Can browser extensions really protect your privacy?

Illustration of three spies

Browser extensions are programmes that extend the functionality of web browsers like Firefox, Internet Explorer, Chrome and Opera.

Some do wonderful things (like add a moustache to all faces on the web, give you access to an array of web developer tools or simplify terms and conditions)  and some are rather less wonderful

Some of them are also very, very popular indeed with the most popular enjoying quite a few million users each, as this list of the most popular Firefox extensions illustrates. 

One breed of extension that seems to be particularly popular are those offering online privacy protection or greater security when browsing.

Adblock Plus claims over 300 million downloads, Ghostery, over 40 million and Web of Trust, over 132 million. Eight of the twenty most popular Firefox addons (at the time of writing) can be categorised as applications that claim to offer some form of enhanced web browsing security or privacy protection.

What are the threats to your online privacy?

Most of the threats to your online privacy that these browser extensions promise to combat are a combination of phishing (a way to steal your personal or financial information), malware (or virus and spyware) or third party cookie tracking.

Phishing and malware both remain big problems in terms of scale, though it is harder to find stats suggesting the actual impact they have on people. Get Cyber Safe, a Canadian organisation, suggested in 2012 that 156 mllion phishing emails were sent every day, 8 million were opened and 80,000 fell for a scam and shared their personal information. This slightly scary chart from AV gives an indication of the amount of new malware being deployed online

It’s also hard to say how big an issue government or corporate surveillance (in the form of companies tracking your behaviour online) is. However, the Economist reports (paywall) on a huge growth in companies specialising in gathering third-party data, which "allows firms to glean what sites users have visited, what they have shopped for, what postcode they live in and so on".

Research in America by the Pew Research Centre also suggests people are concerned about online surveillance and privacy. Pew found that 93% of adults said that being in control of who can get information about them is important and most want limits on the length of time that records of their activity can be retained by online advertisers and governments.

What options are there? Do they all do the same thing?

... loads! And no!

There are many different types of browser extension offering some form of privacy or security protection and I’ve listed some of the major ones below:

Adblock Plus

Adblock Plus is one of the most downloaded extensions for both Firefox and Chrome. It primarily markets itself as a way to “surf the web without annoying ads” but does claim some privacy and security benefits too. 

The two main claims it makes is that it can disable tracking and disable malware domains. It does this through a set of community maintained blocklist. The default one used is Easylist but these can be customised or you can create your own.

Disconnect

Disconnect is another popular extension. There is a much more comprehensive desktop application (with a free and paid-for version), which makes a number of big claims about helping you defeat internet censorship and blocking "over 5000 malicious trackers, sources of malware and identity theft". However, we’ll just concentrate on the browser extension here. 

The free browser extension allows you to block the "trackers and hackers" by detecting when your browser makes a network request to anything other than the site you are visiting and blocks all of them except those which "would" break the site you are visiting if removed. You can see all blocked requests and add them to a whitelist too.

Ghostery

The Ghostery browser extension provides quite a similar service to Disconnect. However, it does seem to put a greater emphasis on showing you how you are tracked as well as giving you options to block trackers.

Similar to Disconnect, Ghostery monitors all network requests involved in loading any particular web page. If any of these requests match one of the ad or tracking providers on their list they show you which provider is tracking you in a dialogue box. If you choose to block any of these providers then any future network request to this provider will be blocked. 

Ghostery is also quite upfront about how they make money. Their model is to sell data about web trackers to advertisers rather than charging the user. The data is collected via a system called “Ghostrank” that can be turned on or off.

HTTPS Everywhere

The HTTPS Everywhere browser extension is the result of a collaboration between The Tor Project and the Electronic Frontier Foundation (EFF).

HTTPS encrypts the data being passed between a client and server, which means, even if someone intercepts the messages you exchange with a server, they will not be able to read any of the data you send.

The HTTPS Everywhere browser extension enables a website’s HTTPS protection on “supported parts of supported sites”. Essentially, some websites may offer HTTPS support but default to HTTP so it is harder to use. So it is not all encompassing but this extension does mean you will browse many web pages using HTTPS that you wouldn’t by default, which should make your browsing more secure.

Noscript

The NoScript Security Suite aims to stop exploitation of known and unknown security vulnerabilities to make you safer online.

Noscript blocks all executable web content such as Javascript and Java (which may often be used for malicious purposes!) unless the website has been added to a whitelist. This is a different approach to many other privacy/security focussed browser extensions that will block based on a blacklist instead.

