Web Of Trust Browser Add-On Withdrawn By Mozilla After Privacy Violation

An investigation has uncovered a serious breach of privacy by Web of Trust (WoT), a Finnish firm that specialises in a browser add-on for secure web browsing.

The findings have already prompted Mozilla to remove the WoT add-on from its store. Following that, the firm voluntarily removed the WoT add-on from all other platforms, including the Chrome and Opera store.

Hand In Cookie Jar

Web of Trust (WoT) is essentially a website review and reputation service that since 2007 has been helping people make informed decisions about whether to trust a website or not.

It has been downloaded over 140 million times, and is a popular browser add-on for Firefox, Google Chrome, Opera and Internet Explorer. It uses a crowdsourcing approach to rate websites based on trustworthiness and child safety.

But the German TV channel NDR discovered some worrying privacy issues with WoT.

Firstly it seems that WoT has been collecting the browsing history of its millions of users and has been selling this data to third parties.

Secondly, and even worse, it seems the firm did not properly anonymise the data it collects on its users, which potentially allows others to expose the identity of the users and all their personal details.

This is in direct violation of WoT’s own privacy policy.

That policy does admit that the firm collects the user’s IP address, geo-location, the type of device, operating system, and browser, as well as the date and time, web addresses, and browser usage. But it said that this data in stored in a  “non-identifiable” format.

However the NDR investigation found it was very easy to link the anonymised data to its individual users.

For example, the investigators, using the sample data from just 50 WoT users, were able to identify a raft of high personal information including the account name, mailing address, shopping habits, travel plans, possible illnesses, sexual preferences, drug consumption, confidential company information, ongoing police investigations, and finally the entire browser surfing activity including all the websites visited.

Policy Overhaul

WoT has promised a ‘complete overhaul’ of its data cleaning process, but only for those users whose data it uses.

“We take our obligations to you very seriously,” it said in a statement. “While we deployed great effort to remove any data that could be used to identify individual users, it appears that in some cases such identification remained possible, albeit for what may be a very small number of WOT users.”

The firm said it was now reviewing its privacy policy to determine which changes need to be made; and will give users the ability to opt out from the data stored in its database.

It said those people who opt to continue to allow WoT to use their browsing data, “we will implement a complete overhaul of our data ‘cleaning’ process, to optimize our data anonymisation and aggregation objectives to minimise any risk of exposure for our users”.

“We will spend the coming weeks making the changes to WOT which will ensure we are back on the right track,” it added.

It now remains up to WoT users to decide whether to trust the firm, or uninstall the add-on completely.

Mozilla last week also disabled an API in Firefox over concerns it could be used to track users. It said it had disabled the ability of websites to access the Battery Status API in Firefox 52, after warnings from security researchers that the feature could allow the user to be tracked.

Think you know all about online privacy? Try our quiz!