Still sounds gross. While the developer might have opted in to selling your processing power to scrape websites, I doubt the users of each extension opted in.

Response from the developer:

" Users who want to support a free software product or creator can decide to opt-in to share their bandwidth. … Developers can decide to offer them additional features and content or simply use the money to keep the products free and available."

On User Consent:

“Our approach is always opt-out by default. I’ll write more below on how we are going about enforcing it now as part of a stricter approach to maintaining a transparent ecosystem. We provide default opt-in/out hosted pages to simplify asking consent and have left this page where users can see all the plugins to which they have opted-in and manage their settings with no developer as an intermediary: mellow.tel/user-control.”

In other words, users are opted-out by default. They can also go to that web site, and when they click the link, the page checks which extensions are installed in the browser and whether or not you opted in.

On Opt-In Enforcement:

Ars Technica article states there are “no checks to determine if a real user knows what they are approving or to determine if the developer just opts all users in on their behalf”.

“We do have a page where users can go and see if they are opted-in or have been opted in without their knowledge from the developer: mellow.tel/user-control. But you are right and we should do more. We have started enforcing the opt-in policy from today (by simply checking each integration and not sending requests to those that don’t show an opt-in) and will be doubling down on that in the coming days. Each new websocket request from an unknown integration will be quarantined and we won’t allow requests to go through until we have controlled the integration is compliant and is asking users to opt-in + is leaving an opt-out option clearly visible. We will also start enforcing routine checks on our Mellowtel integrations to create a transparent environment.”

In other words, the Mellow.tel developer has it set to always opt-out by default. However, developers of extensions may just opt-in the users without consent - which, I agree with you is gross. It’s possible those developers don’t explain the full implications. Now, the Mellow.tel developer is putting in remediations to ensure that the opt-in policy is enforced, and users will have more exposure to knowing whether or not this is happening. Meaning, they’re going to try to enforce default opt-out (as they stated this was always their policy), and make it easier for users to know they get opted in.

On Personally Identifiable Information and Monetisation:

The developers basically claims everything is anonymized. And the way they make money is, if you opt-in, you share “a fraction of your bandwidth” when browsing the web, fetching from a server, etc. They don’t collect or sell your user data because they aren’t advertising, and their business model is not advertising.

“all [Response data] is completely anonymous, it doesn’t point back to any user, and isn’t stored except the minimum time to at on it… Location - The only information used is country level (e.g., US, ES, DE), [and] it isn’t associated with any Personally-Identifiable-Information (PII) at all.”

So my conclusion - I care about my privacy. I don’t like being opted into things without my consent. According to this developer’s response, they never did. They’re trying to come up with a model to help the web stay free. Who knows if this will be viable or not. Developers of extensions can leverage this stuff, and in the past, some of those developers may have opted users in without their consent (or without full transparency or understanding of how this was happening). Even if a user was “opted in”, it doesn’t appear to be a significant impact to privacy as they have their source code published, processing happens locally on the user’s device, and the data that gets process is not transmitted, sold, or even have any identifiers. In fact, the data they claim is quite sparse to the extent that it’s limited to bandwidth allotment, country, and simple “keep alive” checks (heartbeat). Now I don’t have any association with this company, know this developer, nor do I have any stakes at all in this. This just caught my attention and I Had to read and learn more about it, and assess whether or not it affects my privacy threat model (it doesn’t for me, simply because none of the extensions I use have this thing).

For my background - I’m a software engineer for a SaaS provider. My company processes observability telemetry, and we assist customers to instrument agents in their environments (server, machines, clusters, DB, and end-user devices like browsers and mobile devices) to collect metrics to enable observability of their platform, and generate automatic application topology. Also a suite of tools to examine metrics and dynamic baselines, health rules for baseline deviations or other anomalies, analytics, user queries, complete business transaction view, incident remediation, etc. However, I have no background whatsoever in security. So I can’t comment on the security point because I don’t have a cyber security background. I’m only going off what the developer said, and it made sense to me. But I’d defer to a person with cyber security expertise to comment here.

Edit: Added some additional context, fixed some spelling.

Nice, thanks for discovering that. I wasn’t aware there was a rip off version of it.

These extensions use MellowTel-js. After this article from ArsTechnica went live, the developer responded in full detail and transparency.

If you’re a Dark Reader user (as that’s one of the most widely used extensions), definitely read MellowTel’s response on how their technology works. It made me realize the Ars article was not fully vetted.

https://www.mellowtel.com/blog/responding-to-ars-technica-and-mellow-drama-article

Edit: Dark Reader on this list is actually a knock off version just for Edge browser only - it’s not the widely used Dark Reader that’s on multiple browser engines. See another user’s comment that replied to me.

HTTPS with no VPN:

You trust the web site to encrypt your data if and only if the web site has properly implemented encryption along with encrypted DNS traffic. Sometimes you make a connection to HTTP before you’re redirected to HTTPS. Your ISP can see what web sites you visit, but the ISP can’t see what you’re doing because the traffic is encrypted so long as encryption is implemented correctly. ISP knows you went to https://www.website.com/.

Conclusion: Your ISP knows exactly what web sites you visit, but can’t see what you’re doing on the web site (if encryption is properly configured by the web site provider).

HTTP or HTTPS with trusted VPN (e.g., Mullvad):

You trust the VPN provider. Your connections are encrypted entirely. Your ISP can’t see what web sites you’re visiting nor can they interpret your traffic.

Conclusion: Your ISP is completely blind to what you’re doing and where you’re going.

