How deceptive browser extensions snaffled up 4m users' browsing history, including Nest videos, medical history and tax returns

Nacho Analytics sells browsing data from more than 4m users (they advertise "See Anyones Analytics Account"), a service it calls "God mode for the internet." The data is harvested by embedding Nacho's spyware (dubbed "Dataspii") in a variety of browser extensions, mostly for Chrome, but also some for Firefox.

Nacho -- and the browser extensions it relies on to harvest data -- claim that everyone involved opts in, provides full consent, and can be assured that the data that Nacho gathers provides to its customers is anonymized first.

But as an in-depth Ars Technica report demonstrates, all of these claims are highly dubious. The "consent" is often obtained through click-throughs that accede to lengthy sets of terms, which include cryptic notices about having your data harvested in this way.

The supposed anonymization is even more problematic: though the company excises obvious personal identifiers from the URLs it harvests, many services unwisely embed personal information in their URLs, and still more rely on secret URLs as the only way of keeping personal data private -- researcher Sam Jadali found that it could use Dataspii/Nacho's "anonymized" URLs to log in to people's electronic health records, internal company documents, tax returns and other extremely sensitive data, including corporate trade secrets and sensitive information from Tesla, Blue Origin, Amgen, Merck, Pfizer, Roche, AthenaHealth, Epic Systems, FireEye, Symantec, Palo Alto Networks, Trend Micro, Amazon, FireEye, BuzzFeed, NBCdigital, AlienVault, CardinalHealth, TMobile, Reddit, and UnderArmour.

Some of the blame for this is on web developers who put sensitive info in URLs and rely on URL secrecy to protect user data. Read the rest