ChatGPT for Google was #1 on HN earlier this year. Check out the GitHub repo now: that person sold the extension.
I had a small side project extension, ~25,000 installs & free to use. I got enough inbound interest trying to "help me monetize" that I thought it would be worth cataloguing all the different unsavory avenues: https://mattfrisbie.substack.com/p/the-ugly-business-of-mone...
The most galling offer we saw on the mobile app side was something that would turn on the user's microphone, and listen for ads on tvs around them to track what they'd been exposed to offline. Adtech is such a thoroughly gross field.
When I worked at Meta, the execs said that many users think they're being spied on when they see ads based on a conversation they've had in real life, but the execs categorically denied that this could be happening, and said it's all just a coincidence. I thought this was a completely unfounded denial, since Meta had no way of auditing 3rd party apps on the user's phone, and it's perfectly plausible for another app to spy on their conversations and then use that to provide targeted ads to the Facebook account associated with the individual's email.
You had the conversation with someone and that someone googled/shopped/amaozned/clicked it. Or did before already, you don’t initiate every conversation in your life after all.
Now go and try getting a denial that they are not using the fact that you share a wifi with someone as parts of the recipe for the recommendation cake.
The arrow of causality can also go the other way. X corp is currently running a campaign targeting your area/demographic. A friend of yours sees and X ad and mentions something X-related to you in a private conversation. The next day, you see an X ad too.
Realistically, in a simple statistical way, plain "coincidences" have a significant "expected value". I.e., if you simply take the billions of people across the planet, and look even across a single day, lots of coincidences occur.
Now, add in psychological effects - "synchronicity", "frequency illusion" ("Baader-Meinhof"), "recency illusion", confirmation bias, etc... I'd expect a fair bit of compounding*.
Then, add in simple use of statistics, statistical inference, etc. and basic tracking of user navigation around the web, on a given website, etc.
I've had these experiences, perhaps one or two times a year, on average. Experiences where I was VERY surprised by ads presented. Experiences that would easily suggest a microphone must have been on when it shouldn't have been. Sometimes, I realized I'd used someone else's device in a way that could be tied to me. Other times, while some "leaps" would be involved, I could basically deduce myself that someone who had looked for information on some "X", and information on some "Y", might really be thinking about some "Z" that isn't easily arrived at from either X or Y in vacuo.
Spying, in the sense you suggest, can't be ruled out by the above. But, I would ask - why even spy? Is a company like "meta" really going to get much more useful (from their perspective) info by doing so? Particularly given the COST? It's becoming more realistic, arguably, but, really, these companies have had more than enough info on just about anyone for well over a decade to keep their algorithms and such well-occupied.
People gladly hand over tons of data constantly ... with full awareness and intentionality, and otherwise. The vast majority have no idea what statistical inference and other techniques can suggest based on seemingly obliquely connected info. Further, most users are so accustomed to "cookies" and other hidden types of tracking, and ignoring EULAs** ... really, it's hard for me to imagine a good case for doing anything more ... "invasive" and ... legally / otherwise dubious.
Edit: mostly came back to add one of my favorite (ab)uses of (statistical) inference:
* Outweighing significantly, I'd suggest, other quirks of human perception, memory, etc. that may diminish awareness and recognition of potentially related events. I write "suggest" mainly because I don't have ready refs to offer this second and don't have time to dig a couple up ... IIRC, the research that exists strongly favors compounding, though, of course, this could be argued to be influenced itself by human psychology (including social and economic factors, e.g., "publish or perish" etc.).
** Jargon buried in legalese, what a genius way to get just about anyone to agree to just about anything! If only John, King of England (in 1215), had been more skilled in the ways of the EULA - perhaps "King Charles III" would be emperor of the world now. Oh utopia denied ... kek.
While that is a positive take that could explain it, I am not convinced by that number crunch. 2/situations per year, per person, that is still "a lot" to be considered plausible statistical coincidence.
Yup. The typical use case is e.g. if someone logs in to your e-commerce site with their email and looks at a product but doesn’t purchase, then you can show them an ad for that product to try to remind them to go back and buy it.
It’s a really creepy feature though that can easily be abused.
You can (e.g. by email address), which is why it's impossible for Facebook to guarantee that ads weren't targeted based on listening in on conversations. It has no ability to determine how an advertising purchaser generated / obtained the data it is using to for ads targeting.
But every time this comes up the threads are flooded with people saying it doesn't actually happen and the ad companies just work out what you're interested in by what you're browsing.
> the ad companies just work out what you're interested in
The word "just" doesn't belong in that sentence. The ad companies being able to know things about you without actually listening to you is even more scary.
Evil-Ad-Company Neo: "You're telling me I can know things about my customers by secretly listening to them?"
Evil-Ad-Company Morpheus: "No Neo, I'm telling you that with the right license agreements, data sharing partnerships, and algorithms, you wont need to secretly listen to them."
They're saying it's scarier that ad companies can figure out these things without the data because it means that you can't protect yourself by withholding your data.
You're protecting yourself from targeted psychological manipulation. It's like the difference between someone spraying a cyber-attack over the entire IPv4 space, or spending a while trying to drill into a specific server. The latter is much scarier and harder to resist, but it's basically what targeted advertising is these days. They supposedly want just to help you find what you want to buy, but they do this by trying to make you want things you wouldn't actually need otherwise.
I like to think I'm immune (the only ad I've ever taken up was years ago for Privacy(.com), and only because I then knew about it later, and could choose to pursue it on my own), but I wouldn't be surprised if at some point before I started being allergic to every type of advertisement imaginable, some ads managed to get my attention for one reason or another. (maybe subliminal messaging's done something before, I dunno.)
I'm not too concerned about it since I know it's been kept to a minimum, so at this point basically everything I've done is something I actually wanted to do, there are no concerns about having been manipulated. But that's just because I've managed to avoid seeing targeted ads almost whatsoever.
Depends on the method of manipulation but yeah that is the scary part. It's probably part of what scares people into being so privacy conscious in the first place. Though for me it's more that I get really, really annoyed getting told to do things, because it triggers pathological demand avoidance. But that's just manipulating me in reverse (it's really easy to make me hate/avoid something just by annoying me with it)
That's the metric I usually use. It's absolutely inconclusive, but it works for peace of mind at least. Have I seen any ads for something I bought? Usually the answer is "no". I'm still at the mercy of sort order on sites like Amazon and eBay, but that's much less scary because if I really care, I can sort by lowest price first.
By my own moral compass. If a company says "lots of people on Amazon are looking to buy what we have, let's make sure we're present in that market", that's completely moral. Compare that with, "a child is preparing for their math test tomorrow by watching a video, let's interrupt them and make them watch a commercial about our sugary, addictive, and unhealthy drink".
The house I live in was advertised when it was on sale, all the food at the store gets advertised, all the non-bespoke clothes I can buy get advertised, as do most of the bespoke ones, every car gets advertised...
Generally yes. Especially the grocery store is constantly advertising hundreds of items, and I've looked at their ad pages more than once. And it's pretty hard to find houses outside of advertising platforms, and I used to watch enough TV that I'd seen ads for every clothing store and every car before I had a chance to find them on my own.
Among other things, I would say the unknown collation of personal history, interests and spending activity that is often auctioned off to the highest bidder.[1][2] In an even more automated society than today, social scoring becomes the norm, and with it access to services.
With prolific cases as Robodebt and the Toeslagen Affaire, we can only hope these automated scoring systems remain isolated from governmental overreach.[3][4]
Firstly there is the emotional response: I don't want to be followed around in everything that I do for someone else's benefit, and I not at all convinced of arguments that targetted advertising is done for my benefit.
Then there is the fact that a large amount of data about me is being stored, possibly insecurely for people with even less scruples to analyse. I have very little to hide (white, middle class, straight, male, cis, no criminal activity beyond some unlicensed TV/film access, etc – there is little or nothing about me that would be frightening for anyone else to know) but there are many out there who do have things that could be (unfairly) held against them with terrible consequences. Consider women in Texas where there is effectively a reward/bounty program to encourage snitching on those who have had, or are considering, an abortion, or people in law enforcement who don't want certain groups to be able to derive their home address with any accuracy, people in one or more closets through fear of being ostracised from their family/community and left pennyless & without support, and so forth. I grew up with friends who were gay when it was still effectively illegal to be, despite what the Sexual Offences Act (1967) said, and when getting beaten up for being gay was almost acceptable (“act more straight, and it wouldn't have happened”: something a friend was once told by a policeman that saw no cause for arrest) – the fear of consequences from collected information “getting out” and/or being used to derive other information (true or otherwise) is real and for many people not at all irrational.
Back to my icky feelings, which are perhaps a little bit less rational: I wouldn't be happy with someone following me between shops, watching what I'm perusing, then to the pub and noting who I was there with, then back to my home, in order to be able to serve me relevant ads (perhaps for shoes that would be more comfortable for that much walking? or for condoms because they noticed I was accompanied by a female friend, and you never know, right, nudge nudge wink wink), and I'm not happy about the same happening in a more virtual environment. How do I trust that is really (or only) why I'm being followed? And I how do I know who else my stalker is selling news of my activity to?
