-anonymized a variety of browser users' search
> data. The fact that proper anonymization of data is a nontrivial task
> is quite well known. Sloppy "anonymization" can be effectively as bad
> as no anonymization at all.
>
> But the interested observer might wonder ... where did these
> researchers get their search data in the first place?
>
> It turns out that the main source of this data are the individuals or
> firms behind third-party browser extensions and apps, which provide or
> sell the user data that they collect to data brokers and to other
> entities.
>
> And so we open up a very big can of worms.
>
> The major browsers (e.g., Google's Chrome) provide various means for
> users to install extensions and applications to extend browser
> functionalities. While the browser firms work extensively to build
> top-notch security and privacy controls into the browsers themselves,
> the unfortunate fact is that these can be undermined by such add-ons,
> some of which are downright crooked, many more of which are sloppily
> written and poorly maintained.
>
> Ironically, some of these add-on extensions and apps claim to be
> providing more security, while actually undermining the intrinsic
> security of the browsers themselves. Others (and this is an extremely
> common scenario) claim to be providing additional search or shopping
> functionalities, while actually only existing to silently collect and
> sell user browsing activity data of all sorts.
>
> The manner in which these apps and extensions end up being installed
> can be insidious, and relates to the fundamental complexity of the
> underlying security models, which are not understood by the vast
> majority of users, especially non-techie users. For the record,
> similar confusion exists regarding smartphone app security models,
> e.g. for Android.
>
> The bottom line is that most users, faced with a prompt to install an
> extension or app that claims to provide useful functions, will simply
> grant the requested permissions, no matter how privacy and/or security
> invasive those permission actually are.
>
> And why should we expect these users to do anything differently?
> Expecting them to really understand what these permissions mean is
> ludicrous. We're the software engineers and computer scientists --
> most users aren't either of these. They have busy lives -- they expect
> our stuff to just work, and not to screw them over.
>
> I recently helped an older Chrome user whom I know clean out their
> Chrome browser on Windows 10. As is routine for me, I used Chrome
> Remote Desktop for this purpose (please see: "Google Asked Me How I'd
> Fix Chrome Remote Desktop -- Here's How!" -
> https://lauren.vortex.com/2017/07/24/google-asked-me-how-id-fix-chrome-remote-desktop-heres-how ).
>
> He must have had 25 or 30 "crap" extensions installed that I needed to
> individually remove (some of which appeared to have been "slave"
> extensions installed by other "master" extensions). He claimed not to
> have knowingly installed any of them. Almost certainly, these were all
> prompted installations at sites he visited once or twice, with which
> he could have easily interacted without installing any of these
> add-ons at all.
>
> But these sites push users very hard to install these
> privacy-invasive, data sucking extensions, and as noted above most
> users will grant requested permissions, implicitly assuming that
> they're protected by the browser itself.
>
> Underlying browser security models can complicate the situation. For
> example, one of the most common -- and most easily abused --
> categories of permissions requested by extensions and apps is one that
> grants read and write access to all data at all websites you visit --
> or even that *plus* all data on your computer!
>
> Now, here's the kicker. While these sorts of permissions are the
> golden ticket for abuse by crooked and sloppy extensions or apps,
> there are many legitimate, well-written add-ons that also require such
> permissions to operate.
>
> But how is the average user to make a reasonable determination in this
> context, faced with a site urging them to install an add-on that is
> being portrayed as necessary? Most users don't have a site reputation
> database at hand for reference -- they just want to get on with what
> they're trying to do online.
>
> I will note here that I know of various corporate environments where
> security policies absolutely prohibit the installation of apps or
> extensions with such broad permissions, with few if any exceptions
> (e.g. unless they're of internal origin and have passed rigorous
> internal security and privacy audits).
>
> I don't have a brilliant "magic wand" solution to this set of
> problems.
>
> Personally, I install as few browser extensions and apps as possible
> unless I am absolutely confident in the reputation of their origins,
> and I absolutely minimize the installation of any add-ons that require
> broad permissions either to websites or the local machines. Sometimes
> there are situations where an app or extensions looks very useful and
> enticing -- but I still need to say "no go" to them the vast majority
> of the time.
>
> One last thing. I urge you to check right now to see what extensions
> and/or apps you have installed, and remove the ones that you don't
> need (or worse, don't even recognize). For most versions of Chrome,
> you can do this by entering on your browser address bar:
>
>    chrome://extensions
>
> and:
>
>    chrome://apps
>
> On the extension list, a little trash can at the right is where you
> click to remove an extension. On the app list page (page select is at
> the bottom of that page), right click to access the menu that includes a
> "Remove from Chrome" entry. On Chrome OS, you may not be able to access
> the app page(s) using the link above. If the link doesn't work in this
> case, click on the white circle in the bottom of screen toolbar to bring
> up the app page.
>
> Is this all too complicated? Yep, it sure is.
>
> Be seeing 



-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20170802132719:D40560AE-77A7-11E7-A41B-F88BB2AF206F
Powered by Listbox: http://www.listbox.com