AI Web Browser Assistants Raise Serious Privacy Concerns, Study Reveals

AI web browser assistants raise serious privacy concerns

Popular generative AI web browser assistants are collecting and sharing sensitive user data, such as medical records and social security numbers, without adequate safeguards, finds a new study led by researchers from UCL and Mediterranea University of Reggio Calabria. The study, which was presented and published as part of the USENIX Security Symposium, is the first large-scale analysis of generative AI browser assistants and privacy. The research was also published on the arXiv preprint server. It uncovered widespread tracking, profiling, and personalization practices that pose serious privacy concerns, with the authors calling for greater transparency and user control over data collection and sharing practices. The researchers analyzed nine of the most popular generative AI browser extensions, such as ChatGPT for Google, Merlin, and Copilot (not to be confused with the Microsoft app of the same name). These tools, which need to be downloaded and installed to use, are designed to enhance web browsing with AI-powered features like summarization and search assistance, but were found to collect extensive personal data from users' web activity. Analysis revealed that several assistants transmitted full webpage content -- including any information visible on screen -- to their servers. One assistant, Merlin, even captured form inputs such as online banking details or health data. Extensions like Sider and TinaMind shared user questions and information that could identify them (such as their IP address) with platforms like Google Analytics, enabling potential cross-site tracking and ad targeting. ChatGPT for Google, Copilot, Monica, and Sider demonstrated the ability to infer user attributes such as age, gender, income, and interests, and used this information to personalize responses, even across different browsing sessions. Only one assistant, Perplexity, did not show any evidence of profiling or personalization. Dr. Anna Maria Mandalari, senior author of the study from UCL Electronic & Electrical Engineering, said, "Though many people are aware that search engines and social media platforms collect information about them for targeted advertising, these AI browser assistants operate with unprecedented access to users' online behavior in areas of their online life that should remain private. "While they offer convenience, our findings show they often do so at the cost of user privacy, without transparency or consent and sometimes in breach of privacy legislation or the company's own terms of service. "This data collection and sharing is not trivial. Besides the selling or sharing of data with third parties, in a world where massive data hacks are frequent, there's no way of knowing what's happening with your browsing data once it has been gathered." For the study, the researchers simulated real-world browsing scenarios by creating the persona of a "rich, millennial male from California," which they used to interact with the browser assistants while completing common online tasks. This included activities in both the public (logged out) space, such as reading online news, shopping on Amazon or watching YouTube videos. It also included activities in the private (logged in) space, such as accessing a university health portal, logging into a dating service or accessing pornography. The researchers assumed that users would not want this activity to be tracked due to the data being personal and sensitive. During the simulation, the researchers intercepted and decrypted traffic between browser assistants, their servers and third-party trackers, allowing them to analyze what data was flowing in and out in real time. They also tested whether assistants could infer and remember user characteristics based on browsing behavior, by asking them to summarize the webpages then asking the assistant questions, such as "what was the purpose of the current medical visit?" after accessing an online health portal, to see if they had retained personal data. The experiments revealed that some assistants, including Merlin and Sider, did not stop recording activity when the user switched to the private space as they are meant to. The authors say the study highlights the urgent need for regulatory oversight of AI browser assistants in order to protect users' personal data. Some assistants were found to violate US data protection laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA) by collecting protected health and educational information. The study was conducted in the US and so compatibility with UK/EU data laws such as GDPR was not included, but the authors say this would likely be a violation in the EU and UK as well, given that privacy regulations in those places are more stringent. The authors recommend that developers adopt privacy-by-design principles, such as local processing or explicit user consent for data collection. Dr. Aurelio Canino, an author of the study from UCL Electronic & Electrical Engineering and Mediterranea University of Reggio Calabria, said, "As generative AI becomes more embedded in our digital lives, we must ensure that privacy is not sacrificed for convenience. Our work lays the foundation for future regulation and transparency in this rapidly evolving space."

AI browsers share sensitive personal data, new study finds

Artificial intelligence (AI) web browser assistants track and share sensitive user data, including medical records and social security numbers, a new study has found. Researchers from the United Kingdom and Italy tested 10 of the most popular AI-powered browsers -including OpenAI's ChatGPT, Microsoft's Copilot, and Merlin AI, an extension for Google's Chrome browser - with public-facing tasks like online shopping, as well as on private websites such as a university health portal. They found evidence that all of the assistants, excluding Perplexity AI, showed signs that they collect this data and use it to profile users or personalise their AI services, potentially in violation of data privacy rules. "These AI browser assistants operate with unprecedented access to users' online behaviour in areas of their online life that should remain private," Anna Maria Mandalari, the study's senior author and an assistant professor at University College London, said in a news release. "While they offer convenience, our findings show they often do so at the cost of user privacy ... and sometimes in breach of privacy legislation or the company's own terms of service". AI browsers are tools to "enhance" searching on the web with features like summaries and search assistance, the report said. For the study, researchers accessed private portals and then asked the AI assistants questions such as "what was the purpose of the current medical visit?" to see if the browser retained any data about that activity. During the public and private tasks, researchers decrypted traffic between the AI browsers, their servers, and other online trackers to see where the information was going in real time. Some of the tools, like Merlin and Sider's AI assistant, did not stop recording activity when users went into private spaces. That meant that several assistants "transmitted full webpage content," for example any content visible on the screen to their servers. In Merlin's case, it also captured users' online banking details, academic and health records, and a social security number entered on a US tax website. Other extensions, such as Sider and TinaMind, shared the prompts that users entered and any identifying information, including a computer's internet protocol (IP) address, with Google Analytics. This enabled "potential cross-site tracking and ad targeting," the study found. On the Google, Copilot, Monica, and Sider browsers, the ChatGPT assistant made assumptions about the age, gender, income, and interest of the user they interacted with. It used that information to personalise responses across several browsing sessions. In Copilot's case, it stored the complete chat history into the background of the browser, which indicated to researchers that "these histories persist across browsing sessions". Mandalari said the results show that "there's no way of knowing what's happening with your browsing data once it has been gathered". The study was conducted in the United States, and alleged that the AI assistants broke American privacy laws that deal with health information. The researchers said the browsers likely also breach European Union rules such as the General Data Protection Regulation (GDPR), which governs how personal data is used or shared. The findings may come as a surprise to people who use AI-supported internet browsers - even if they are familiar with the fine print. In Merlin's privacy policy for the EU and UK, it says it collects data such as names, contact information, account credentials, transaction history, and payment information. Personal data is also collected from the prompts that users put into the system or any surveys that the platform sends out. That data is used to personalise the experience of people using the AI browser, send notifications, and provide user support, the company continued. It can also be used when responding to legal requests. Sider's privacy page says it collects the same data and uses it for the same purposes but added that it could be analysed to "gain insights into user behaviour" and to conduct research into new features, products, or services. It says it may share personal information but does not sell it to third parties like Google, Cloudflare, or Microsoft. These providers help Sider operate its services and are "contractually obligated to protect your personal information," the policy continues. In ChatGPT's case, the OpenAI privacy policy says data from EU and UK users is housed on data servers outside of the region, but that the same rights are guaranteed.