[actually, the “I have little or nothing to fear” isn't entirely right – any of us could suffer from plain old identity theft in various ways]
Deanonymizing people across datasets for one. Maybe attacker or maybe next gov that goes full Hitler and subpenas tech companies to introduce social karma and you are put on a no-fly list because you expressed interest in UK royalty or have a cousin in Iran. Invisible bubble and radicalization for another.
I understood this to mean the amount of information they have is enough to uniquely fingerprint you and associate that with your derived wants and needs.
I am pretty convinced that modern advertising - from the most inane and innocent to tracking users 24/7 pretty clearly falls under evil. Gone are the days of advertising trying to raise product awareness and convert purchases - that field now exists to create demand. It induces desires in the recipients that play on psychological factors like FOMO to create customers out of thin air - and that process causes we the consumer to pay a constant attention tax and suffer higher levels of stress in our daily lives.
You do realize all forms of media embed advertising directly into the content going right back to the beginning, right? There's nothing modern about it. Showing you a product when you actually want to see it is the most effective way to induce demand. All your favorite shows, movies, youtube personalities, etc. still do this.
This isn't true. Originally advertising was designed around the premise of explicitly highlighting utility and functionality of goods/content. It wasn't until Bernays came along and adapted his uncle Sigmund Freud's theories into practice by designing advertising to manipulate people into believing that they actually need the product.
Modern advertising is not just "showing a product to induce demand". Car adverts don't just highlight functionality, they use mass market analytics to play emotionally driven messaging and visuals so that you associate that feeling with the car ad.
Do you know what Bernays called what services he offered before the word got tarnished?
If you think that the product that the lead actor in the series your marathoning through on your streaming provider isn't there on purpose, then you've just not been paying attention. There's a reason shows blur out logos on people's clothing or the crew covers them up with grip tape, or set dressers turn the cans/bottles/boxes of products around so the main logos are not visible. Even having copyrighted posters on the wall in frame can cause licensing issues.
Advertising, by its very nature, is emotional manipulation with the goal of getting you to give up some of your money for something you most likely don't really need and won't improve your life all that much, if at all. To me, that's evil.
Sure, there are varying degrees of this evil, but IMO even the least-objectionable advertising out there still can't be called "good".
In my experience, the case where advertising gets you to buy something that ends up being materially useful, that you would not have bought (or found a substitute for) without that advertising, is the exception, not the rule.
Oh, and to address your specific example: if you search "best diapers", and get shown ads for diapers, that absolutely is evil, because some ad-presentation algorithm is pushing you toward whatever diapers will generate the most money for the ad network, likely not toward which diapers are best. Not to mention that "best" often means different things to different people, and the ad networks only care about that insofar it increases their profit.
> Advertising, by its very nature, is emotional manipulation with the goal of getting you to give up some of your money for something you most likely don't really need and won't improve your life all that much
I've heard somewhere that ads are rich people screaming "give me money".
> If you really want to be a critical reader, it turns out you have to step back one step further, and ask not just whether the author is telling the truth, but why he's writing about this subject at all.
Followed quickly by being hopelessly naïve about the future:
> Whatever its flaws, the writing you find online is authentic. It's not mystery meat cooked up out of scraps of pitch letters and press releases, and pressed into molds of zippy journalese. It's people writing what they think.
>you most likely don't really need and won't improve your life all that much, if at all
People are spending money because they see that they are getting value from something. If people didn't want it or thought it was worthless they would not buy it.
>If people didn't want it or thought it was worseless [sic] they would not buy it.
Thinking something is "worthless" and not wanting something are opinions. A lot of modern advertising attempts to change peoples' opinions, so that they do want something, and think something has worth. It's just like propaganda, which actively attempts to sway peoples' opinions.
Of course, there's only so far you can take this. Convincing anyone who isn't seriously mentally impaired that a sandwich made with literal shit isn't worthless is probably not going to work. But away from the extreme end, there's a lot of room to manipulate people.
Sure, if you take the most benign examples, it doesn't sound so bad. But it's so much worse than that. Going back to 2012 for "acting on data analysis gone wrong"
Target Sends Coupons to Pregnant Girl and Unawares Dad Explodes
> Pole had identified about 25 products that, when analyzed together, allowed him to assign each shopper a "pregnancy prediction" score. More important, he could also estimate her due date to within a small window, so Target could send coupons timed to very specific stages of her pregnancy.
And things just get worse from there, as companies figure out more and more ways they can extract information from the information they have about you, and share it with each other.
No no no. First we start with trusted brands you know and love. We use the trust you have in them to slowly build a market around them. With our ad strategy, you’ll start seeing our product as related to Trusted Brand A. You will start seeing comments and reviews for our Brand in the same browsing contexts more and more until our Brand is now correlated enough to Trusted Brand A to remove purchase inhibitions.
After that, we just wait. We know we have you. It’s just a matter of time till you need a product like ours (you’re already our target demo), or an impulse buy occurs.
Without evening knowing it. You’ve been manipulated into trusting our brand, and you’ll think it was all an organic choice.
Two different things. The popular conspiracy theory is that the phone listens to and presumably transcribes your conversations, sending them to a third party. The example the OP gave is specifically listening for TV content: they’ll have hashes of known ads/shows/whatever to compare against rather than do something like live transcription.
Don’t get me wrong it’s shitty and gross. But they are different things.
Both iOS and Android show when your microphone is active so the whole conspiracy theory about it always listening to you and sending it back is pretty bullshit. And no one has yet found evidence of such network traffic either.
True, but the theory is far older than the indicators. So maybe Facebook stopped being sneaky once those controls came in? Not saying I believe them, but there's still room for doubt there.
Facebook doesn't have to be the one doing it - a 3rd party that controls an app on users' phones could be selling transcribed data to companies that want to run individually tailored ads on Facebook.
except it's always listening for you to say "siri" or "google assisstent". Some androids also show what music is playing nearby. You can thankfully opt-out but the ability to is still there.
Actually there are no servers involved; it uses an on-device database:
> When music plays nearby, your phone compares a few seconds of music to its on-device library to try to recognize the song. This processing happens on your phone and is private to you.
This seems very similar in principle to the perceptual neural hash that Apple created and uses to check every file on any Apple device. I recall that some people had an issue with that, because there is no guarantee what hashes will be added to the database, and no real way to know what file they will map. So, the hash could be anything, and could send anything, which is entirely up to the whins of whatever company or entity that deploys such a product.
Effectively, this just means that you can in fact check nearly anything happening on an input, if it maps to some perceptual hash that is similar enough to one the server has in its db.
At least on iOS, not without hacking the operating system. Siri’s ability to listen for a wakeword without an microphone indicator requires privileges that normal apps don’t get. On Android, as far as I can tell, the same is true, except that some phones ship with preinstalled third-party apps which can then get extra privileges.
...They don't even need to hash content. Advertisers can just add ultrasound beacons to the audio track.
Imperceptible to human hearing, but readily picked up by a listening mic. In fact, there are static analysis tools for picking out apps that access such API's in FDroid, along with taking measures to feed said apps dummy data. At least for Android anyway.
8 major versions, that is surely less than 5% of the Android population. I'm sure the security flaws in those non-updated phones is far more serious than the lack of microphone indicator.
According to https://source.android.com/docs/core/permissions/privacy-ind..., the microphone indicator is only in there since Android 12. Android 12 and 13 cover only 50% of Android phones, according to https://gs.statcounter.com/os-version-market-share/android/m.... There were some "access to the microphone is restricted for background apps" changes earlier, reported for Android 9. But I wouldn't rely on them, and even if those restriction always worked, that still made ~10% of Android phones vulnerable.
It seems highly inefficient to listen to users 24/7 given the other more specific signals that are available. Rather have a transaction data point around everything someone has purchased then what they talk about.
Agreed. Android 4 was peak Android. Most of my favorite Android games are from that era and very few of them run anymore. I wish Google either make a sandboxed emulation layer for those old abandoned games.
Wait... what? As someone who's always tried to target the oldest Android version I can which Google Play will still allow uploading (for a long time, Android 2.3), this is alarming. Why don't they run now? I don't actually play games on Android myself.
No idea of what API they're hitting but basically half of my old humble library won't run anymore - they show a warning about old APIs, show the title screen, then crash to desktop.
Even some old games I paid for are gone from the Play Store too. Like, I paid for Puffle Launch and it's just plain gone from my library.
Edit: ahah, I was looking in the wrong spot! Its still in my "not installed" list, just not in my "family library". Either way, not compatible with any device I own.
08-10 14:55:03.864 25995 25995 E linker : ERROR: OOPS: 0 cannot map library 'libmono.so'. no vspace available.
08-10 14:55:03.864 25995 25995 D AndroidRuntime: Shutting down VM
...
08-10 14:55:03.865 25995 25995 E AndroidRuntime: FATAL EXCEPTION: main
08-10 14:55:03.865 25995 25995 E AndroidRuntime: Process: com.disney.PuffleLaunch, PID: 25995
08-10 14:55:03.865 25995 25995 E AndroidRuntime: java.lang.UnsatisfiedLinkError: Bad JNI version returned from JNI_OnLoad in "/data/app/com.disney.PuffleLaunch-rjdXjIyhGz7STdfxQ9xH2g==/lib/arm/libmono.so": 0
I'm always on the lookout for old interesting games, and maybe there are workarounds for the other titles in your library too. What's the list?
