New Chrome extension spots unencrypted tracking

29.01.2015
A new Chrome extension highlights tools embedded in websites that could pose privacy risks by sending data unencrypted over the Internet.

It's hard to find a major website that doesn't use a variety of third-party tracking tools for online advertising, social media and analytics. But if the trackers send data unencrypted, it is possible for those who have network-level access -- such as an ISP or government -- to spy on the data and use it for their own tracking.

It's partly the fault of websites that have not yet enabled HTTPS, which encrypts data sent between a computer and server, as well as companies that have not enabled it in their tracking tools.

Documents leaked by former U.S. National Security Agency contractor Edward Snowden showed the spy agency was using cookies in order to target users, according to a December 2013 report in the Washington Post. Cookies are small data files created by online trackers that are stored within a person's Web browser, recording information such as a person's browsing history.

The Chrome extension, called TrackerSSL, alerts users when a website is using insecure trackers and gives them an option of tweeting a message to the website letting it know of the issue. TrackerSSL was created by Open Effect, a digital privacy watchdog, and Citizen Lab, a technology-focused think tank at the University of Toronto.

"As demand for secure technology grows, most websites will not be able to protect their readers unless they stop using insecure ad trackers," wrote Andrew Hilts, executive director of Open Effect and a research fellow with Citizen Lab.

TrackerSSL shows a list of trackers embedded into a website. Websites that don't use HTTPS show more warnings, as some trackers would be more secure if it was used.

Other trackers simply don't ever encrypt data transmissions, which puts users at risk that data could be intercepted and misused.

"For content-driven websites such as online newspapers, such snooping can take the form of what's known as 'pattern of life analysis'," Hilts wrote. "Analysts may compile the web browsing history of a target and build the profile of a target by inferring from the target's lifestyle, demographics, political views and more."

For the best security, both the website and the individual trackers should use HTTPS. It's a tall order, especially for sites that use many trackers, and HTTPS can be tricky to set up sometimes. Hilts wrote that "if just one out of a dozen third-parties on a website do not use HTTPS, then a gaping security hole is left open."

Send news tips and comments to jeremy_kirk@idg.com. Follow me on Twitter: @jeremy_kirk

Jeremy Kirk