-Here's an awkward call
to make to a colleague.
Hey, Nick.
-Hey, Geoff.
-So, I've got some bad news.
Everything you've been clicking
on in your Web browser
is for sale
on the open Internet,
and I just bought it.
-How could something
like that have happened?
-Um, it's actually pretty easy.
-Okay, now, that's scary.
-How did this happen to Nick?
Through a browser extension.
They're little applications
you install in Chrome, Firefox,
or Opera to make
browsing the Web better.
But it turns out a distressing
number of extensions
are covertly in the business
of spying on you
and selling the data.
Even more disturbing,
what happened to Nick
has also been happening to
at least 4 million other people.
Personal information
and corporate secrets
leaking right
onto the Internet.
And we can't count
on our browsers to stop it.
I had no idea how bad
the problem was
until I heard from this guy --
Sam Jadali.
He's an independent researcher
who's been studying the secret
lives of Web browsers.
A few months ago, Sam discovered
some of his clients' data
was available for sale on a
website called Nacho Analytics.
Anyone who paid the site
at least $49 per month
could get reports on websites,
including exactly what people
were clicking in near-real time.
I had to see it to believe it.
What are we about to see now?
-So, I'm about to show you data
that we can find on
Microsoft OneDrive.
-Microsoft OneDrive --
that's like Dropbox
or local drives
where people store
all kinds of files
for work, for home.
What kinds of files
have you found in there?
-So, you can actually
search by page title.
So you could just run a simple
search query for the word "tax."
And you can, potentially,
find people's tax returns.
And within that, you can see,
I'm sure, if you open it,
I'm sure, all sorts of sensitive
financial information,
personal information,
bank-account information.
-Then Sam showed me
the links to medical records,
exposing the names of patients,
doctors,
and even medications,
which we blurred out here.
We saw people checking in
to flights,
exposing their names and IDs.
We saw people booking Ubers,
leaking their exact pickup
and drop-off locations.
We did not click
on any of these links.
Instead, we ran a test.
I installed a leaky extension,
then looked at a document
in my browser.
Sam was able to find
and open it from Nacho
in as little as an hour.
Then I asked Sam
if he could find data
from "The Washington Post."
That's how we discovered
Nick clicking around
in "The Post's"
internal website.
We watched him logging in and
checking out the summer interns.
Over months, he'd likely
leaked much, much more.
It's shocking to be able
to trace data from the moment
it gets grabbed
to the place it gets sold.
Nacho Analytics
isn't on the Dark Web.
It isn't technically
stolen data.
Nacho bills itself as a
marketing intelligence service,
helping businesses know
what competitors are up to.
Nacho also claims
it's 100% legal.
Here's how one of its employees
described Nacho
in a Web video
a few months ago.
-We are gathering data
from millions of opt-in users --
individuals from around
the world
that agreed to share
their browsing data anonymously.
Nacho Analytics
scrubs this data,
so all personal information
is deleted.
-Is that really the case?
With Nick, his data leaked from
an extension called Hover Zoom.
Its stated purpose is
to enlarge photos on websites.
Hover Zoom's privacy policy
does say it can read
your browsing history.
By clicking "Agree,"
you're allowing it to view
every page you click.
But the messages you see
while installing Hover Zoom
hardly suggest
they're in the data business.
The extension's maker
didn't answer my e-mails.
After Sam disclosed
his findings, Google, Mozilla,
and Opera banned at least
six of the leaky extensions
he had identified,
including Hover Zoom.
If you had one of them
installed, it no longer works.
Since the shutoff, Nacho
Analytics has told customers
that it suffered
a permanent data outage
and could no longer serve them.
Nacho Analytics' CEO told me
Sam had misused his site
by looking up
personal information
and that Nacho's data came
from people who were informed,
even if they hadn't read every
detail in the privacy policies.
Those six extensions had
about four million users
before they were shut down.
But just because they're gone
doesn't mean your personal data
isn't at risk.
A recent academic study found
3,800 leaky extensions
in the Google Chrome
Web Store.
And the 10 most popular
have more than 60 million users.
Who are you angry at about this?
-You.
No, I'm just kidding.
-[laughs]
I'm just the messenger!
-Yeah, I can't be mad
at the messenger.
Well, I'm angry at Google,
maybe, for being permissive
of certain things like this
and to promote a marketplace
and a culture
that allows this to happen.
-I think that's right.
-If I've fallen for using
this extension,
I know hundreds of thousands of
other people, easily, have also.