I tried looking up that "no vspace available" error (which is the real error message) and found no explanation. I wonder whether it's something like trying to map a .so segment as memory that's both executable and writeable but it's no longer allowed? And IIRC Android's runtime linker was rewritten sometime around Android ~4 because the original was not very well written, so that might be the cause of the incompatibility. Come to think of it, the large parts of libc that were also completely replaced (mostly with code from OpenBSD and FreeBSD IIRC) because they were terribly buggy will probably cause compatibility issues too.
Puffle Launch wasn't an Angry Birds clone, it was the barrel scenes from Donkey Kong Country expanded into a full game.
One problem is that some games aren't just incompatible, but also were enshittified with ads and nonsense after I paid for them (before they were killed altogether).
Offhand, the ones I remember: a paid version of Angry Birds Space, Amazing Alex (Rovio's excellent take on The Incredible Machine), Swords and Soldiers (fortunately there's a Steam version of that), Noodlecake's "Wave Wave", Pool Break Pro, and some classic ports like Dead Space, Spy vs Spy, and Ur-Quan Master, but there are better non-mobile ways to play those games.
Nielsen has sent me about $30 so far begging me to wear a microphone that records me all day. They repeatedly call and have started fedexing me letters instead of USPS.
Fly-by-night ad networks might engage in this. Ad networks that are in the sights of regulators, and can be slapped with $X billion fines, that may well exceed the marginal revenue produced by improved tracking[1] are going to be a bit antsier around doing that sort of thing.
[1] How much more money will a $100B ad business make if they improved tracking accuracy by %1? It's some positive number, but significantly less than $1B.
Probably not direct legal risk[1] if they weren't the ones collecting the data, but integrating with all that shit has the incredible risk that your counterparty might just go up in smoke next week, while leaving you with a busted product, and all the reputational damage fallout.
It's picking up pennies in front of a steamroller. You'd have to be a truly desperate PM to consider it.
[1] Still all the legal risks of holding that data, but they are easier to mitigate.
So instead they buy that data from the fly-by-night operators and carry on as usual. That's the key problem here, this data only needs to be collected by one shady operator, "the market" will handle the rest.
That was an official feature of the Facebook app at one point. Like 10 years ago. It's absurd that anyone would deny this. It was right there as a feature! Default off I think. But it was definitely there.
I can’t speak for Android. But exactly how does a mobile app turn on your microphone on iOS without you giving it explicit permission?
I just did a virtual visit with a doctor that used a video conferencing service that work without an app on iOS and just used Safari. I had to give the page explicit permission to use my microphone
Adtech is psychological manipulation. Radicalisation uses the same techniques: Create the perception of a vacuum and then provide the solution to fill it.
One is actively censored and you can go to jail for, the other isn't even on the legislative agenda. There are semi-understandable reasons, but it's far from entirely non-hypocritical.
- Do you trust your constituency to make up their own minds or not?
- Who are you trying to protect?
- From what?
- From whom?
And this is without even mentioning online advertising as a (seemingly increasing) vector of scams, frauds, malware and viruses.
When I worked on audio firmware for the BlackBerry, one of the external devices I had to support was called a "security plug", which just shorted the headset mic and headphones to ground. It always seemed kind of silly to me because there was still the handset mic on the phone that could be activated separately.
> "The current movement to avoid tracking is an extremely powerful centralizing force."
What a biased, myopic comment. As if ad companies are a grassroots movement against centralisation. As if ad tech is not in the hands of the powerful few tech companies.
They have defended ads in 2021 as well. I wonder where they work. I mean, somebody must be writing the backend for all these ad companies.
Probably to target an ad for the same product/service at someone who was in the same room as a TV ad. About 10 years ago I worked for an ad targeting company and we got ~50% more click-through on a web ad just by showing it shortly after a TV ad aired in that location (just using the geoip timezone and hoping they might've been watching the right channel), if you could do that only for people who've actually been exposed to the TV ad there's the potential for huge uplift there.
so this really does happen then? Because I used to be convinced it wasn't a coincidence when I saw ads online for some niche uncommon topic I had recently talked out loud about.
This matches the audio signature of the TV ad - basically, it's like Shazam, but for TV ads.
It's currently not economically possible to listen to user's conversations, transcribe them to text, and serve ads based on that. It would cost orders of magnitude more in processing power than you could get from the extra sales.
Yeah, my understanding was that it was audio fingerprinting tv ads, not transcribing anything, but I wouldn’t be surprised if they were trying to vacuum up other stuff. That said, I think it should be feasible to do basic low-accuracy transcription on-device, especially with all the neural engine hardware making inference more efficient.
This would be immediately obvious in a cursory analysis of performance. On-device transcription is not only computationally infeasible, it would also require model capabilities far beyond what is currently SOTA.
Google had (and has afaik) significant challenges implementing multiple wake-word detection for precisely this reason.
Transcribing a couple of words accurately on-device without a major performance penalty (so that it can be running in the background always) is just _barely_ coming out now.
There's this weird narrative I see that "computers just aren't powerful enough" to do things I remember them already doing on Pentium 1 class machines in the 90s.
> It's currently not economically possible to listen to user's conversations, transcribe them to text, and serve ads based on that.
Anedoctally I belive Meta does something like that because I consistently get ads on Instagram about topics I talk with a friend on Whatsapp and sometimes that is done completely via audio messages. Though I might be wrong and leaked the topics in text messages among other possibilities.
I think it can be economically feasible. They can have a model optimized for their topics which can be orders of magnitude faster than general-purpose speech recognition. Low accuracy probably wouldn't be an issue as they are able to fine tune the user topics of interest via its interactions with the ads (e.g. click rate, time spent before scroll).
Man, being offered $11k for an extension would be hard to say no to... With that a down payment for a house is a much smaller problem. It's always a good idea to consider where the line is for ones own ethics.
In a sense, poverty encourages corruption / corruptability; it ties in with the saying that everyone's for sale at the right price.
I have a website, I'm sure it's worth money to someone. If someone were to offer me $1000? Piss off, i've paid more than that in hosting costs in the 15 odd years I've run it. 10K? Sounds compelling, I'll have to think about it. $1M? Fuck all of my online friends, I'm taking the money and cutting contact.
It would be shit and I'd probably regret it, but it's a lot of money. But this kind of corruption is everywhere, and worst of all, it's permeated in politics. But subtly, in the form of campaign contributions, lavish parties and vacations, connections (i.e. lavish positions in company boards during or after a tenure in politics), never in the form of wads of cash passing hands.
I am not at all surprised to see one of the emails you got matches exactly (other than the extension name) one from the linked post. Definitely a lot of this crap is heavily automated.
> I'm a fan of [extension name] and I really like how convenient and useful it is.
> Have you considered offering promotional spots to those interested in promoting their products on your extension? I'm interested in promoting my own extension on [extension name] and would love to discuss this possibility with you.
Interesting, I've received this same exact message recently as well. I've maintained an extension with a few hundred thousand users for the last few years and I've received way more messages like this in the last year than ever before. Can't say I'm that surprised though.
FWIW, and since a few of you probably use it… I own the JSON Formatter extension [0], which I created and open-sourced 12 years ago and have maintained [1] ever since, with 2 million users today. And I solemnly swear that I will never add any code that sends any data anywhere, nor let it fall into the hands of anyone else who would.
I’ve been emailed several tempting cash offers from shady people who presumably want to steal everyone’s data or worse. I sometimes wish I had never put my name on it so I could just take the money without harming my reputation, but I did, so I’m stuck with being honourable. On the plus side I will always be able to say that I never sold out.
I used to have an extension that promised to never be sold or even updated beyond the initial release, since it was a one-liner that can't possibly ever need to change. The Chrome Web Store took it down after 5+ years, presumably because I never published an update so the the now-mandatory fields were empty.
Curious to know if they gave valid reasons or just "you don't update this enough and it's coming down" a la Apple's terrible 'policy'.
I've got a few set-and-forget extensions I haven't uploaded a new package for in 5+ years but I have periodically had to log in (per email warning) and check a new box e.g. assert I'm not collecting user data or pledge compliance with a new privacy directive.
Description provided is insufficient to understand the functionality of the item.
I filled in all the new mandatory fields and had chatgpt rewrite the description about 10 times in increasingly simple language but it was rejected every time with the same reason. Since it only had like 20 installs I gave up trying to get it republished.
They usually don't require code updates but as the platform changes, they might have changing requirements or new policies that need to be acknowledged. I don't do extension development but I have a few apps and over the years I've had to rebuild them to target newer API versions, add data privacy policies, add child safety policies, etc., that weren't there when I first released the app. I haven't had to change any of the code though.
If cash offers scale linearly with the number of users, then yours would be pretty tempting indeed. Respect for not selling out! Would you like to start publishing these offers, like what I'm doing?
I thought one of the interesting requests was the DNS error one. I'm guessing they want to find commonly visited websites that no longer exist and buy the domain names to run ads or malware on? Any other reasons anyone can think of?
This seems so weird to me. You're clearly providing value to the world, and according to my moral view, should be entitled to capturing some of that value without resorting to something shady.