ExpressVPN:

"HTTPS is essential for security, but it can only do so much. Don’t fall into a false sense of security—there are limitations to HTTPS protection:

• HTTPS doesn’t hide what websites you visit. Your ISP or network provider can still see which sites you access, even if they can’t view what you do on them.
• HTTPS won’t protect data stored on a website. If a site suffers a data breach, HTTPS won’t prevent hackers from accessing your saved information.
• HTTPS cannot encrypt all your internet traffic. It only secures connections between your browser and a site—not your entire internet activity.
• You have no control over HTTPS. The protocol is set by website owners, so if you visit a website without HTTPS protection, there is no way for you to enable it." Source: https://www.expressvpn.com/blog/https-vs-vpn/

PureVPN:

"HTTPS:

• Encrypts data between your browser and websites.
• Protects against eavesdropping on web transactions.
• Activated automatically with ‘https://’ VPN:
• Encrypts and routes all internet traffic, including from apps.
• Protects the entire internet connection. A VPN is used to establish an encrypted connection - also referred to as tunnel - between your device and unsecure network like the Internet. Since all your traffic goes through the VPN’s server rather than that of your ISP, nobody can find out what you’re up to online. What HTTPS Cannot Do?
• Hide Your IP Address: HTTPS doesn’t mask your IP address. Websites and your ISP can still see your IP and location, whereas a VPN hides your IP, making your online presence more anonymous.
• Encrypt All Internet Traffic: HTTPS only secures data between your browser and websites. A VPN encrypts all your internet traffic, including apps and services outside your browser.
• Prevent ISP Tracking: Your ISP can still see which sites you visit with HTTPS, they just can’t see the exact content. A VPN encrypts all your traffic, preventing ISPs from tracking your web activities. https://www.purevpn.com/blog/https-vs-vpn/

Here are more sources I won’t quote, but you can read:

• https://www.zdnet.com/article/reader-question-answered-if-i-have-https-do-i-need-a-vpn/
• https://nordvpn.com/blog/https-vs-vpn/
• Mullvad. This is more advanced as the article is targeted to technical users. However, it explains how they handle encrypted DNS in their services: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls

Use of a VPN depends on your privacy threat model.

Using VPN at all times while using the internet like one normally does is beneficial only to the extent that you encrypt your traffic and prevent your ISP from spying on you… mostly. But if you’re logging into known accounts associated with you, then it’s a moot point. Your traffic is encrypted, but your use of services leaves an easy to follow cookie trail of where you’ve been.

If your privacy threat model is much more serious, then you wouldn’t login to any known accounts while on your VPN. You wouldn’t use services that can be pinpointed to you.

Hence, use a VPN to your discretion. If you generally don’t want your ISP spying on you, keeping it on is always best practice. If you have more things to hide, you’d want to use Tor while on VPN and of course don’t use any services that could be linked to you.

Nothing much you can do except make it harder for nefarious parties to get your information. If you’re in the U.S. most of your information is public. With two pieces of info about you, you’re one Google search away from your name, physical address, schools you went to, where you’re employed, etc. You can’t stop this, so just make it harder when your data does get leaked.

Here are my best practices:

• Own my email domain name and use it for generating unlimited random aliases.
• Update old accounts using a random alias.
• Generate random usernames using a proper username generator. Unique username per account.
• If an old account email can’t be updated, changed, or deleted, spoil the information in their system by using fake info and then abandon the account (Anon O’Moose, 1234 Fake Street, Beverly Hills, CA 90210).
• One email alias per account - never shared.
• Unique passwords via a password manager (e.g., passwords like ‘Obtuse4-Entangle-Matrix’).
• Enable TOTP multi-factor authentication wherever possible.
• For legacy security questions, always use a passphrase generator for the answer, and save both the question and answer into your password manager. “In what city did you go to school?”Answer: “Bandit4-Topic-Guardian”.
• Save recovery codes for your accounts into your password manager.
• Leverage virtual credit card numbers if your provider offers it. One virtual card per account - never shared.
• Create accounts only if you have no choice.
• Submit your formal request in Opt Out Prescreen to minimise the sale of your info.
• Delete all centralised social media accounts. Instruct people to text or call you.
• Switch to Linux completely if you can. Get off Windows and Mac where possible.
• Get off iOS if you can and try to run a proper trusted degoogled OS where possible. You can experiment with Linux phones in the future, but right now it’s not mature enough yet nor is it as secure as something like Graphene OS on Pixel phones.
• Get all your data on prem only. If you choose to backup some data for safeguarding online, encrypt it before you upload it.
• If your phone number has been leaked and you’re getting multi factor code requests, excessive spam, etc. consider setting up a new phone line with new number. Then update all your accounts, employer, government records, etc. to point to the new phone number. Let your contacts know. Once satisfied, deactivate your old phone number.
• Minimise posting any personal details about yourself online. Never identify physical locations. Make up fake details about yourself, your employment, etc. Make yourself a little more anonymous by providing fake information. One day you have a pet, another day you’ve never had pets, one day you’re divorced, another day you’re 18 years old, etc. Strive to be consistently inconsistent with the data you post about yourself online. Lots of things I’ve said on Lemmy about myself are untrue, while some things are true. It’s important to not reveal personal identifiers as it is trivial for a determined actor to correlate data and pinpoint who you are.
• Never, ever have any usernames, passwords, email addresses, or security questions that have any meaningful information related to you. ALWAYS use random generators. There is only one password you need to remember, and that is the one password to your password manager. Write it down on paper using pencil (graphite lasts longer than ink) and stick it in a safe.
• Use a VPN properly and with discretion, based on your privacy threat model.