As Always, Be *Extremely* Cautious About Installing Browser Extensions
Browser extensions are fraught with danger — which is why I rarely use them — especially those extensions that request your permission to:
- Access your data for all websites
- Access browser tabs
- Access recently closed tabs
- Read and modify bookmarks
- Download files and read and modify the browser’s download history
- Input data to the clipboard
- Display notifications to you
- Read and modify browser settings.
I mean…seriously!?! There is not a snowball’s-chance-in-Hell that I would ever give permission to a browser extension to rummage around in my browser and change things, possibly add malware code into my computer or device’s memory (i.e., the clipboard), as well as essentially look over my shoulder while I use that browser!
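As an added example (not part of the original post), this Python script reads an extension's manifest.json and reports which of the permission prompts listed above it would produce. The mapping uses Firefox's WebExtensions permission names; the function name `audit_manifest` and the sample manifest are constructed for illustration.

```python
import json

# Prompt wording from the list above, keyed by the manifest.json
# permission name that produces it in Firefox.
PROMPTS = {
    "tabs": "Access browser tabs",
    "sessions": "Access recently closed tabs",
    "bookmarks": "Read and modify bookmarks",
    "downloads": "Download files and read and modify the browser's download history",
    "clipboardWrite": "Input data to the clipboard",
    "notifications": "Display notifications to you",
    "browserSettings": "Read and modify browser settings",
}
ALL_SITES = "Access your data for all websites"
# Host match patterns that cover every website.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def audit_manifest(manifest_text):
    """Return the sorted prompts from the list above that this manifest requests."""
    manifest = json.loads(manifest_text)
    requested = []
    # Manifest V2 mixes host patterns into "permissions"; V3 uses "host_permissions".
    for key in ("permissions", "host_permissions"):
        value = manifest.get(key, [])
        if isinstance(value, list):
            requested.extend(p for p in value if isinstance(p, str))
    # Content scripts matched against every site have the same reach.
    for script in manifest.get("content_scripts", []):
        requested.extend(script.get("matches", []))
    found = set()
    for perm in requested:
        if perm in BROAD_HOSTS:
            found.add(ALL_SITES)
        elif perm in PROMPTS:
            found.add(PROMPTS[perm])
    return sorted(found)


# Constructed sample manifest, not taken from any real extension.
SAMPLE = """{
  "manifest_version": 2,
  "name": "Example Coupon Helper",
  "version": "1.0",
  "permissions": ["tabs", "clipboardWrite", "storage", "*://*/*"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["cs.js"]}]
}"""

if __name__ == "__main__":
    for prompt in audit_manifest(SAMPLE):
        print("WARN:", prompt)
```

An .xpi or .crx package is a zip archive, so the manifest.json can be extracted and passed to the function before the extension is installed.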
As you may have already guessed, I’ve been wary of browser extensions for a long time. I wrote about how dangerous browser extensions are back in 2011: Why We Need a Google Condom for Chrome Extensions, and again in 2017: Why Browser Extensions Are Dangerous, but there is an increasing number of security experts now recommending caution on your use of browser extensions. One such expert is the cyber investigator Brian Krebs, who writes the excellent Krebs on Security blog. His latest post was just published on March 3, 2020 and gives great advice and reasoning behind limiting the browser extensions you install: The Case for Limiting Your Browser Extensions.
Add to that my specific intention to limit (or completely stop) tracking as best I can, which is why I’ve moved from Google’s Chrome to Firefox as my default browser. I am not just concerned about malware and rogue extensions; I’m more concerned about third-party trackers and the companies that enable them to flourish to our detriment.
A CRACKDOWN ON EXTENSIONS
Fortunately there is a move by major browser companies (i.e., Google with Chrome and Mozilla with Firefox) to crack down on rogue and dangerous extensions. Ars Technica had this article published January 30, 2020: More than 200 browser extensions ejected from Firefox and Chrome stores:
The crackdowns highlight a problem that has existed for years with extensions available from both Mozilla and Google. While the vast majority are safe, a small but statistically significant sample engage in click fraud, steal user credentials and install currency miners, and spy on end users—in at least one case, millions of users, some of whom were inside large companies and other data-sensitive networks.
WHAT IF THE EXTENSION IS FROM A TRUSTED COMPANY?
“When you use the Websites or Products, we automatically gather information made available by your web browser (such as Microsoft Edge or Google Chrome), Internet service provider (such as Comcast or Time Warner), and device (such as your computer, phone, or tablet), depending on your settings for each. For example, we may collect your IP address, information about the operating system or type of device you use, the date and time you access the Websites or Products, and the location of your device.
Generally, the information addressed under this section is anonymous and does not, standing alone, directly identify you; however, it could possibly identify you when associated with other information. For example, if a third party were to see your IP address, they would not automatically know your name—yet your name could be associated with your IP address by your Internet service provider if you are the named accountholder.”
You could argue that the above is boilerplate and all organizations do some form of this type of data aggregation. But when that data has specific intents like the following, it shows how they intend to use your data AND allow it to be shared by third parties:
“What about Third Party practices?
Third Party Cookies and Web Beacons: Advertising agencies, advertising networks, and other companies (together, “Third Parties”) who place advertisements on the Websites and on the Internet generally may use their own cookies, web beacons, and other technology to collect information about individuals. Except as expressly provided herein, we do not control Third Parties’ use of such technology and we have no responsibility for the use of such technology to gather information about individuals. It is up to you to familiarize yourself with the privacy practices of such Third Parties.”
Remember this quote when something like this useful extension is free: “You are not the customer. You are the product.”
WHAT EXTENSIONS CAN YOU SAFELY INSTALL?
In my main browser Firefox, I have only one extension installed: the Electronic Frontier Foundation’s (EFF) Privacy Badger. EFF describes Privacy Badger as:
“…a browser add-on that stops advertisers and other third-party trackers from secretly tracking where you go and what pages you look at on the web. If an advertiser seems to be tracking you across multiple websites without your permission, Privacy Badger automatically blocks that advertiser from loading any more content in your browser. To the advertiser, it’s like you suddenly disappeared.”
Though Firefox’s new privacy and anti-tracking capabilities are excellent, Privacy Badger completes the capability I seek to make tracking and surveillance even harder for the hundreds of third-party trackers out there. Firefox’s creator, Mozilla, also has a rigorous vetting process for extensions and has a short list of verified extensions that do not violate their Recommended Extensions program guidelines.
Here is the best article from Mozilla that I’ve seen yet on how to determine whether or not a browser extension is worthy of (and safe to) install. But if you already know these tips (or have read Brian Krebs’ article above), at least pay attention to wise advice like this from Dan Goodin, the writer of the previously linked-to article from Ars Technica:
“There’s no sure-fire way to know if an extension is safe. One general rule is that there’s safety in numbers. An app with millions of installs is likely to receive more scrutiny from researchers than one with only a few thousand. Another guideline: apps from known developers are less likely to engage in malicious or abusive behavior. The best rule is to install extensions only when they truly provide value. Installed extensions that are used rarely or not at all should always be removed.”
Great Marketing Video for a Service Called ‘Chatbooks’
As you may know from reading this blog, I’ve been using Flickr for my photo albums for years. Once owned by Yahoo, it was sold last year to the family-owned — and very well run photo service website — SmugMug. As you can see from two posts I wrote about preserving digital media here and here, I’m very concerned that photos of family and friends taken today with smartphones will disappear into the digital ether at some point. If so, they won’t be in some shoebox in the closet 50 years from now for guys like me to scan, digitally clean up, and preserve.
SmugMug will occasionally send me marketing emails, most of which I ignore like I do with most ads of this kind. But I happened to get a marketing email from them and had time to view it and again, SmugMug never spams me so I clicked on the link and ended up on a site called Chatbooks, one of SmugMug’s affiliate partners.
Immediately my thought was, “Oh…just another photo book printer” until I watched the marketing video you see below and found myself laughing and delighted with it. It is an amusing and well-produced video pitching their service called Chatbooks and I smiled just about the entire time the video ran.
The service that caught my eye (and is the subject of the video below) is their Ongoing Photo Book Series which you can set up to publish a new soft or hard cover small book for every 60 photos you take with your smartphone. It’s a no-muss, no-fuss way of preserving photos for future generations, especially if you lose your phone and have never done a backup!!
Of course, I’m not the target market (Moms are for this video) but it still tickled me and made what they’re offering stand out in my mind and seriously consider the book series option. Well done Chatbooks!
Why Cross-Site Tracking for Ads is Disturbing, But Also Badly Targeted
We’ve all had these sorts of experiences: A friend or loved one uses your computer to, for example, look up skateboarding and you soon notice that when you’re on some news site you typically frequent, the advertisements are suddenly skateboarding related? Then you go to Facebook and the same thing happens with those types of ads appearing?
What’s bothersome to me is BOTH the ads AND the cross-site tracking companies that advertisers use so they can “follow us around” and display what they think are relevant ads. The problem is that my wife and I share a single Amazon Prime account so I logged in to Amazon as her this morning, bought her a new backup hard drive (her current one died), and then looked at my news reader and clicked on this Ars Technica article.
The ads were suddenly for beauty products like this one:
While I get my beauty sleep and care how I look, I do NOT use Clinique so I come across with a “better glow.” 😉
Here’s the thing: Ars Technica is a geek site and highly technical in its articles, which is why I so enjoy reading it. But I usually only read it in a browser with ad blocking turned on because, after they were acquired in 2008 by Advance, the parent company of publisher Conde Nast, their ads slowly-but-surely became larger and more intrusive like the HUGE one above (which, by the way, is in THREE other places on the page as I scrolled down).
USING AN AD BLOCKER
Ads are intrusive overall regardless, but they are REALLY annoying when I’m reading on my iPad which is what I typically do. Why? Because constantly loading ads in a header or sidebar means that, as I’m reading and maybe halfway down the article, it suddenly jumps to the top of the page! I get SO pissed off that I typically hammer on the publisher through tweets or an email, but they don’t care so never respond.
On my iPad I use 1Blocker to block cross-site tracking and ads, primarily to stop that behavior I just mentioned but also since it is a MUCH better experience to not be punched-in-the-face with ads since they are never discreet…they only want to intrude, interrupt, and completely take over one’s reading experience. They also make their “close boxes” as hard as possible to use so we inadvertently launch the ad’s website so the publisher gets credit for click-through!
Here is the exact-same article on my iPad:
If you’re interested in an ad-blocker (and, in some cases, a cross-site tracking blocker) for iOS, here are some options.
Google’s Chrome browser is the one I use but they are taking NO leadership for us. Only for themselves, advertisers and cross-site tracking companies since Google’s business model is primarily ad-centric and they provide us with all of those “free” services (e.g., Gmail; calendar; voice; and more) to get better-and-better at advertising to us and selling our data to others.
WHAT I DO
I don’t use ad-blockers or cross-site tracking blocking in Chrome usually since it interferes with too many web development activities which I perform within our Innov8Press business. Instead, I create site-specific browsers using Coherence 5 so cookies are self-contained within my “search” browser, for example, since Coherence allows you to turn any website into a full-blown macOS application in seconds. And, using the power of Google Chrome, allows each app to have separate settings and extensions.
STOPPING CROSS-SITE TRACKING
Fortunately there is hope. Apple’s decision to stop the cross-site tracking of advertising companies in the newest version of the Safari browser (version 11) — and put the power back into the hands of those of us doing things online — has come to the fore with great controversy.
Publishers are obviously upset since their business models are advertiser-centric. While I completely understand their motivation, don’t they know that bitch-slapping us with ads, making them as HUGE as possible, hiring cross-site tracking companies to follow us around, does nothing but make everyone want them to STOP!!
Perhaps if publishers showed some restraint and took the high-road, things would be different. But for now I know I will do WHATEVER IT TAKES to block ads and cross-site tracking companies.