Nacho Analytics sells browsing data from more than 4m users (they advertise "See Anyone's Analytics Account"), a service it calls "God mode for the internet." The data is harvested by embedding Nacho's spyware (dubbed "Dataspii") in a variety of browser extensions, mostly for Chrome, but also some for Firefox.

Nacho — and the browser extensions it relies on to harvest data — claim that everyone involved opts in, provides full consent, and can be assured that the data that Nacho gathers provides to its customers is anonymized first.

But as an in-depth Ars Technica report demonstrates, all of these claims are highly dubious. The "consent" is often obtained through click-throughs that accede to lengthy sets of terms, which include cryptic notices about having your data harvested in this way.

The supposed anonymization is even more problematic: though the company excises obvious personal identifiers from the URLs it harvests, many services unwisely embed personal information in their URLs, and still more rely on secret URLs as the only way of keeping personal data private — researcher Sam Jadali found that it could use Dataspii/Nacho's "anonymized" URLs to log in to people's electronic health records, internal company documents, tax returns and other extremely sensitive data, including corporate trade secrets and sensitive information from Tesla, Blue Origin, Amgen, Merck, Pfizer, Roche, AthenaHealth, Epic Systems, FireEye, Symantec, Palo Alto Networks, Trend Micro, Amazon, FireEye, BuzzFeed, NBCdigital, AlienVault, CardinalHealth, TMobile, Reddit, and UnderArmour.

Some of the blame for this is on web developers who put sensitive info in URLs and rely on URL secrecy to protect user data. But it's hardly a secret that browsing history allows for access to sensitive data, and Nacho's incorrect belief that they can automatically cleanse the browsing history of compromising and sensitive data is an example of both arrogance and negligence.

A companion piece to Ars's excellent coverage documents the clever forensics that Jadali used to figure out how the data-harvesting worked.



"Your report is personally disturbing to me–and [publishing sensitive data] is definitely not the purpose of Nacho Analytics," he said. "We work hard to remove personally identifiable information from URLs and page titles, and exclude sites with serious security issues. When we learn of a new issue, we have a system to remove it immediately. We've stopped all new sign-ups for Nacho until we can get more information on this issue. If you give me a list of the sites that have these issues, we'll immediately disable those sites and work on a permanent solution." He also pushed back on the idea that Nacho Analytics had ever been used by customers to harvest sensitive information. Jadali, he claimed, was the only one who had done so. (He also claimed that Jadali had violated Nacho Analytics' terms of service in doing the research.) "Jadali looked at hundreds of websites, only a tiny fraction of which any legitimate Nacho Analytics customer ever viewed," he said. "In fact, none of the sites with the issues you've made me aware of have been viewed by any legitimate Nacho Analytics customer."

My browser, the spy: How extensions slurped up browsing histories from 4M users [Dan Goodin/Ars Technica]