The privacy policy gap explained: what 3,000 Chrome extensions collect without telling you
Georgia Tech's Arcanum study found 3,000+ Chrome extensions silently collect your data — and none disclose it in their privacy policy. Here's how to check.
You read the privacy policy before installing your last browser extension, right? Neither did I. But here's the more uncomfortable truth: even if you had, it probably wouldn't have told you what the extension was actually doing.
Georgia Tech researchers spent months running over 100,000 Chrome extensions through a custom detection system called Arcanum. Their paper, published at the USENIX Security Symposium in 2024, produced a finding that's hard to ignore: more than 3,000 extensions automatically extract user-specific data from the websites you visit. Over 200 of those upload your sensitive data directly to external servers. And none of the sampled extensions with these behaviors clearly disclosed them in their privacy policies or Chrome Web Store descriptions.
Not a single one.
What the Chrome Web Store privacy policy is supposed to do
Google requires every extension developer to submit a privacy policy before their extension can be listed. When you click "Privacy practices" on a Chrome Web Store listing, you get a breakdown of what data the extension declares it collects — financial info, location, browsing history, and so on.
The assumption is that these disclosures are accurate. If an extension collects your data, it says so. If it doesn't, it says that too. This is the system's safeguard against extensions that quietly harvest user data.
The Arcanum study tested whether that assumption holds. The result: it doesn't.
What "automatically extracting data" actually means
When you visit a website — Gmail, Amazon, LinkedIn, PayPal — your browser renders everything on screen as a structured document called the DOM (Document Object Model). Every element you see is part of that tree: your inbox, your order history, your account balance, your contacts.
Any extension with host permissions for that domain can read that DOM. That's not a vulnerability — it's how browser extensions are designed to work. The same access that lets a shopping extension show you price comparisons also lets it read everything else on the Amazon page.
Arcanum monitored what extensions actually did with that access at runtime. The researchers watched data flows — what got read, what got transmitted, where it went. Extensions that triggered automatic, unprompted extraction of personal data got flagged.
The result was 3,000+ extensions doing exactly that. Not because they were compromised or hacked. Because they were built that way — and their privacy policies said nothing about it.
The data being extracted
Arcanum's team monitored seven websites widely used for sensitive activities: Amazon, Facebook, Gmail, Instagram, LinkedIn, Outlook, and PayPal. According to the Georgia Tech study announcement, the sensitive data categories being extracted include:
- Email content — subject lines, message bodies, sender and recipient addresses from Gmail and Outlook
- Social media activity — personal details, connections, and conversation content from Facebook and Instagram
- Shopping records — purchase histories, saved addresses, and payment metadata from Amazon
- Professional information — work history, connections, and contact details from LinkedIn
- Financial and medical data — account information and health records from monitored pages
The 200+ extensions that went further — actively uploading this data to external servers — represent the highest-risk tier. These aren't just reading local data; they're actively transmitting it. As Georgia Tech researcher Qinge Xie noted in the announcement: "The same capabilities that extensions rely on to enrich the web browsing experience can also be abused to harm user privacy, and potentially without users' knowledge or explicit consent."
Why reading the privacy policy won't save you
The deeper problem Arcanum exposed isn't just the data collection — it's the disclosure failure.
A Carnegie Mellon study found that reading all the privacy policies a typical internet user encounters in a year would take around 76 working days. Nobody does that. Extension developers know it, and some exploit it. But even the users who do read privacy policies can't protect themselves when those policies are incomplete.
The Arcanum researchers specifically checked extension store listings and privacy documents for the sampled extensions. None of them described their automated data collection clearly. Not one extension in the flagged set had a policy that said: "we read and transmit the contents of your Gmail inbox to external servers."
This isn't a legal loophole. It's a gap between what Chrome Web Store approval checks and what extensions execute at runtime. Approval is based on declared behavior. Arcanum measured actual behavior. They didn't match.
When data access is legitimate — and when it's a red flag
Not every extension that reads page content is a problem. Broad DOM access is how most useful browser tools work.
A grammar checker needs to read what you type. A price comparison tool needs to read product pages. A LinkedIn job tracker needs to access your profile data. The permission exists for good reasons.
The question isn't whether an extension has access — it's whether that access is scoped to what the feature actually requires, and whether the extension is transparent about it. Three questions that matter:
- Does the extension disclose what data it accesses, why it needs it, and where it goes?
- Is collection limited to what the feature you installed actually requires?
- Is data processed locally on your device, or transmitted to external servers?
Extensions that fail on all three — broad access, no disclosure, external transmission — are the Arcanum category. There's also a grey zone: tools with legitimate use cases that collect more than necessary. Scope creep is common and often unintentional, but it still puts your data at risk if the extension is later acquired, compromised, or sold to new owners.
The hard part: you can't tell which category an extension falls into by reading its store listing, because the store listing doesn't have to say.
What Chrome would have to change to close the gap
The Arcanum researchers framed the problem as a mismatch between declared and executed behavior. Chrome's review process inspects the manifest, the store listing, and (to some extent) the static code; it does not continuously observe what the extension actually does once it's running on your machine. Closing that gap would require something closer to what mobile platforms attempt: runtime monitoring, instrumented sandboxes, and re-review whenever the extension's network destinations change.
Mozilla has taken a small step in that direction with its data_collection_permissions manifest field, which forces developers to declare data categories at install time, in a structured form Firefox can show in the install prompt. The disclosure is still self-reported — there's no runtime enforcement that an extension actually limits itself to what it declared — but it makes mismatches easier to audit because the declaration is now machine-readable rather than buried in a PDF privacy policy.
Chrome has no equivalent today. The Web Store's "Privacy practices" tab is one-shot, free-text, and not directly tied to the extension's runtime behavior. Until that changes, the most reliable check is observation rather than disclosure: looking at what each extension actually requests at runtime, what domains it talks to, and how its real behavior compares to its category peers.
How to check your extensions
You can't rely on privacy policies to catch this. But you can reduce your exposure.
Audit host permissions. In Chrome, open chrome://extensions, click "Details" on each extension, and look at "Site access." Extensions with "On all sites" access or named access to services like Gmail, LinkedIn, or PayPal have DOM access to sensitive activities on those sites. For each one, ask: does the core feature actually require this access, or is it broader than necessary?
Check the "Privacy practices" tab before installing. If an extension requests broad host permissions but declares minimal data collection, that mismatch is exactly the transparency gap Arcanum documented. Mismatches aren't proof of wrongdoing, but they're worth scrutinizing before you install.
Remove extensions you don't actively use. Every installed extension with host permissions is active surface area. Dormant tools you installed once and forgot still carry the same access as the ones you use daily.
Look up extensions before you install. The Extenshi catalog tracks permission profiles across Chrome extensions and surfaces unusual patterns. If an extension requests more than its stated functionality requires, that shows up in its risk profile — before you grant access.
This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].
Related Articles
AI browser assistant extensions explained: what nine popular add-ons were actually doing with your data
AI browser assistant data collection can sweep up your SSN and medical data — UC Davis tested 9 GenAI extensions and found just that. Here's what they access.
The `tabs` permission explained: what browser extensions can really see in your open tabs
The tabs permission lets Chrome extensions log every URL you visit in real time — no history permission needed. Here's what it does and how to audit yours.
Extension fingerprinting explained: what websites can read about you from your installed add-ons
LinkedIn scanned 6,236 Chrome extensions to fingerprint users without consent. Here's how extension fingerprinting works and how to check if you're exposed.