An investigation by German public broadcaster NDR revealed that MyWOT (WOT, or Web Of Trust) has been selling user data to third-parties without properly anonymizing user information, which in some cases exposed the user's real identity and details about his browsing habits.

Following NDR's findings, both Google and Mozilla have removed the extension from their add-on portals.

WOT selling poorly anonymized user data

According to the German broadcaster, its reporters were able to get access to a sample that contained ten billion URLs WOT users had accessed.

While WOT claimed it scrambled data to hide the user's identity, reporters said it was easy to identify clues in the URLs that connected the link with a username, email address, or name.

Reporters discovered information about police investigations, a judge's sexual preferences, and user searches for drugs, prostitutes, and medical issues.

WOT claims on its websites that over 140 million users had downloaded and installed the app during its 10+ years history. Ironically, the extension's purpose is to provide information on the reputation of websites that users are trying to access, if they're safe for kids, contain spam, are trustworthy, or don't respect user privacy.

WOT's Privacy Policy states that its extensions will capture data such as:

  •     Your Internet Protocol Address;
  •     Your geographic location (e.g., France, Canada, etc.);
  •     The type of device, operating system and browsers you use;
  •     Date and time stamp;
  •     Browsing usage, including visited web pages, clickstream data or web address accessed;
  •     Browser identifier and user ID;

WOT data collection

Further down the Privacy Policy page, WOT states that "we will capture anonymized click stream data, your browsing usage, domains you browse, all as detailed above."

The NDR report aired on November 1, 2016, and provided evidence that not only WOT failed to properly anonymize the data, but it was also selling it to interested third-parties. The WOT Privacy Policy stated that WOT may "share" user data with its parent company and partners, but did not mention anything about "selling."

WOT data sharing

On November 2, WOT put out the following statement on its forum.

Dear users,
We take our users’ privacy rights very seriously, and for that reason we go to great lengths to anonymize and aggregate the data we collect to run our service, and we of course never license or disclose user registration information.
If there have been instances where any information was not adequately anonymized and protected, we will of course look into it and, where necessary, take measures to ensure adequate protection for our users. We appreciate the users who have contacted us and brought this to our attention.
We will continue to proudly protect our users from countless online threats as we have for the past decade.

WOT statement

After the story had started to gain attention in the international press, both Google and Mozilla removed the WOT Chrome and Firefox extensions from their stores on Saturday, November 5.

The reason why Google and Mozilla removed the extensions is because of lack of transparency between the extension's actions and its Privacy Policy. There are countless of extensions that collect and sell user data on the Chrome Web Store and Firefox Add-on Portal, so when WOT updates its policy, it's very likely that the extension will be allowed back in. It will then be up to users if they'll continue to use it, knowing of its true actions following NDR's exposé.

Related Articles:

Firefox Adding Search Shortcuts for Google & Amazon to Top Sites

Users Forcibly Being Logged Into Chrome When Signing Into a Google Service

Internal Chrome Page Shows All Google Interstitial Warnings

Chrome 71 Will Warn Users about Deceptive Mobile Billing Pages

Chrome 71 Will Block All Ads on Abusive Sites in December