The Evil Within Your Browser
Another step toward The Doomsday Upon Us
When I presented “The Doomsday Upon Us” at the Marketing Festival this spring, an attendee came to me and literally said, “you scared the shit out of me.” Since then, there were dozens of privacy breaches and data leaks. The likelihood, the number of occurrences, and the scale of data privacy issues will only grow in the future.
We have another example — revealed by the extensive investigation work done by Sam Jadali about a rogue digital marketing player called Nacho Analytics. A detailed account of his discovery can be found in the article below or in his DataSpii Report.
My browser, the spy: How extensions slurped up browsing histories from 4M users
When we use browsers to make medical appointments, share tax returns with accountants, or access corporate intranets…
This is particularly interesting for me for two reasons. First, I’m a data analyst growing more worried than ever about our industry malpractices. Second, I’m the creator of two browser extensions which could easily have fallen on the evil side.
The Darker Side of Browser Extensions
In short, this is how the full report is introduced (edited for clarity):
Imagine if someone could see what employees at thousands of companies were actively working on in near real-time. Imagine, further, this person could access your sensitive personal data in much the same way. Moreover, what if you and/or your colleagues were, yourselves, unknowingly leaking such data?
DataSpii (pronounced data-spy) denotes the catastrophic data leak that occurred via eight Chrome and Firefox browser extensions. This leak exposed personal identifiable information (PII) and corporate information (CI) on an unprecedented scale, impacting millions of individuals. The collected data was then made available to members of an unnamed service, which we refer to in our report as Company X. Both paid and trial members of this service had access to the leaked data. After we reported our findings to Google and Mozilla, the browser vendors remotely disabled the extensions. Furthermore, the online service is now defunct.
Note: the “unnamed service” and “Company X” is Nacho Analytics — which home page currently state this:
Talk about some BS… Someone can never claim to “do no evil.” It’s akin to asking a dictator if they are, indeed, evil. Of course, they will resort to all kinds of justifications: they do it for the good of their people, they have no other choice, etc. In this case: it is legal, users opted in, we take privacy seriously. Yeah, right!
As someone said in a forum, speaking about Nacho Analytics:
Marketing me: This is so amazing. How do they do this and how can I have the data for targeting.
Normal me: This is so scary!
Which is essentially the same question I asked the audience about My Encounter with Christopher Wylie, the Cambridge Analytica whistle-blower: which digital marketer, analyst or data scientist would lift his/her nose on millions of high-quality data records? The simple truth? Those who say no are lying to themselves.
How Did They Do It?
- install a companion browser extension which has a legit purpose and value — at no cost;
- the extension asks for some permission which are required to do whatever it has to do:
- an extension works intimately with your browser and behind the scenes, can do almost anything: collect navigation details, username & passwords, or any other PII information — voluntarily or by accident;
- create or integrate with multiple extensions to grow the data feed;
- send the data to an endpoint — in the case of Nacho Analytics, they were sending the data to Google Analytics;
- once collected, harvest and monetize the data — in the current case, Nacho claimed to be able to “see anyone’s analytics account” and made it available with a monthly subscription fee.
Remember when you install a browser extension — any extension — you open permissions for this extension to view and alter the pages you visit and the traffic between your browser and the interwebs. Only install browser extensions coming from trusted sources and those which offer transparency about what they do. Note whenever a new release of an extension is published, the Chrome Web Store automatically runs a vast number of validations to ensure the extension doesn’t do any harm. But this process obviously doesn’t catch everything.
My Take (and a little story)
The whole setup was sketchy and badly executed. In 2008, when I created WASP, the first ever tool built specifically to audit the quality of digital analytics tracking, I was collecting normal usage info of the extension — which was perfectly legit and totally anonymous. At the time, I wasn’t asking for opt in as this wasn’t the norm — today, with my new Da Vinci Tools project, I’m not even collecting usage data unless the user specifically opt in.
Shortly after WASP launched, someone suggested I could gather market share info — which I did very carefully by collecting only the domain name and the trackers founds on the 1st hit to the site, and not if it was under a username/password protected area — and sending it to GA. Similar to what Nacho did, but I was much more conscious about the privacy risks. This data allowed me to publish web analytics vendors market shares. Shortly after, someone else suggested I could create a consumer version of WASP just to block tags — which I thought at the time was counter-intuitive to the role of WASP, which was to help marketers gather quality data.
Ghostery came out shortly after, in 2009, and I could swear the very first incarnations of Ghostery had some WASP code in it… but I didn’t have the time nor the resources to go after its creator and he carefully avoided ever answering any of my inquiries. Today I would act very differently if someone stole the intellectual property of Da Vinci Tools. While Ghostery allowed you to block tags, it was silently collecting all this info and selling it back to advertisers… On one hand, Ghostery advertised being there to protect your privacy, on the other, they were happily selling your data. It eventually reached millions of users and was purchased for an undisclosed amount of cash. Ghostery has over 2.6M users on Chrome and another 1.2M on Firefox and still does the same… if you opt in. Today I have much more respect for how Ghostery turned out: you can opt in for their “GhostRank” feature which will, indeed, collect your data, and the code is now open source so anyone can inspect it. Plus, they are not stupid enough to make the data visible to outsiders in the way Nacho did.
We Saw It Coming — and we did nothing
In specialized forums such as the #Measure Slack channels, we raised the flag about what we felt was marketing malpractices of Nacho Analytics — how they claimed to be able to access anyone’s data and showed the Google Analytics reporting interface, luring and confusing people. Some members even contacted Nacho to get more info and the answers were typically vague and misleading. We had many conversations where we suspected something was wrong but didn’t go as far as investigating like Jadali did. I see two main reasons for that:
- We hesitate to call out rogue players and mention the names of vendors who are leaning toward the evil side;
- It takes time and resources, and despite our desire to “uncover the truth through data”, we are collectively very weak when it comes to pear review and proper investigation of suspicious activity.
People like those who built Nacho Analytics are not only putting your personal data at risk and luring unsuspicious marketers to give them their money, they also harm the digital marketing and analytics industry as a whole. Yet, there were still some people seeing value in what they offered, even after many of us raised the flag.
It’s too bad we still do not have a good, unified and strong industry voice. The Digital Analytics Association would be best positioned to put out a statement denouncing such practice but typically remains silent on those topics. The most it did was put out a Code of Ethics years ago which is out of date and has absolutely no legal impact or consequences.
So where do we go from here? Beyond the legal aspects of GDPR and others, there are many rogue, unethical, stupid, and risky digital marketing catastrophes lurking in the dark.
Stéphane Hamel is a seasoned independent consultant, innovator, teacher and speaker. He shares his passion for digital marketing and analytics — be it technical ‘how to’ or assessing organizations’ digital capabilities and maturity.