Your browsing history may have been sold already

Discussion in 'privacy problems' started by ronjor, Nov 1, 2016.

  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    120,768
    Location:
    Texas
  2. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
  3. emmjay

    emmjay Registered Member

    Joined:
    Jan 26, 2010
    Posts:
    1,413
    Location:
    Triassic
    I use TrafficLight. It is not the same as WOT - no user participation.
     
  4. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
    Cool, thanks! I'll check it out. It's BitDefender, right?

    I've changed my router's DNS setting from my ISP's servers (which are the fastest for me) to Norton ConnectSafe for now.
     
  5. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
    It seems to slow Cyberfox and there is no icons next to Google Search Results, but I tested it at the AMTSO Phishing Test Page and it did pop up and block a "phishing attempt".

    BD Trafficlight.PNG

    Undecided for now.
     
  6. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    How does TrafficLight work? Does it perform cloud queries and/or phone home other information? If so, what is sent?
     
  7. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
    From the Chrome version of their Privacy Policy (PDF):

    The site icon / annotations seems to only show up on the second page of search results on for some reason.
     
  8. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    977
    Location:
    UK
    WoT was never good in the first place, I would come across various sites that had been marked as untrusted simply because someone didnt like the site's content.
     
  9. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
    I had to remove BD Trafficlight because I noticed a few times that I couldn't open the Cyberfox Menu from the hamburger button. :thumbd:

    ... NEXT?!
     
  10. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,286
    Now the users are penalizing the WOT-addon on AMO with 1-star ratings.
     
  11. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
  12. ProTruckDriver

    ProTruckDriver Registered Member

    Joined:
    Sep 18, 2008
    Posts:
    1,314
    Location:
    USN Retired 1969 ~ 1992
    Yeah, that should be interesting.
     
  13. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Well thanks for posting the link and quote, but what I really meant was: Have any users (and/or prospective users) here done some assessment of their own? For example, by examining traffic reported by their browser or another extension, by looking over the addon source, etc. To identify and verify specific things of importance (and which privacy policies often ignore or gloss over). Such as:
    1. Does it eliminate or at least reduce phone home by utilizing downloaded lists?
    2. Does it leverage hashing techniques or send actual browsing data to the cloud?
    3. Does it send just hostnames, or URLs sans query string, or full URLs to the cloud?
    4. Does it send any POSTed data to the cloud?
    5. Does it utilize internal whitelisting, filtering, or the like to avoid or reduce the collection of particularly sensitive information (personal info, financial transactions, health care reports, etc)?
    6. Are cloud queries accompanied by a cookie or GUID that ties the queries and exposed information together?
    7. Is there a social networking component that utilizes social platform APIs in a way that causes greater privacy issues? For example, does it gather viewing and/or sharing information that is not necessary for protective purposes?
    8. Is there analytics and/or error reporting that exposes more information?
     
  14. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
    Yeah, sorry about that. I should have known that is what you wanted. :oops:
     
  15. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    No worries, mate. In fact, I feel pretty good about it. Someone momentarily overlooked the fact that I am like a broken record on the subject! :geek:
     
  16. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    3,165
    Location:
    Slovakia
    Good thing, that browsers/installers show, what extensions can do. I have only one, which can read history, search related, obviously. I might remove it. :cautious:
     
  17. Joxx

    Joxx Registered Member

    Joined:
    Sep 5, 2012
    Posts:
    1,633
    This is terrible, I've been using WOT since I can remember ... :(
     
  18. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    14,569
    Location:
    The Netherlands
    LOL, I've always said that these kind of tools should not be blindly trusted, and I guess I was right again. I never liked these kind of tools anyway. But I do wonder how trustworthy certain extensions like for example ABP annd Ghostery are. Extensions are the perfect spying tools, besides the browser itself of course.
     
  19. summerheat

    summerheat Registered Member

    Joined:
    May 16, 2015
    Posts:
    1,901
    But what about network requests? When I was still using Google Chrome, I noticed in uMatrix that an addon (unfortunately I can't remember anymore which one - I think it was one to control referrers) contacted a specific website every time I opened a new website. Since I had uMatrix configured to block behind-the-scene requests by default, that other addon had no chance to spy my browsing data out. Unfortunately, in Chrome v. 47 there was a change in the chrome.webRequest API with the result that uMatrix (or uBlock Origin) was no longer able to monitor and control network requests of other addons.

    In other words: Not knowing what addons which are known to make cloud requests are doing exactly is bad enough. However, in Chrome you even cannot easily see if addons make network requests at all - and if you do you can't stop this behaviour. That's one important reason why I went back to Firefox: In this browser uMatrix (or uB0) is still able to monitor and block network requests by other addons. I sincerely hope that Mozilla won't change that, either.
     
  20. mood

    mood Updates Team

    Joined:
    Oct 27, 2012
    Posts:
    40,286
    :eek:
    Good to know. The last time i checked these requests, was long time ago and uMatrix was able to see them.
    I tried it today with Chrome, and uMatrix can't see request from other addons. Only it's own behind-the-scene-request.
    That's not nice :(
     
  21. Azure Phoenix

    Azure Phoenix Registered Member

    Joined:
    Nov 22, 2014
    Posts:
    1,331
    Have you tried Netcraft or Avira Browser Safety?
     
