The Stylish app, once the browser extension darling of web users looking to hide distractions and gussy up webpages, has been turned into what a software engineer calls a “covert surveillance tool,” prompting Google and Mozilla to remove it from their add-on stores.
These moves were made because for nearly 18 months Stylish collected information about users’ web-browsing histories.
Stylish went “from visual Valhalla to privacy Chernobyl” after the original owner and creator sold it in August 2016 then the extension changed hands again in January 2017, engineer Robert Heaton wrote in a blog post.
“Unfortunately, since January 2017, Stylish has been augmented with bonus spyware that records every single website that I and its 2 million other users visit,” Heaton wrote. “Stylish sends our complete browsing activity back to its servers, together with a unique identifier.”
From there, the extension’s new owner, SimilarWeb, can “connect all of an individual’s actions into a single profile,” said Heaton.
“For users like me who have created a Stylish account on userstyles.org, this unique identifier can easily be linked to a login cookie,” he wrote. “This means that not only does SimilarWeb own a copy of our complete browsing histories, they also own enough other data to theoretically tie these histories to email addresses and real-world identities.”
The decision to remove the Stylish extension from the Google and Mozilla add-on stores “will no doubt have far-reaching impact,” said The Media Trust CEO Chris Olson. “It sends out a clear message that they want to be good digital citizens and to set better standards for how companies deal with consumers’ personal data.”
Olson urged organizations to heed “growing consumer wariness with breaches and data leakage and stay compliant with a growing number of consumer privacy laws like the EU’s GDPR, Canada’s PIPEDA, California’s recently passed bill, which restrict what data companies can collect, what they can do with the data, and whom they can share it with.”
Since many leaks find their roots in third-party organizations “that either have weak security measures or are knowingly engaging in unauthorized activities,” companies must get a better fix on the activities of third parties and “ensure they align with policies, and terminate them when they don’t,” said Olson.