Incogni, a company that offers a personal data removal service, said that its research team examined 238 AI-powered Chrome browser extensions and found that 67% of them collect user data, while 41% collect personally identifiable information.
Some of them even collected sensitive information. These extensions tracked user activity (collected by 22%), personal communications (collected by 15%), and financial information (collected by 7%).
More than a third of the extensions examined have a high-level risk impact – meaning that they seek permissions to inject code into websites or run on all pages the user’s browser opens.
The user activity that these extensions were capturing could include sensitive company information, keystrokes, passwords, timestamps, and even behavioural patterns.
Each of the Chrome extensions that Incogni researched had more than 1,000 users. The research team analysed the data that the extensions' publishers admitted to collecting, and then used the findings to create a ranking based on the level of risk they posed to user privacy.
Programming assistants ranked the worst, followed by personal assistants and general-purpose extensions and integrating and connecting extensions.
The team also looked at some of the most popular extensions, each with at least 2 million users, and ranked them according to their data collection and permission request practices.
Among them, DeepL was found to be the most privacy-invasive. Incogni noted that DeepL required the highest number of sensitive permissions (four), including scripting and webRequest. It collects five data points, including personal communications and user activity, and requires five permissions.
The second most privacy-invasive, AI Grammar Checker & Paraphraser, also collects five data points, and requires a high number of sensitive permissions (scripting and activeTab).
Sider ranked third, requiring the highest number of sensitive permissions (four), including offscreen and all URLs.
The company noted that DeepL, Sider and Grammarly have a high-risk impact, which means that, theoretically, they have the ability to exfiltrate or compromise a lot of sensitive user data or encroach upon users' privacy.
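As an added illustration (not Incogni's code or methodology), the sketch below checks an extension's manifest.json for the permissions named above and for the two conditions the article gives for a high risk impact: the ability to inject code into websites or to run on all pages. The function name, the rule that the scripting permission or any content script counts as code injection, and the sample manifests are assumptions made for this example.

```javascript
// Permission names the article calls out as sensitive.
const NAMED_SENSITIVE = ["scripting", "webRequest", "activeTab", "offscreen"];
// Chrome match patterns that cover every page the browser opens ("all URLs").
const ALL_PAGES = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Hypothetical helper: takes a parsed manifest.json and reports what it requests.
function auditManifest(manifest) {
  const list = (v) => (Array.isArray(v) ? v : []);
  const declared = [
    ...list(manifest.permissions),
    ...list(manifest.optional_permissions),
  ];
  // Manifest V2 mixes host patterns into "permissions"; V3 splits them out.
  const hosts = [
    ...declared,
    ...list(manifest.host_permissions),
    ...list(manifest.optional_host_permissions),
  ].filter((p) => typeof p === "string" && (p.includes("://") || p === "<all_urls>"));
  // Content scripts are injected into every page their "matches" patterns cover.
  const contentMatches = list(manifest.content_scripts).flatMap((cs) => list(cs.matches));

  const sensitive = NAMED_SENSITIVE.filter((p) => declared.includes(p));
  const runsOnAllPages = [...hosts, ...contentMatches].some((p) => ALL_PAGES.has(p));
  // Assumption: "inject code" means the scripting permission or any content script.
  const canInjectCode = declared.includes("scripting") || contentMatches.length > 0;
  // The article's stated criterion: inject code OR run on all pages.
  return { sensitive, runsOnAllPages, canInjectCode, highRisk: runsOnAllPages || canInjectCode };
}

// Constructed sample manifests (not taken from any real extension).
const SAMPLE_BROAD = {
  manifest_version: 3,
  permissions: ["scripting", "webRequest", "storage"],
  host_permissions: ["<all_urls>"],
};
const SAMPLE_NARROW = {
  manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://example.com/*"],
};
const SAMPLE_V2 = {
  manifest_version: 2,
  permissions: ["activeTab", "*://*/*"],
};

for (const m of [SAMPLE_BROAD, SAMPLE_NARROW, SAMPLE_V2]) {
  console.log(JSON.stringify(auditManifest(m)));
}
```

Reading a real extension's unpacked manifest.json with `JSON.parse` and passing the result to `auditManifest` gives the same report before the extension is installed or approved for a managed browser fleet.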
“There’s probably an AI extension for almost any use-case you could think of. While this is very exciting, it could also be risky if users don’t stop to consider whether the extensions they add to their browser may be logging their every keystroke, or injecting code into the sites they visit,” said Darius Belejevas, head of Incogni.
“Unfortunately, we have more reason than ever to be cautious — from hackers looking to exploit systems to scammers targeting just about everyone. It’s essential consumers carefully weigh the benefits against the potential risks of AI-powered extensions and choose more privacy-friendly options.”
A report by National Australia Bank in October last year said that two-thirds of Australians surveyed had experienced a cyber-attack or data breach over the past 12 months.
Among the respondents, 62% stated they were ‘concerned’ or ‘very concerned’ about their personal cyber security, and a further 31% said that they were at least ‘slightly concerned’.
While 85% of Australians claimed to be ‘quite familiar’ or ‘very familiar’ with basic cyber security practices, only 16% reported consistently following these practices.