  22. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
    No I haven't but I think I'll give them all a miss for now and instead trust the malware lists in uBO and Norton ConnectSafe in my router, oh and my gut instinct.

    The story only mentions WoT by name but says there are others doing the same thing. Until we find out what the other extensions are I'll find it hard to trust any.
     
  23. inka

    inka Registered Member

    Joined:
    Oct 21, 2009
    Posts:
    426
    I did so, but last check was probably 2+ years ago.

    Few people posting to this thread probably know/remember the history. Time-wise, WebOfTrust emerged in the wake of the SiteAdvisor sellout. Prior to its acquision (and gutting) by McAfee(sp), SiteAdvisor had an active, vibrant user community. Many of the SA participants drifted, emigrated, to WOT ~~ we had high hopes, high spirits. One of the WOT principals (IIRC named "Timo") was a brilliant, capable, PhD-level programmer & expressed his commitment toward "getting it right" in terms of creating and maintaining an effective reputation system.

    Timo explained (correctly, IMO) that in order to avoid gaming, an effective "Reputation" system must consider both the reps of individual raters as well as the products (websites in this case). The WOT system would, we were told, permit anonymous participants to submit site reviews (textual, anecdotal, observations and opionion) but WOULD NOT "count" the numerical rating associated with any such anonymous review/report.

    POINT: from inception, if one opted-in by creating a mywot site login account... and installed browser extension in order to gain easy ability to submit ratings, CLEARLY one would be personally-identifiable ~~ at least to the extent of one's activity being associated with email address used (and confirmed, at time of registration)(which was not-so-common at the time) with mywot site account.

    On paper, in theory... everything sounded great. Oops, Timo's bidness partner set out and solicited investors; they hired a PR/Marketing person & set out on an "advertising spend" campaign and travelled to tech shows/conventions...

    ...with that new/paid wave of popularity came droves of CLUELESS new users, asinine "reviews" (dont hardly visit this site cuz it sux it got my cat pregnant!) as well as paid-to-slander review submissions. Apparently the WOT "business model", as pitched to investors, was that the service would be free to users & would be paid for by businesses/sites coughing up $$$ to have any less-than-glowing reviews adjudicated and/or removed. {rolleyes}

    POINT: The WOT principals apparently caved to "business interests" early in the game, now many years ago. Most of us SiteAdvisor raters/emigrants became disillusioned with WOT, and left, within the first year or two. For me, the camelback -breaking straw was observation that the user forum was being purged of any less-than-peachy posts. I wrote "observation"; what I meant was "first-hand" ~~ I witnessed removal of WOT posts I had written and discussion threads I had participated in.

    POINT: I'm surprised that it took this long, this many years, until public awareness (and outcry) caught up with WOT and bit them in the ass.

    No, and the realtime mechanism (vs periodically dl/ed blacklists) was touted as a beneficial design feature. "If a site becomes compromised, our users need to know right away..."

    I recall that their RESTful API used a ping.pong to retrieve a "nonce" via plain http, and...

    ...and regardless what else I correctly/incorrectly recall, my hands-on observations are now outdated.

    a "nonce" token (if you've setup a WOT site account, and a valid login cookie is present)

    Amid our privacy discussion, I'll reiterate the point tha "effectively maintaining a reputation system" demands this.
    I could (and early on, was comfortable doing so) enable the restartless WOT extension "as needed", in order to report a badsite... then clear cookies and/or disable the extension. Ultimately, I wound up removing the extension and just occasionally visited the mywot site to check rep for a given site.

    Still holds today, but was moreso a factor back in the day: hostname or domain -based blocking/rating is way too inaccurate and leaves us with a users, hosters, badbuys scenario of "lose-lose-win". Naw, I'm not gonna chase my tail maintaining blocklist(s) containing inexhaustible hostname permutations like "phentermine94a.ual.com.br", nor am I keen on outright blocking "blogspot.com" just because its free hosting continually breeds maggots...

    In the Google (and if you believe it is separate, Mozilla) safeBrowsing and antiphishing mechanisms, they are using hashing and periodically-downloaded blocklists -- but only as a first line of defense, right? Unless you change default prefs, Mozilla would have your browser calling out real-time, reporting to mothership what file/attachment you're downloading and querying "izzit SAFE?", right?

    Is there a social networking component?
    More worrisome question (to me) was: Are they (WOT) now providing openAuth services?
    "Hi. For your protection, and for your convenience, this site doesn't support user account login.
    You can login with Google | login with WOT | login with FaceTwit" ...or you can stand out in the cold.
     
  24. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    9,001
    Location:
    Among the gum trees
    Interesting read... while it's still there.

    https://www.mywot.com/en/forum/70396--virus-spyware-do-not-install-uninstall-as-soon-as-possible

    Also, a statement:

    https://www.mywot.com/en/forum/70476-user-update-from-wot

     
  25. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    It sounds like the business model came to involve secondary use and sharing of the data they acquire. Do you remember hearing anything about that aspect? Have any personal thoughts as to when that may have started?

    In any form, I mean. Regardless of whether or not they consider[ed] it to be aggregated, anonymous, non-personal, etc.
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.