AI-powered browser assistants, designed to streamline web activities, are facing mounting scrutiny over their data collection practices. A recent study by researchers from University College London and Mediterranea University of Reggio Calabria reveals that many of these tools, which offer features like summarization and search assistance, are collecting vast amounts of sensitive user data without clear consent.
The audit, which included popular assistants like ChatGPT for Google, Microsoft’s Copilot, and Merlin, found that some extensions transmitted entire webpage contents—including confidential information like medical records and banking details—to their servers. The data is then used to profile users, inferring attributes like age, gender, and interests, and to personalize responses, often across different browsing sessions. This practice, while enhancing user experience, poses a significant privacy risk.
A particularly concerning finding was that some assistants continued to track browsing activity even in private or incognito mode, directly contradicting the user’s intent for anonymity. This disregard for user privacy highlights a major gap in the transparency and accountability of these tools. Furthermore, the study suggests these data collection practices may violate existing privacy laws, such as the Health Insurance Portability and Accountability Act (HIPAA) in the U.S. and the European Union’s General Data Protection Regulation (GDPR).
As these AI tools become more embedded in our daily digital lives, experts are urging stricter regulatory oversight. The findings underscore the urgent need for developers to adopt “privacy-by-design” principles, such as processing data locally on the user’s device and obtaining explicit, informed consent for any data collection. Consumers are advised to be vigilant about the permissions they grant to browser extensions and to review privacy policies carefully before installing these new tools. The promise of convenience, it seems, may come at a steep price: our personal data.
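
One way to act on the advice about extension permissions, as an added example that is not from the study or the original article: a Python check of a Chromium-style extension `manifest.json` for all-site page access, browsing-activity permissions, and incognito availability. The sample manifest is constructed and describes no real extension; the function and constant names are this example's own.

```python
import json

# Match patterns that cover every site the user visits.
BROAD = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose URLs or navigation events.
ACTIVITY = ("tabs", "webNavigation", "history")

def _strings(manifest, *keys):
    """Collect string entries from the given manifest list fields."""
    return {v for k in keys for v in manifest.get(k, []) if isinstance(v, str)}

def audit_manifest(manifest):
    """Return a list of privacy-relevant findings for a parsed manifest."""
    findings = []
    # Manifest V3 uses host_permissions; V2 mixes hosts into permissions.
    granted = _strings(manifest, "permissions", "host_permissions")
    optional = _strings(manifest, "optional_permissions", "optional_host_permissions")
    if granted & BROAD:
        findings.append("all-site host access: " + ", ".join(sorted(granted & BROAD)))
    if optional & BROAD:
        findings.append("can request all-site host access at runtime")
    for script in manifest.get("content_scripts", []):
        if set(script.get("matches", [])) & BROAD:
            files = ", ".join(script.get("js", [])) or "(no js listed)"
            findings.append("content script runs on every page: " + files)
    for perm in ACTIVITY:
        if perm in granted:
            findings.append("can observe browsing activity via " + perm)
    # "spanning" is the default; only "not_allowed" rules out incognito use.
    if manifest.get("incognito", "spanning") != "not_allowed":
        findings.append("may run in incognito windows once the user allows it")
    return findings

# Constructed sample manifest; it describes no real extension.
SAMPLE = json.loads("""
{
  "manifest_version": 3,
  "name": "Example Page Assistant",
  "permissions": ["storage", "tabs"],
  "host_permissions": ["<all_urls>"],
  "content_scripts": [{"matches": ["<all_urls>"], "js": ["reader.js"]}]
}
""")

if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE):
        print("-", finding)
```

The manifest shows what an extension is able to access, not what it actually transmits; confirming transmission requires inspecting the extension's network traffic.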