I'm the founder of Streak where we directly monetize our extension (as do others like Grammarly). Have you tried directly asking your users for $ given the effort you put in?
I use several Firefox extensions that periodically nag me for money. I appreciate it because otherwise I would forget to donate. But now that I have monthly donations set up for several of them, I wish there was a way to turn it off.
Most FOSS android apps asking for donations do that: Sometimes a button in the donation-nag "I already donated", but pretty much every time a setting "stop asking, I either already donated or won’t donate".
Why would money be the only value, that is a really sad view on life. The developer gets joy and gratitude, they can live a happy life. Why bring money into it. Money does not make happy.
> Why would money be the only value, that is a really sad view on life.
Good thing nobody said that.
> The developer gets joy and gratitude,
Your average free software doesn't get very much joy and gratitude back from users either.
> they can live a happy life. Why bring money into it. Money does not make happy.
If the implication was too subtle, the idea is that when you spend a lot of time making something valuable, it should go towards obtaining food and shelter and the other benefits of a living wage.
It connects them, it doesn't say they're the same.
Money is an important type of value, especially the context of labor.
And, let me phrase this very precisely: there isn't an obvious non-monetary value they're getting back that comes close to the effort they put in.
You mentioned joy and gratitude but again I'm not sure how much of that they get back in this situation, plus there is the flip side of lots of complaints.
Making 2 million people individually decide and record how much of their economic output a JSON formatting extension is entitled to is a non-negligible amount of mental effort and time, especially if we had to do it for all extensions and software we use.
I believe in capitalism. I am 100% in favour of making money by offering something people are willing to pay for.
Some extensions are monetizable by honestly asking users to pay for access. Mine just isn’t. It’s only as popular as it is because it’s free and open source and promises total privacy.
As someone who uses your extension daily, I truly appreciate your strong will. It seems every day strong ethics become harder to maintain in our field.
If an extension I used got sold out … would it ask me if the permissions are changing? Or would it straight up sneak them in. Id hope id at least see a popup notice that would raise a red flag
Chrome and Firefox tell you the permissions of the extension changed and ask you to confirm or deny in a dialog box that doesn’t go away until you choose one.
What size cash offers? Not that I want some of it, but then I do think there could be an industry re-scamming these people and want to know how much we're talking about.
Convincing offers to buy it for $10-40K. One offer said $250K but I doubt that one was serious, more likely just a straight up scam. I have often emailed them back feigning interest to see if I can get them to state what they plan to do with it, since I cannot see anything that could possibly be ethical, but they always just start talking mumbo jumbo about their innovative monetisation strategy.
Recently I’ve had a serious sounding offer to inject an ad, i.e. a one-off ad would open in a new tab when the extension updates, for $3K a pop, which I just ignored, then he emailed again saying $4K, then just yesterday he emailed again with a bunch of emoji and said what about $8K.
It’s tempting, but it would still be selling out my users, who may be ungrateful little brats but I could never do that to them, I value their approval too much.
Thank you very much for the very informative response. As with any offer I think it's crucial to know what's at stake. You're very admirable for turning down tens of thousands, but if it had been tens of millions I'd have been questioning your judgement, as morally odious as the buyer might be.
Many are weakly motivated by wealth and power. I work a modestly comfortable job, enjoy the company of friends and family who I love, and my sleep is excellent. Selling my integrity may buy the softest sheets, but my sleep will never be as good as it is now.
The dev for uBlock origin must have received million and maybe tens of millions dollar offers, yet they refuse so much as token donations.
You are doing some pretty decent market research here too. I think you said your app had ~2M users so that's 0.4c per user.
What is the ad for? If it is a US equivalent to Great Ormand Street Hospital or some other worthy thing, then why not! I suspect it isn't and you will be offered quite a lot more vapid dollars because your user demographic is ... nerdy and installs addons 8) That is worth a lot more than 0.4c per head.
It may be that the ad offers are not as unpleasant as we might make them out to be but you do need to live - up to you. However I suspect they are just as genuine as the crap that lands in my Inbox, sometimes.
Most of them are lovely really, I was just kidding. I don’t even mind the ungrateful ones these days. The store reviews are like 95% people expressing gratitude, and the rest are people having a very bad day with the pixels and I feel for them
Maintainer here. My extension is pretty much unmonetizable so any offer I receive would require some degree of a moral sacrifice. The least intrusive offer I've seen so far is to put a reciprocal link to somebody else's extension inside of mine, kind of like DarkReader is doing on their website. Even though it won't compromise any of my users data, the reason I'm not doing this is because it indirectly endorses that other extension and I don't control what they do with their users data.
You're doing a very admirable thing, and this helps dispel the little voiced but commonly held perception that "everybody sells out" when they get big.
Yet the very same author turned over the OG uBlock to a shady character, having to launch a competitor to take back the momentum. To this day there is still confusion among normies.
You'd still have to rely on the trust of the original maintainer, but they could set up something like a warrant canary[0], but for if they sold it or if they added tracking items.
warrant canary assumes the maintainer is under coercion. But if the maintainer is untrustworthy, their warrant canary also won't be trustworthy, since it's trivial for the "sale" and the new maintainers to continue the existing warrant canary as though nothing has happened.
Aren't these also useless even for their original reason as they can just be given a demand from the legal system to keep updating the canary as if nothing happened?
I don't think there's a solution for it after all. At the end of the day, you need to trust someone / something, unless you are the one who writes the whole code.
I do think that reproducible builds would make a lot of sense for open-source browser extensions. Google could say "if you want your extension to get a Trusted Build tag, put the source code on Github, and we'll run the build script for you to ensure that the code submitted for store review is built from the code from a specific Git commit." And from a security perspective this would be better than what we have, which is zero guarantee that an "open source" extension even matches its stated repository. I'd trust the integrity of Google's automated build systems more than an independent developer with nothing to lose and everything to gain by sneaking in a third-party script.
Alas, the presence of this kind of reproducible build system would bring needed clarity to the chaotic ad blocker market, and the lack of that clarity works in Google's favor as an advertising company, so sadly I doubt they'd do such a thing.
Yes, that's what I mean, at the end of the day, you have to trust somebody / something.
Here you have to trust both developer's code and Google's build system. Can you verify all of the developer's codes? And can you verify how privacy-trustworthy Google's build system is? At the other side, you have to trust developer's code and developer's build.
I didn't mean which one you "should trust more" at all in my comment above. Please read again. What I mean is the first sentence here.
There is a method. Designing plugin and system API in such a way that allows users a granular control over plugins or apps permissions and network activity.
But that doesn't solve the problem of a plugin developer selling out. Under the granular permission control, your existing, granted permissions _should_ be revoked, but there's no way you could know to revoke it.
Something like a plugin is a fairly well defined thing and ideally should not need a lot of permissions. E.g. an ad blocker has a simple flow: occasionally update filters from a number of specified endpoints and then match and block web pages’ request urls against downloaded lists. Between update it should have zero web traffic and filter updates are expected to be from known whitelisted sources and asymmetrical in size: very few bytes sends and a lot received. If all of a sudden after an update your plugin wants to send a bunch of data to a new URL you know immediately something is fishy. With respect to granularity, in this case the plugin might not even need to know the entire URL but just the host/domain name - this makes it less attractive to adtech.
I really appreciate the transparency from you. I don't use Chrome anymore, but back in the day I absolutely loved Hover Zoom+ and my wife is still loving it to this day. It's a great extension and having read your comment and the linked Github issue, I feel even better about it. Thanks for your hard work.
Hi, I used to love hoverzoom... was there a malware scare a while back or am I thinking of a similarly named plugin ? At the time I switched to imagus & adjusted to it. Either way, thanks for turning away the monetization attempts :)
I don't know what the solution to this is, but I know a few trusted/legitimate companies that sell their user data for around £20/year even after having monetized their users with actual money
I will never do this because violating privacy goes against the core of my beliefs, but there is a conflict I can't seem to work out. On the one hand, I KNOW that the vast majority of users prefer to sell their privacy than pay a single penny. They would gladly click on a "sell my data" over a "pay money" button any day of the week. I know this because I have interacted with enough users to know these things. Many users will suffer a fit when things are not free but won't lose any sleep over giving away their personal details. Again, I speak of the majority and in general terms
On the other hand, I want the internet to be a place where unscroupulous actors don't flourish. Most people don't expect to get things for free in the real world, why should the internet be any different? Why does everyone (myself included) always look for free stuff on the internet?
The worst bit of it all is that in the end, the only people interested in spending money online are data thieves and advertisers. Everyone else is giving their soul. Developers are somehow expected to work for free so that this entire edifice can stand
>They would gladly click on a "sell my data" over a "pay money" button any day of the week.
You don't know that because no one is given a clear choice like you present (and even saying "data" is opaque to joe average user). And this is what regulations like EU's and CA's should be enforcing. Imagine if the choice was: We have this data about you (a comprehensive list of all the fruits of our creepy stalking: a,b,c,d, etc...), if you let us violate your privacy in a myriad of ways, we will let you have this little trinket for free. Otherwise, it will cost you x. How many people would select privacy violation?
