Web of Trust (WOT) privacy scandal

I’m a bit surprised there is nearly no coverage of this in English-language news, especially on tech sites, considering the scale and the number of WOT users, who aren’t limited to the German market.

Researchers at the German broadcaster NDR (Norddeutscher Rundfunk, or Northern German Broadcasting) found that the WOT browser add-on was (and, as things stand now, still is) gathering user data beyond what was promised. The collection goes beyond visited websites: they are gathering the entire user history from the browser, usernames, e-mails and more, and selling it to third parties. And they are doing this in such a sloppy way that external researchers were able to identify individuals by accessing open resources from WOT, without even illegally accessing (hacking) their servers. You can apparently do it without any of that!

What’s even worse, after the researchers asked the developers of WOT about these things, all they got back was… silence, pretty much. Just a very vague reply that you can read here. When someone veils themselves in silence instead of being open about an issue, that’s a sign that something is going on. And nothing good will come from that.

I liked WOT a lot, because it was a good resource for identifying unknown websites and seeing what experience others had with them. I’m not aware of any other service that has such a level of user involvement in rating and commenting on webpages. But as things stand now, I recommend that users at least block all public views of their ratings in their WOT profile. What they’ve transferred to third parties has already been done, but I think blocking will prevent cross-linking of users to the data. Also make sure to delete all cookies in the browser under the name “mywot” and, quite frankly, deleting your WOT profile at this point wouldn’t be a bad idea either, considering all the weird things going on around this service.

I now prefer the avast! rating add-on (avast! Online Security), which comes with avast! Antivirus, which I already use. Chrome users can install it separately via the Chrome Store, even without avast! Antivirus. There is no commenting, but it has extra features like tracking blocking, and avast! as a company is very open about their product. When there were privacy concerns about it, they instantly provided answers to any questions from users. They also explained in detail how their rating and resource sharing system works, and you can even opt out of sharing properly anonymized data with third parties.

More links, mostly in German, with greater detail. Use Google Translate to read them.

In-depth information from the researcher who uncovered all this:

https://www.kuketz-blog.de/wot-addon-wie-ein-browser-addon-seine-nutzer-ausspaeht/

Think whatever you want, but something fishy is going on and I’m not going to stand around as the smell spreads. Until the developers come clean, this thing should not be on any computer.

I’ll keep you posted on how things develop in the following days or weeks…

4 thoughts on “Web of Trust (WOT) privacy scandal”

  1. After a few days of it still missing from the English media, I emailed the info to the “Office of Inadequate Security”. Once he collected a bit more English info it was posted.
    https://www.databreaches.net/web-of-trust-wot-add-on-taken-down-by-chrome-firefox/

    I covered it on my live radio show last Friday night, and at that point ghacks may still have been the only English coverage.
    The BBC finally posted about it on Tuesday, but I doubt it will be a TV item.
    http://www.bbc.co.uk/news/technology-37909126

    Contrary to the reported news, WOT took down the other extensions after Mozilla removed it
    https://www.mywot.com/en/forum/70818-to-the-wot-community

    For now all we can do is wait until they rebuild the data cleaning process.


  2. This news was a real shock for me. I trusted them and even recommended the addon to others, and now this. I would probably not install the addon again even if they fix these flaws, and am seriously considering deleting the account. The switch to closed source development in 2015 should be a warning sign, but since I didn’t follow their GitHub repo this change just went past me.


    1. At this point, I don’t think you can really go wrong by deleting the account. I have, with a heavy heart knowing how much time I’ve invested writing warnings or positive descriptions for webpages that had no prior description, but I had great experiences with them as well as marking trusted webpages as such. It’s really a shame because the service was really helpful to me and other users. And they fuck it all up with such lame handling of user data.
