Browser add-on caught selling identifiable web histories

Web of Trust's browser add-on was pulled for being, well, untrustworthy.

When you include the word "trust" in your internet company's name, you're under more pressure than most to respect the privacy of your customers... and one firm is learning that lesson the hard way. Web of Trust Services' browser add-on has left the extension libraries for Chrome, Firefox and Opera after a German broadcaster's investigation revealed that Web of Trust was collecting and selling users' web histories to third parties. While the company said that it was anonymizing data, that didn't hold up under scrutiny. The broadcaster managed to identify over 50 people from sample data, and uncovered everything from active police investigations to the implied sexual orientation of a judge.

Also, a German data protection commissioner chastised WoT for not doing enough to get the consent of its users (and there are many of them, with 140 million downloads) before gathering and selling info. Moreover, there's evidence that the software can run the code it wants on any web page. There aren't any known in-the-wild exploits, but that's not exactly reassuring.

To its credit, WoT is taking steps to mend its ways. It's reexamining its privacy policy, offering an opt-out for the data you share and revamping the way it 'cleans' data to get rid of potentially identifying info. Its previous approach "may not have been sufficient" to fully anonymize your data, a spokesperson tells The Register. The company is quick to add that only Mozilla pulled the add-on -- WoT says it voluntarily yanked the add-on from the Google and Opera portals to "make appropriate changes."

You should see an improved version of the add-on in the weeks ahead. However, questions remain: why sell histories without explicitly warning users, and without making absolutely sure there wasn't identifying data? And why not make data sharing opt-in? No matter what the answers, the findings are a reminder that promises of anonymized data by themselves aren't enough. A company has to make sure that your sensitive content remains a secret in practice, not just in theory.