>Most people don't expect to get things for free in the real world, why should the internet be any different? Why does everyone (myself included) always look for free stuff on the internet?
Most of the internet is communication in some form or another. I get a lot of communication for free in the real world. My question is: why does everyone assume that the purpose of the internet is their platform to get rich selling trinkets to clueless natives? Maybe some things are better off run as a non-profit?
> this is what regulations like EU's and CA's should be enforcing. Imagine if the choice was: We have this data about you (a comprehensive list of all the fruits of our creepy stalking: a,b,c,d, etc...), if you let us violate your privacy in a myriad of ways, we will let you have this little trinket for free. Otherwise, it will cost you x. How many people would select privacy violation?
Unfortunately under the GDPR we are not going to find out how many people would choose this option. It isn't legal, in the EU, to refuse someone access if they say no to your data collection.
> It is legal[1] to require users to agree to data collection or pay a subscription. Some news sites have already begun to implement this scheme.
From your link, almost at the top: "The cookie wall is a mechanism where the user has only one option to access the website: accept the processing of the cookies. The cookie wall is prohibited.". So no, requiring users to agree to data collection, per your article, is prohibited.
You have to read the whole article though, not just stop at the first paragraph.
The article makes a distinction between cookie wall (accept or no access) and paywall[1] (accept or pay). The former is prohibited, the latter has been okay'd by several national DPAs.
> The Austrian, French and Danish DPAs have already indicated that the paywall system is a valid solution as long as the subscription to the site has a modest and fair cost so that it does not constrain the user’s free choice.
> The Spanish DPA indirectly shared its position implying that cookie walls can be used as long as the user has been clearly informed of the two available options for accessing the service: 1. accepting the use of cookies; or 2. another alternative, “not necessarily free of charge“, that doesn’t require giving consent to cookies.
[1] Not to be confused with the "hard" paywall (pay or no access) we see on some publications. They've just called it like that for lack of a better term.
That is a monetization service. A short internet search quickly reveals that data-or-paywall is a bad idea at best, and explicitly illegal per multiple nations. It only requires one user from one of those states to file a report.
Open source, audited extensions. I noticed this already exists in Firefox (https://mzl.la/3Acn4DU), I don't know of any auditors for Chrome extensions.
Have some trusted organization or group (like Google or Mozilla themselves) who run audits on extensions to "certify" they don't have any malware. Additionally, the extensions are all 100% open-source, so if the "trusted organization" is compromised (or just bad at their job), they'll get caught and people will stop using them.
This isn't foolproof. Adware can be hidden from even the auditor or the auditor can be compromised but nobody finds out. It's also expensive and time-consuming, especially for extensions with a lot of complex code, so many popular extensions which perfectly-fine are still not certified. Updates are delayed and discouraged because the diff always has to be audited as well. Lastly (and something which can easily be overlooked), the auditors can be biased towards approving some extensions (like those who pay them) while not approving others: extensions code won't be approved if their code is too hard to read or they are later in the review queue, but the line at which code is considered "too hard to read" and their position in the queue could easily be influenced by cash.
Nonetheless, web extensions are a good type of software to audit, compared to other software like apps. They're often much smaller and simpler, users need much less, and they operate in a very-trusted domain (all web browing, including in banks and other confidential sites. Compare this to apps on a sandboxed phone, or programs running in user mode on a computer, the damage is still there but it's much less)
And it works. At least to keep the worst off Apples App Store. Mostly. Googles play store is apparently much more linient. And contains lots of horrible apps.
But the costs, as you mention, are real too. So much, that many, including myself, simply forego Apple as target at first. Sure, it's the more popular platform and it has more people willing to pay. But the review hurdles aren't worth it in the beginning.
The Internet has no easy to use fully-anonymous cash equivalent. If you pay for something, you're giving away your identity information anyway. The value exchange is definitely lopsided, but if I have to share my identity AND pay to get X, I'm out money AND shared my identity info. If I share my identity info and get X for free, at least I'm not out the money.
Extensions are centrally distributed on platforms that could at least nominally handle payment. The problem is that $0.01 is infinitely more expensive than free.
In order for me to pay you, I at a minimum have to do some amount of mental gymnastics to convince myself that it's worth it for me to pay you. This has a perceived cost even if the money spent is trivial. This is why people who take money in small increments - i.e. mobile games, arcade operators, casinos, and so on[0] have you buy a large amount of some scrip that they control, and then make it so easy to spend it that you might accidentally do so.
Nobody is thinking "I'd buy this, but only if I can leave no record of ownership[1]", they're thinking, "is it actually worth buying". Identity and privacy isn't a thing that people actually account for when making purchases - mostly because it's never actually mentioned[2] in the terms of purchase. It's snuck in. So the choice is just "the free one" and "the $2 one", where the value of the $2 extension can never hope to overcome the mental transaction costs.
[0] Nintendo and Microsoft used to do this around the Wii and 360 eras. While on the Wii it was 1 point equals 1 penny/yen, Xbox did something nasty and made it 80 points equals 1 dollar.
[1] That would mean that setting up a new computer or browser profile loses you all your existing extensions that you paid for.
[2] I do not consider legal disclaimers to be adequate notice, and neither should you. Dropping a clause in a EULA is the equivalent of dropping rohypnol in your drink.
It also effectively has a minimum payment amount due to the credit card transaction fee structure.
And also unlike cash a service can keep billing you.
And, for better or worse, the risk is partially put on the business in the form of increased cost (or payment service denial) when a credit card transaction is considered too risky (charge backs).
Also there is a fair amount of friction to giving payment info than say pulling out your wallet or phone (but this is improving with “digital wallets”).
>They would gladly click on a "sell my data" over a "pay money" button any day of the week.
Even though many people assume it's this way, this choice hardly ever happens in practice. You allude to this yourself. In reality, the choices are usually between paying for something and they still sell your data, and getting it free and they really sell your data.
The majority of paid services have privacy policies, terms of service and user agreements that spell out how they sell data just as much. At best, you might expect that they are a bit more selective in who they sell to, since they're not as desperate for cash flow. However the impact to you is greater - they now have your credit card, address, full name, phone number (all vulnerable to hacks and leaks) and it's harder to lie about these things than with a free account. So the data they collect is more valuable, hence the temptation is higher as well.
Moreover, the paid services have consumer-hostile subscription systems rife with dark patterns. It's needlessly tedious to cancel a service if you decide you don't like it, and even free trials demand a credit card.
Transparency is very low about what is actually done with your money as well. Many services operate at a loss, and the customer charge is just a fig leaf while the real money comes from investors. Arguably, the paid model is a sham for some companies and their real exit is to collect data for a years and then get bought by some data aggregator. On the other end of the spectrum you have people fishing for suckers with ridiculously inflated prices.
For these reasons the choice of paying money is tainted by lack of trust, it is not just consumers being stingy and entitled. Lack of trust can quickly bog down any market.
I don't really blame the industry here, though. It's a bit like California in 1848 - you can hardly blame people for picking up the gold that's just lying around. The real problem is that we don't have the tools, infrastructure and regulatory frameworks that let users see and control how their data is used. If people really want to sell their data in lieu of payment, then let them. But currently, most users are not aware exactly what data gets collected and how much it is worth - they're not able to rationally decide that paying $5 for an app is better than being mined for $20 worth of your data.
I've never had much a problem with informed decision. What rubs me the wrong way is when these apps hide the data monetization, require it, or don't offer any way to use the service except to opt in. It particularly sucks for services I can't even opt to not participate in, e.g. my work just went live with "The Work Number" service from Equifax so my data is already there whether or not I make an account. Even worse, not making an account just leaves it open that someone else might try to create an account as part of gathering even more involuntarily shared information about me.
When it comes to what people chose to do with their own data though I don't feel a moral obligation to push my views though. If they truly want to opt in and save the $20 (or however much the data is worth in the app) then taking that choice away because I disagree with how they should treat their privacy information is hardly much better than forcing them to because of the same reason. The main difference for me being whether or not I profit off it but, given choice in each case, that really doesn't matter to how the user weighs the situation.
World of Warcraft has an in game ui addon modding system built in that ends up suffering from these same problems. It’s so damn frustrating to see addon developers sell out their fans to a super shady spyware company for like $3/month (and the alternative is $0)
I could understand betraying people for a life-changing amount of money, but £20 is 5-20 minutes’ worth of pay for a competent SWE…
I actually run a service for adding paid features to browser extensions: https://extensionpay.com
From all the data I have, people will definitely pay for extension functionality, though lots of people will write negative reviews unfortunately.
I also use ExtensionPay myself in my own extensions and have found this to be true. I try to get the people who pay and have a good experience to write reviews since they’re so underrepresented in written reviews.
And if you run a website you get constant emails like this:
Hey There,
I wanted to reach out and see if <website.com> accepts guest post contributions or link insertion in existing posts? If so, I'd love to hear more about your guidelines and any specific topics of interest.
Thank you for your time, and I'm looking forward to your response.
Best Regards,
These ones are definitely spammed out en-masse, my site doesn't even have a blog.
My site also has some Windows software downloads on it, and I occasionally get emails for bundling dodgy installers. Most of these tend to be "residential proxy" services looking to sell access to users' internet connections.
