WoT pulls browser extension after privacy failure

wot

Are you one of the 140 million people who have downloaded Web of Trust (WoT)? If you are, you might want to uninstall it – for the time being at least.

Why? Because WoT has been caught getting up to some not-so-trustworthy antics. According to Tech Week Europe:

First, it seems that WoT has been collecting the browsing history of its millions of users and has been selling this data to third parties.

Second, and even worse, it seems the firm did not properly anonymise the data it collects on its users, which potentially allows others to expose the identity of the users and all their personal details.

If you’re not familiar with WoT, it’s a free browser extension that tells you which websites you can trust. The WoT website reputation and review service uses a crowdsourcing approach to collect ratings and reviews from its users based on their personal experiences. WoT provides traffic light icons next to search engine results, links in social networking sites, email and other popular sites such as Wikipedia. As it explains on its website:

A green traffic light means users have rated the site as trusted and reliable, red warns about potential threats and yellow indicates that you need to be cautious when using a site.

WoT’s antics were discovered by German TV channel NDR. The broadcaster got hold of some of the data that WoT had sold to third parties. Make Use Of reports that this included:

…browsing histories, travel plans, health issues, and ongoing police investigations.

A BBC story reveals that the data also contained:

…personal data, including email addresses and phone numbers, that were not obfuscated.

In its own privacy policy, however, WoT does explain that it collects:

  • Your IP address
  • The country you’re in
  • The type of device, operating system and browsers you use
  • Date and time stamp
  • Browsing usage – including visited web pages, clickstream data or web address accessed
  • Browser identifier and user ID

But that it does not…

… collect from you or share any individually identifiable information, namely information that identifies an individual or may with reasonable effort be used to identify an individual (“Personal Information”) when you install or use the Product.

However, NDR was able to link some of the information it obtained back to the original user.

Mozilla responded quickly, pulling the WoT add-on from its store. WoT then voluntarily pulled its software add-on from all other browser platforms.

WoT also apologized in a statement on its community forum, saying that what has happened is not acceptable:

If the data allows the identification of even a small number of WOT users, we consider that unacceptable, and will be taking immediate measures to address this matter urgently as part of a full security assessment and review.

The immediate measures it’s taking?

  • Reviewing its privacy policy to users’ privacy rights are properly addressed.
  • Providing an opt-out from having such user browser data saved in its database or shared.
  • Implementing a complete overhaul of its data-cleaning process.

We recommend uninstalling your WoT add-on until a new and improved version becomes available – hopefully within the next few weeks.

In the meantime, these events are a reminder to all companies that we entrust with our data that it is not enough to talk the talk. If they don’t also walk the walk then we will walk, leaving their business models in tatters.