Web of Trust (WOT) scandal
Originally reported in Germany (http://www.ndr.de/nachrichten/netzwelt/Nackt-im-Netz-Millionen-Nutzer-ausgespaeht,nacktimnetz100.html) and picked up by PCMag (http://www.pcmag.com/news/349328/web-of-trust-browser-extension-cannot-be-trusted).
From the German site (apologies for the translation errors): “In the background, however, the extension also logs and transmits the data for the surfing behavior of the user to a server abroad. A profile is created where the date, time, location, and controlled web address are stored together with a user ID.”
Further: “These data then go to intermediaries. From one of these intermediaries, Panorama and ZAPP got their record.” It is unclear to me whether the ‘data’ that is shared with ‘intermediaries’ includes that user ID.
And: “Reporters from the NDR have been able to personally identify more than 50 users, for example via e-mail addresses in which the name is located, logins, or other components of the called URLs.”
And: “To reach the information, the NDR Reporters have founded a dummy company, which is supposedly active in the ‘big data’ business. Several companies were ready to sell the web data of German Internet users – a company offered the data now evaluated as a free sample. Data packages like this offer countless companies.”
According to pogowasright, WOT have stated that “We take our users’ privacy rights very seriously, and for that reason we go to great lengths to anonymize and aggregate the data we collect to run our service, and we of course never license or disclose user registration information.”
This is a timely reminder that if you collect and share information about web sites visited, you need to be cautious about the inadvertent collection and sharing of PII that may be embedded in a URL.
It’s also a timely reminder that a unique ID may not actually be anonymous. It all depends on what that unique ID can potentially be combined with.
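One way to reduce the URL risk described above is to minimise each visited URL before it is stored or shared. The sketch below is an added example, not code from WOT or from the reports cited; the function names, the redaction patterns and the sample URLs in the test are assumptions constructed for illustration.

```javascript
// Added example: minimise a visited URL before it is logged or shared.
// Patterns are heuristics chosen for this sketch; tune them to your own data.

// E-mail address anywhere inside a (decoded) path segment.
const EMAIL = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/i;
// Segments that look like tokens or account numbers: long hex strings,
// long digit runs, or UUIDs.
const LONG_ID =
  /^(?:[0-9a-f]{16,}|\d{5,}|[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})$/i;

// Replace one path segment with a placeholder if it looks identifying.
function scrubSegment(seg) {
  let decoded;
  try {
    decoded = decodeURIComponent(seg); // catch %40-encoded e-mail addresses
  } catch {
    decoded = seg; // malformed escape: test the raw text instead
  }
  if (EMAIL.test(decoded)) return ':email';
  if (LONG_ID.test(decoded)) return ':id';
  return seg;
}

// Return a reduced form of the URL, or null if it should not be recorded.
function minimiseUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return null; // unparseable input is dropped, not stored verbatim
  }
  // Only web pages; file:, chrome:, data: and similar are never recorded.
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  // Rebuild from parts so that userinfo (user:pass@), port, query string
  // and fragment are never copied into the output.
  const path = u.pathname.split('/').map(scrubSegment).join('/');
  return `${u.protocol}//${u.hostname}${path}`;
}
```

Host names can still identify a person (for example a per-user subdomain), and scrubbing URLs does nothing about the second point above: if every record carries the same user ID, the remaining browsing history may be enough to single someone out.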