We run an educational blog for our saas product and we get some legit emails from readers but also a lot of the spam and some of it is scary good.
They feed in so much context that it does appear to be a real person and it ends up wasting a lot of time and honestly it's quite hurtful. We spend a lot of time sharing our stuff and these fake connections are a major turnoff.
Recently we encountered a wave of "awards shortlist" sort of emails written by AI with deep context that will cosider us for award for one easy payment! Except they always forget to tune the topic as we're not running software security service, we cover web scraping.
I feel like AI will kill email communication between strangers. It's getting so exhausting.
This may not be appropriate for your use case, but rotating the publicly facing email address when you get spam or on an interval may help here.
For example hello-XXXXX@site.com (hello-a5b84@site.com, hello-jux8k@site.com, …).
I believe most legitimate visitors send an email shortly after visiting a page with the address while spam emails often have a much longer lead time with new addresses (it takes time to get scraped, put in a database, and then get used).
However this does mean that extended communication on that address and saved addresses will not work well.
This is my favorite sort of email that we get about once a month in various forms... their title at the end is hilarious.
---
Subject: Found a security vulnerability on your website.
Hi Team,
I am Harris, a security researcher, and I have found a security vulnerability in your website outside a bug bounty program.
I can disclose all the vulnerabilities found and their proper fixes too, to make your website more secure.
Companies I helped have always been generous and helped me back with rewards in amounts they think are appropriate to the issues I have found. If you appreciate my help, I'd be happy to receive a bonus payment via PayPal, Bitcoin, Payoneer, or Bank Transfer.
> My site also has some Windows software downloads on it, and I occasionally get emails for bundling dodgy installers. Most of these tend to be "residential proxy" services looking to sell access to users' internet connections.
I wonder what these people are thinking? Like, TOR operators know the risks with connection sharing - most particularly: pedos using their service to share CSAM. But everyday people?! They have no idea until one day they get v&.
I think these services are used mainly for scraping sites which try to hide their data (think LinkedIn). They don't offer any protection to those that are breaking the law, afaik. So I would expect that there isn't much risk of putting their victims ("endpoints") in trouble with the law.
Not condoning it of course, it is still an ugly practice.
I've read through some of Brian Krebs' articles on some of these proxies, the ones I get these email offers from seem a little less slimy than that and more above board like you say. It's still not an acceptible thing to be seeling your users out to though.
Prey on users who don't know the difference. Sell the residential proxy service to scammers who use high-reputation residential IPs to commit crime or fraud or other shady things.
I would like to keep a working <email:> tag on my website but doing so seems to attract tons of spam email that goes something like this, or otherwise offers from random web developer conglomerates offering to "better" my website (which I try to keep simple and plain). :/
Masking your WordPress install is a pretty good idea for plenty of other reasons though, just hiding wp-login will save you a lot of headache with bots wasting your CPU cycles and bandwidth trying to bruteforce.
Sounds like a challenge to hide the wordpressyness entirely though, it's got a huge surface area.
The root problem here is that there's no legitimate way to monetize browser extensions. Extensions are meant to be simple, so it's hard to sell premium features. Extensions usually don't "own" any space to embed ads in.
"The web has come a long way in the 11 years since we launched the Chrome Web Store. Back then, we wanted to provide a way for developers to monetize their Web Store items. But in the years since, the ecosystem has grown and developers now have many payment-handling options available to them."
Just want to put a plug in for https://extensionpay.com/ - I've used it in extensions in the past. It takes away the headache of setting up a backend for payment. They do take an extra 5%, but it's worth it especially. for smaller projects
Another failed Google product...of course every company has huge back catalogs of deprecated products but the sheer % of fails by Google is almost unbelievable.
An extension user could theoretically be willing to pay for the value the extension provides them. The malicious actors sending these emails are willing to pay for the value that a user's data provides them. These two numbers are not related in any way, and the value of user data will often be much higher than the value of the extension's functionality.
There is no way for monetization to solve this, because the two potential customers are not purchasing the same product.
Not sure if sarcasm but will respond as if it's not.
There are lots of business models to choose from
- subscription
- affiliate links
- sponsors
- one time charge, this one is tricky as restricting access requires a back-end that needs ongoing maintenance and server costs
> one time charge, this one is tricky as restricting access requires a back-end that needs ongoing maintenance and server costs
If a browser extension is allowed to use license keys (not sure on the various store rules i.r.t. browser extensions), you could create a timed license key that is cryptographically signed.
Yes, most extension devs probably start out with no intentions of profit. They wrote their extension to scratch an itch. However, once they get an installed base and start getting offers to do shady stuff, it seems obvious that they might be tempted by easy money. If they had a more legitimate way to make money, they may be less tempted by the shady stuff.
I may have misunderstood your prior comment so please excuse me if I got it wrong. The problem I was solving was how to make money from an extension that I publish. I was outlining different business models where you could give the user access to the extension, and make money without having to accept this arrangement with data thieves.
I believe problem isn't the right word. I think OP is challenging your assumption that it's inherently freeware. There are methods for monetizing an extension and they're infrequently used or associated with a much larger experience (e.g. my BitWarden extension is critical for using BitWarden, but I pay for BitWarden's subscription elsewhere).
Might at least make these attacks harder if users could disable extension updates, or had to opt into them. Most of these extensions are simple and don't really need to be updated, yet the update mechanism is silent full auto bada bing bada boom no rollbacks. I can't think of any updates more aggressive, not even Steam.
Yet another opportunity to recommend Firefox to readers.
I'm not sure I advise doing it, but you can go to about:addons and hit the gear icon and you can uncheck "Update Addons Automatically". Even better, click on an extension and under the "details" tab there's an option per-addon to set whether you want automatic updates or not, so you can disable updates just for the one addon you don't trust (or enable updates just for the one addon you do trust).
Also, want to run older version of an extension? The Mozilla Addons page for each extension has a list of every release and you can download each version independently as a signed XPI file if you want to sideload it.
The big thing I wish Mozilla would add is self-compiled releases like F-Droid does, especially since their ill-advised signing process means it's hard for users to compile an extension from source -- it's way too easy for a submitted extension to deviate from its source code. But that (admittedly large) issue aside, Firefox offers a lot of control for users who want to manage their own extension versions. Forced automatic updates are a Chrome problem.
Yeah, that's very nice. The only reason I'm even aware of how Chrome does it is because we're forced to use Chrome at work. We're allowed to use some vetted internal extensions with it, and I do, but someone pushed an update that broke an extension by accident. Then I was like, why is this a thing.
I don't think this is necessarily true. I run a software licensing API with quite a handful of customers running browser extensions with respectable user bases.
So there are monetization opportunities, just like any other distribution channel.
The issue with that is that "Gets to read and/or write the DOM" happens to be the only permissions a nefarious extension needs while also being those that a vast number of useful extensions require.
I think you're thinking from the browser level. I was thinking from the standpoint of what I could do as an extension developer.
If we approach it from that angle, then your extension can only restrict access to it's features via a round trip to your own servers to validate access and/or show a checkout view to purchase access.
I suspect it would be a very hard permission to implement. There are a lot of ways to exfiltrate data from a website if you have DOM access. But yeah, agreed.
Some of the difficulty around securing extensions boils down to the fact that Javascript permissions could be better. Websites do a decent job of sandboxing the website, but sandboxing within websites (without relying on iframes) is much more difficult.
Per-site permissions and click-to-activate are also really useful features here. It's easy to forget how recent they are. But it would be good to go further if possible and having barriers in front of exfiltration would be a big part of that -- there are many browser permissions that would become less dangerous if you could know for sure that the data they generate can't get off your device. I just think it would be really difficult to try and build browser permissions around that in a user-legible way.
Google could easily find a way to display ads for all extensions: pre-roll ads before extension launches, mid-roll ads when user is using extension for some period of time; not sure what is stopping them.
This one is interesting because it seems harmless, if not even helpful (Monitoring DNS errors). What am I missing here?
"I’m sure you get business proposals all the time, so I’ll get straight to the point. I hope what I’m proposing is a little different and might actually interest you. I like Hover Zoom+ as a great alternative to it’s bigger brother Hover Zoom that lost its glamour over the last couple of months.
We're conducting a DNS error research and we’re interested in small amounts of anonymous data that you might be able to provide via your Chrome extension. Our research has been going on for years and Google has never had the slightest problem with it.
- Compatible with Google’s strict policies
- No personal user data
- No ads, no malware
The data we’re interested in are basically just DNS errors:
- NXD – Non Existent Domain - the domain that a user entered that resulted in a DNS error.
- A time stamp – when it happened.
- GEO – where it happened (USA, UK, RU etc.).
- A unique randomly generated user ID (can be hashed, not traceable back to the user). Please, don’t confuse this with the user IP address.
And that’s all. You can either use our script or collect the data on your own and send it to us via an FTP server, API etc. There’s a lot of different ways we can do this. We pay on a monthly basis. The payments depend on user GEOs, but it would be in thousands of dollars per year.
Is this worth at least a brief discussion? Looking forward to hearing from you.
A while back I reached out to you regarding a DNS error research our company conducts. Hover Zoom+ would be an ideal medium for our research. In return, this could become a solid new revenue stream for you.