Privacy Badger

Privacy Badger is another tool from EFF that blocks third party servers that seem to be using cookies to track you across more than one website. It is specifically a privacy tool rather than an ad blocker and does not contain a blacklist of sites but blocks domains "if the Privacy Badger code inside your browser actually observes the domain collecting unique identifiers after it was sent a Do Not Track message." 

Web of Trust

Web of Trust is a an extension that provides a reputation rating next to search results based on reliability, privacy and child safety. The ratings are taken from other Web of Trust users in combination with other sources such as phishing or malware blacklists.

The tool doesn’t cover all websites and doesn’t provide a rating for sponsored search results but it does cover over 130 million sites and can provide an additional means to flag untrustworthy content.

Can they actually protect your privacy or make you more secure online?

The answer is yes, partially, with some caveats. 

Human vulnerabilities as important as machine

Phishing attacks will often rely on human rather than machine vulnerabilities and the same goes for malware as browsers and plugins become more secure over time. For instance, you might be sent an email purporting to be from a bank (that’s not actually a bank) that asks you to login in on a website (so that they can then steal your log in details). There is little a browser extension can do to stop you clicking the link even if you’re using webmail.

This is more an issue of digital literacy, though there are a variety of attempts to solve this problem from organisations in the email industry. However, once you are visiting a web page (via a phishing link in your email or not), browser extensions can offer more protection against both phishing attacks and malware being installed.

Noscript may be able to block malicious use of scripts to, for instance, launch a pop-up window while directing users to a legitimate site or hide the real URL of the fake website. It also claims some success in stopping malicious code from one website running on another. 

HTTPS Everywhere can also provide limited protection against other forms of phishing such as data theft when using public wifi. However, evenencrypted connections have vulnerabilities

Disconnect, Ghostery, Privacy Badger and Adblock Plus will also all provide some level of “hacker and tracker” protection, with Web of Trust more of a prevention tool then a way to actively protect your data.

It is hard to say, which is most effective at blocking third-party trackers. This 2011 Stanford University study seems to rate AdBlock Plus and Ghostery as most effective. The study is recreated and kept up to date as areweprivateyet.com – this also rates AdBlock and Ghostery highly (but it is run by Ghostery!).  

Limited protection

All of these tools can also help make users more aware of the amount of tracking and scripts than run when they access a web page, increasing their digital literacy, which can only be a good thing. However, they provide limited protection and there will always be ways round them, especially since more organised attempts at surveillance go well beyond the web browser with evidence of millions of computers being vulnerable to the hacking of their core BIOS software.

It also depends on how far you are willing to go. Edward Snowden recommended Ghostery and Noscript as well as Tor and full disk and network encryption. However, many free online services rely on your data being the price you pay to use them and many (perhaps most) people seem quite willing to pay that price at the moment.

Are there any risks to using browser extensions?

Yes. There are two main risks. Firstly, there are lots of rogue extensions out there that essentially do many of the bad things that the browser extensions above are meant to stop!

Secondly, some might question the motivation and business models of some of the major privacy focussed browser extensions. Specifically, the EFF list this as a motivation for creating their Privacy Badger browser extension: "Several of these extensions have business models that we weren't entirely comfortable with". So users may choose to use Privacy Badger not because it is necessarily the best tool but because they have greater trust in how it will develop bearing in mind the commercial pressures the other companies may operate under.

What is the role of library and information professionals?

Browser extensions can help protect your online privacy but they represent only one method among many.

There are some good tips from the EFF and the Guardian that contain additional methods to protect your privacy online including:

  • Make yourself more difficult to find on social media
  • Choosing a good password. Many don’t.
  • Disable GPS and Wi-Fi on your mobile device until you need them
  • Realize you may be monitored at work, avoid sending highly personal e-mail to mailing lists, and keep sensitive files on your home computer.
  • Don't give out personally-identifiable information too easily

The majority of those listed are social rather than technical. In other words, perhaps the most effective means that users have to protect their privacy online are to do with being digitally literate, aware of the risks and what options they have available to protect themselves.

It is here where there seems to be a growing role for the library and information sector. This is most obvious in calls from some, such as theLibrary Freedom Project, for library and information professionals to be at the forefront of the digital privacy movement. However, it is also evident in some of the innovative projects in the UK and around the world to teach online safety and computer digital literacy skills more generally. 

Library and information professionals are trusted by their users and communities,  work across a wide range of sectors and many have an expert understanding of the implications of information use in a digital environment. They are in a unique position to help empower more people to become confident, informed and digitally literate internet users.

What extensions would you recommend? Is your library running privacy courses? Let us know in the comments below

References

Image source: "A Spy's Spy" by Emory Allen, used under CC BY-NC 2.0 / Original cropped and resized

 

Read our blog comment guidelines