Our method has been going on for years and we’ve never had the slightest problem with Google. We pay regularly on a monthly basis. For you it would be in tens of thousands of dollars per year - the amount depends on your users base and data quality.
If you’re concerned about including third party scripts, there’s still a lot of ways we can make this work.
Please let me know if this is worth a brief discussion to you."
Just a guess: they could buy domain names that are available and for some reason get queries. For example often misspelled domains. This would not be forbidden but still a little shady.
Well, money's changing hands, and they're not specifying any clear intent of goodwill.
Therefore, there is likely some business interest at best, or anti-user behavior at worst.
It's not hard to write a script that ostensibly does one thing but very sneakily carries information about another thing. For example, write a bad 'hashing' function? Piece of cake.
To see this many aggressive offers over an extension with ~300k users, it makes you wonder how intense the offers are for the likes that reach in the millions.
The incentives seem entirely misaligned in the extension space.
Ruffle's official e-mail inbox is chock full of these. The sums of money being offered for a free and Free extension are so high that I can only assume the buyers are looking to load it up with whatever malware won't immediately get it banned by Google or Mozilla[0].
My personal opinion is that you shouldn't be allowed to transfer an extension between owners without prior approval and vetting of the new ownership structure. This should deliberately be harder than just setting up a new extension, because new listings won't have reviews or trust associated with it. I'm saying this as the person who occasionally gets caught on the business end of some of these policies[1] and knows how much of a pain it is to navigate bureaucracy. The underground extension sales marketplace is incredibly sketchy and plays fast and loose with user trust.
[0] Joke's on them, our AMO listing is already flagged for machine-generated code (because we use Rust/WASM), so our extension submissions only get approved if Mozilla is able to reproduce our builds byte-for-byte.
Minecraft Bukkit plugins are basically the wildwest. It's really hard to tell if something is intentional or not. I remember many years ago trying to find a motd (message of the day) plugin that would just display a message when you joined the server.
I found one that was simple enough, but it would ping home to check if there were any updates as well. Now it could have been just the developer trying to add a useful feature, but the cynic in me believes it's so that they could get IP addresses of the servers running the plugin.
It also had a debug command that wasn't authenticated that let you print the contents of any motd file in a folder. Except it didn't escape strings properly, so you could `../...` to escape out of that directory and print any file.
I have no idea if the author actually exploited this, or if they were a naive 14 year old writing their first plugin. If they were trying to exploit, I don't know which file they were going to print the contents of, but it definitely made me very suspicious.
> It also had a debug command that wasn't authenticated that let you print the contents of any motd file in a folder. Except it didn't escape strings properly, so you could `../...` to escape out of that directory and print any file.
That's hilarious and showcases how un-sandboxed those plugins are.
2b2t got backdoored several times this way. Several people had access to WorldEdit, creative mode, admin commands, etc.
Beyond ancient anarchy servers, right now the Minecraft mod community has been dealing with several supply chain attacks, deserialization vulnerabilities, and so on.
If you put something out on the web that gets somewhat popular, you are going to get all sorts of scummy people contacting you.
The first one that happened to me: I have a domain name and someone emailed me to let me know, as a courtesy, that someone was buying similar Chinese domain names and did I want to get them first. I thought that was nice that they were notifying me ... oh wait, they're just trying to get me to buy their domain names.
People contact me about redesigning my website, buying my website, exchanging links, straight up spamming my website. It's really strange.
I wonder whether there exists a cottage industry of fake extension writers pumping up their numbers with fake installs, all with the goal to sell the fake extensions to these scammers.
I also wonder how they make these sales. Is there an escrow for this? Are Chrome extension transfers non-reversible? Can't imagine such a shady deal is safe for either party.
You make the extension. I'll use bots to inflate the stats and make it look used. You pretend to not notice and sell-out. We split the profits. Fraud as easy as 1-2-3.
Things have gotten bad enough that I've stopped using extensions that haven't been through a code vetting process.
> Recommended extensions differ from other extensions that are regularly reviewed by Firefox staff in that they are curated extensions that meet the highest standards of security, functionality, and user experience. Firefox staff thoroughly evaluate each extension before it receives Recommended status.
Mozilla's review process is much more strict than Chrome's: they required me to produce original source code for all libraries that I am using (like jquery), forced me to get rid of some leftover eval's in javascript, etc. I don't think they read all source code, but they definitely look for some patterns.
If by recommended you mean "featured" flag on Chrome webstore then I believe that happens automatically if the extension satisfies their "best practices" criteria.
What does that mean in reality? Pretty sure Chrome Web Store extensions are reviewed, but since they're all minified and obfuscated garbage, I wonder how easily malicious code could slip through. I'm surprised there hasn't been a mass cookie stealing attack yet.
CWS doesn't review every extension submission, at best they do some % of them along with anything that sets off red flags. Out of hundreds of times I pushed updates to my extension (~100k monthly users by the end) it was delayed for human review maybe... twice?
maybe its time for a LLM based security review open source framework. this could be adapted for extensions to see what information they'd be sending over.
It means taking malware seriously, even if that means you have to pay human beings to vet code manually. I realize that Google wants to avoid paying human beings at all costs, but too bad.
This is terrifying. I'm glad the developer of Hover Zoom+ is both ethical and has a backbone. He demures, but I know that having a decent job has not kept other people from taking the money when presented with similar offers. I see that he's in this thread, so: hats off to you.
What I'd like to know is, how many different entities are represented in this compilation? Since everything is redacted, it's not easy to tell. I was surprised that there are so many offers by, seemingly, so many different scumbags. I mean people.
This is so true. I receive these emails every week. I've even had offers about acquisition that I had to turn down. Having a "Featured" chrome extension does seem to attract a lot of these offers. The more emails/offers I receive, the more I'm convinced that I shouldn't give up the extension.
I built an extension called Repibox that pulls the recipe out of any website that has instructions/ingredients in the meta data and displays it immediately. First time I got an acquisition email was exciting, but then I realized any acquisition would do a disservice to my friends/family who use my extension.
Hell I have gotten offers like this on a Discord bot, even. Wherever user data can be found, there are those who'd like to have their finger on the pulse
Another extension creator here, I've been getting more and more of these emails recently. I just checked, and my extension [1] now has a "Featured" badge, which I guess explains this uptick.
No intention of "monetizing" as there is no non-shady way to monetize this feature. I perhaps don't maintain it as much as I could (sorry Windows and Linux users), but on the upside it is so little work that I'm never tempted.
I have an extension I wrote that is literally for a single regional website to do some extra blocking to get around a paywall. There are under 10 installs total. For some reason, the most recent monetization email I got thought it was 10,000.
> I'm reaching out to discuss a unique monetization opportunity for your extension, <name>, through our exclusive Premium Bing Hosted Product.
> I'm thrilled to let you know that this invitation-only product offers the chance to earn as much as $500 per month for every 1000 users. Given that your extension has a user base of 10K, you stand to make up to $5000 monthly just by integrating the search functionality into your extension. This could be a significant source of passive income, and I truly believe it's an opportunity you won't want to pass up.
I... I... I know the 10 installs are all basically /my devices/...
You should counter by offering to sell them the whole thing for a flat price and then have all your users (you) switch to a new extension that does the same thing under a new name. :)
Okay, even better, to follow on another user's idea and up the ante:
Fake extensions created under burner dev accounts (w/ fake identities), astroturf the installs like crazy. Use ChatGPT to write the code, pump it out like chocolate out of Willy Wonka's Fudge Sludgefest.
Sell to scammers/info scalpers for a flat fee via a non-refundable route under a semi-reputable escrow, rinse and repeat.
The one downside is if you do that to somebody bad, and you've left any personal info out by accident....
Additionally, it's highly unethical. Don't do this. But it seems like 'easy money', the whole 'curse of maybe getting doxxed and XYZ from a sufficiently-motivated data thief' aside.
>Monetizing anonymous user data is happening on almost every website we visit - you may be leaving alot of money on the table by not monetizing your anonymous user data. Try dowloading Ghostry to see for yourself.
Some people have no shame at all. It's like the caricature of the Devil from a Sunday Morning cartoon, offering you riches and power untold for the low, low price of your soul.
Like dude, how do you know what Ghostery is and don't get why people use it?
If anyone's around here and isn't adverse to actually being paid for developing extensions in a non-shitty way, I built https://github.com/dougwithseismic/monetize-this and use it in my own extensions.
I get that it's noble to hold a position of 'no way, I will never monetize, I am a shining white knight' but lets be real, we all gotta eat. If you choose not to then that's great, Im glad but please; monetization !== shady shit.
Of all of these, I appreciated the one from 05/11/2016 the most. It felt the least shady because they were very up front with the scope and the data collected (which was narrowly focused), and left the implementation up to the developer (along with an optional script they could use).
They also provided several options for sending the data, just to guarantee that the extension couldn't be compromised by their code. This one stood out from the rest for me. Curious though if I'm missing some way that this could be used for nefarious purposes though. Full text of the proposal below:
------
I’m sure you get business proposals all the time, so I’ll get straight to the point. I hope what I’m proposing is a little different and might actually interest you. I like Hover Zoom+ as a great alternative to it’s bigger brother Hover Zoom that lost its glamour over the last couple of months.
We're conducting a DNS error research and we’re interested in small amounts of anonymous data that you might be able to provide via your Chrome extension. Our research has been going on for years and Google has never had the slightest problem with it.
Compatible with Google’s strict policies
No personal user data
No ads, no malware
The data we’re interested in are basically just DNS errors:
NXD – Non Existent Domain - the domain that a user entered that resulted in a DNS error.
A time stamp – when it happened.
GEO – where it happened (USA, UK, RU etc.).
A unique randomly generated user ID (can be hashed, not traceable back to the user). Please, don’t confuse this with the user IP address.
And that’s all. You can either use our script or collect the data on your own and send it to us via an FTP server, API etc. There’s a lot of different ways we can do this. We pay on a monthly basis. The payments depend on user GEOs, but it would be in thousands of dollars per year.
Is this worth at least a brief discussion? Looking forward to hearing from you.
A while back I reached out to you regarding a DNS error research our company conducts. Hover Zoom+ would be an ideal medium for our research. In return, this could become a solid new revenue stream for you.
Our method has been going on for years and we’ve never had the slightest problem with Google. We pay regularly on a monthly basis. For you it would be in tens of thousands of dollars per year - the amount depends on your users base and data quality.
If you’re concerned about including third party scripts, there’s still a lot of ways we can make this work.
Please let me know if this is worth a brief discussion to you.
non existent domains are the ones that are most likely to be somehow personal to the user, because they weren't trying to enter a domain at all but it got interpreted as one accidentally. Eg a password they meant to type into a password field but the url bar was highlighted. If they were interested in statistics regarding popular domains, like google or facebook, then it would actually be less of a privacy intrusion, because it would only end up telling you about populations, not individual users.
I don't know what they actually intended to use this data for, but its telling that they don't mention that in their proposal.
So much sleaze with extensions, it's nice to see it documented. Have to be honest the name "HoverZoom" was spoiled for me because it was one of the first fraud extensions I was a victim of. Nice to see this open source fork with an author concerned about the problem.
These days I pretty much only install open source extensions. Ironically I was using Imagus, just switched to HoverZoom+ thanks to this post.
I too was a heavy user of imagus, until it stopped receiving updates and the owner went silent. I know there's a subreddit with some people picking it back up, but I've moved on to HZ+ now. And it's for reasons like the maintainer of HZ+ standing up morally being one of the reasons.
There was a rumor I heard on some forums awhile back that at one point, ad tech companies wanted to kill uBlock Origin so bad that they were willing to offer a few million dollars to take it over, and gorhill stood tall.
If this is true (and its a huge if, again, I heard it in the context of a rumor), just makes them more of a stand up developer!
I really like Hover Zoom+. I’d be willing to pay $7,000 to $8,500 USD for each kidney you’d be willing to sell. Once we know the size/functioning we can determine exact figures. Happy to buy both if you no longer need them, you probably barely use them anyway.
This assumes the offer is legit. I seriously doubt even the most nefarious extension nonsense is actually going to bring in $20k/month. Even if there's millions of users.
That's exactly it. The "extension monetization" field is a product area fundamentally designed to scam its users. Clearly they're not going to shy away from scamming their suppliers. They just need to fool the authors into giving them control before taking payment, then they move on to the next mark.
That is nothing. I turned down the opportunity to inherit a Saudi Prince’s fortune for doing nothing (well just needed to pay his sons bail
bond or something)
Oh, hey! I just got my first one of those for my extension a couple days ago. I just marked it as spam and moved on with my life.
Shameless self promotion - Open source chrome tab search way more powerful than the newish built in search (supports quotes, negative searches, things like host:example.com, etc).
The catch with those enticing monthly offers (versus selling the extension) is that you are taking the risk to get your extension taken down, while the offerors can at any time switch to another partner/victim.
A rather popular app for macOS got purchased by some shady company and they updated it to include a botnet SDK. I'm guessing a lot of the potential buyers here have similar intents.
Yep, I've been getting these emails since 2014, around 200 in total. My extension has had between 30,000 and 100,000 active users. They often quote up to $500 a month per 1000 users, which sounds too good to be true.
Without the additional constraints manifest v3 puts on what code an extension can run at runtime, an extension author can just slip some "grab some code from a server I control and eval it" logic into their extension, which Google can't vet. That makes it possible for an extension that was fine yesterday go to "harvesting your PII to send to a company that is building an AI based on your click frequency" today with no change indicated; just a silent "Oops I'm malicious now" shift.
All cards on the table: Google does a not-great job of protecting against intentional malicious changes last I checked, i.e. they'll pass through a lot of new extensions and extension updates that do shady stuff behind the scenes. But without some lockdown on arbitrary code execution (which Mv3 provides), the problem is theoretically impossible to solve.
Detect if the extension downloads and executes arbitrary code, and ban it if it does. That should be just as easy to detect as detecting that the code does something bad directly. In fact, the way extension policing works is (afaik) completely reactive: if someone reports that an extension is doing something bad, then the extension/the developer thereof is banned. No/minimal policing is done at the time of publishing. The exact same policy applies unchanged to extensions that download malicious code instead of packaging it directly: wait until someone complains about the malicious code, ban the extension for having malicious code.
In manifest v2, downloading and executing arbitrary code is a feature.
What you're describing is the migration path from v2 to v3. "Detect if the extension downloads and executes arbitrary code, and ban it if it does" is isomorphic to "deprecate the eval arbitrary code permission, cease supporting it in the store, and provide an alternative declarative model to get some of the behavior back;" it's what Google is trying to do.
It's a composition of two features, both of which are useful on their own. Removing this "feature" requires removing at least one of those sub-features, in this case eval. We could alternatively allow eval to be used, but ban it from being used on code downloaded from the internet. This would require vetting the code, rather than a fully automated check. The goal of such a removal is, supposedly, to enable manual vetting to be more effective. However, the only reason to prefer an outright removal over a conditional ban is that it obviates the need for manual review. Do you see the contradiction?
Naturally. Thus, it doesn't much matter whether code is shipped in the extension package, or downloaded off the internet, since nobody will be checking what it does regardless.
Of course it matters. One of them allows looping in data from arbitrary external sources, and the other one (Mv3) has a permissions model that disallows that. It's a completely different risk domain.
Don't forget, the mere act of requesting data from an external uncontrolled third-party source is leaking user information. Under Mv3, those leaks are fully documented.
It would require collecting this data in the first place. Since it's not related to the primary functionality of the extension, it would require me to declare it in the privacy policy and extension stores. Probably needs additional access permissions as well. It's much easier to just not collect anything at all.
If it was up-front and clear in scope and intent, I would have much fewer problems with it. But, I don't think I've ever some across software that clearly and explicit listed the scope of what will be tracked (and how), clearly stated that it was intended to be sold, and gathered clear and explicit consent from the user.
It will inevitably turn out later, when the data has already leaked, that due to an unfortunate oversight or bug or misconfiguration it wasn't truly anonymized after all.
Keeping track of which extension goes rogue or what eventually breaks if not maintained gets really tiring.
After dealing with this so many times, some strategies have stuck:
0. Prefer extensions that work locally, no data sent out anywhere.
1. Keep an extension audit profile, meant for testing them a bit.
2. Use different extensions for my main daily driver profile, shopping comparison profile, etc.
2. The audit profile also has bookmarks of the extensions I'm using and others for later review, or looking back, helps me declutter the main profile a bit.
3. Use https://chrome-stats.com/ to check the extensions' pedigree, they have a trust meter based on the amount of permissions asked, how long has the developer been around, etc.
4. Do your own review on what goes out with developer tools on requests, especially if the extension needs permission to a control domain. Many will tell you in the Privacy Policy that they don't collect anything PERSONAL, but need to process your data somehow, and from an initial look you can't really tell it's a service or the extension itself doing it. Lack of clear wording is key here.
5. Some mask the control domain using a subdomain of a cloud platform to host the app, so it looks more trustable, and tell they only send telemetry data there.
6. Prefer stuff that's also on github, but don't trust blindly: some developers have just posted a boilerplate hello world there.
Two related anecdotes:
1. The Glarity extension (AI GPT autocomplete stuff) is open source, you can find it on github too, it explicitly said it worked only with your OpenAI API key only, yet when installing it, it just worked and I was getting GPT-powered summaries. They have their own service, where they relay all your input, but there is no documentation of it anywhere. I didn't double check if those requests stopped once you added your own API key. That was months ago, now just checked before posting, still no news from them on that functionality. While I can ascribe this to just general sloppiness, there've been some repos with serious accusations of stolen keys (lencx/nofwl)
2. I've had login data leaked with a shopping extension, where Chrome alerted me and disabled it. That was in 2021. It was pulled from the store. Months later I start getting login notifications in my email to some websites I use with my 'shopping/price compare' profile. They were attempts from Russia. The websites alerted to my email yet let session go through, since I don't use 2fa. It seems they were scanning for some saved credit card or something.
I had a small side project extension, ~25,000 installs & free to use. I got enough inbound interest trying to "help me monetize" that I thought it would be worth cataloguing all the different unsavory avenues: https://mattfrisbie.substack.com/p/the-ugly-business-of-mone...