Back to articles

AI browser assistant extensions explained: what nine popular add-ons were actually doing with your data

AI browser assistant data collection can sweep up your SSN and medical data — UC Davis tested 9 GenAI extensions and found just that. Here's what they access.

Maxim Kosterin
7 min read

Filling out your tax return while your AI browser assistant is active? That form data might have just left your browser.

A peer-reviewed study from UC Davis, presented at the USENIX Security Symposium in August 2025, is the most detailed audit of AI browser assistant data collection I've come across. Researchers didn't just analyze permissions — they actually monitored data flows in real time. What they documented across nine popular extensions includes implicit page content collection, third-party data sharing, persistent behavioral profiling, and in one case, an extension transmitting a Social Security Number scraped from an IRS form to external servers.

The lead researcher, Yash Vekaria, put it plainly: "Users should understand that any information they provide to these GenAI browser assistants can and will be stored."

None of the extensions named in the study have publicly responded to these specific behavioral findings.

What AI assistant extensions actually need

When you install a GenAI browser assistant — an AI sidebar, writing helper, or research tool — it requests permission to run on web pages you visit. To summarize an article or rewrite a paragraph, it needs to read what's on screen. That's the legitimate use case.

The mechanism is scripting access combined with broad host permissions. The extension's content script runs alongside the page you're visiting, with access to the full DOM — the complete rendered text of the page, including form fields, inputs, and dynamically loaded content. That's the same tabs and page-access reach I've broken down for other permission types.

This is standard and expected for AI tools that work with page content. The question the UC Davis researchers asked is: what happens to that content beyond the specific AI query you submitted?

Three AI browser assistant data collection behaviors that matter

The study classified behaviors into three patterns. Understanding them is the key to knowing which extensions deserve scrutiny.

Explicit collection is what you signed up for. You paste text into the AI interface, ask for a summary, and the extension sends that text to its servers for processing. Uncomfortable if you're pasting sensitive content, but at least intentional on your part.

Implicit collection is different. The extension reads page content without you requesting anything. You browsed to a page without touching the AI feature — and data was collected anyway.

According to the UC Davis findings, HARPA.AI collected all page content regardless of whether the user was actively using any of its AI features. The extension was passively reading every page in the background.

Third-party sharing is the third pattern: the data collected (whether explicitly or implicitly) being forwarded to analytics services, ad-tech infrastructure, or other external parties. The study found that Merlin and TinaMind both sent raw user queries and page content to Google Analytics and other third-party trackers — meaning your AI interactions weren't just going to the extension developer, but into broader data infrastructure.

What the UC Davis study found in each extension

The researchers tested Monica, Sider, ChatGPT for Google, Merlin, MaxAI, Perplexity, HARPA.AI, TinaMind, and Copilot.

Here's where it gets specific.

Merlin stands out as the most alarming finding. During testing, it transmitted the full content of an IRS form — including a Social Security Number — to third-party servers. According to the researchers, this wasn't intentional design; it was an unintended data leak caused by the extension sweeping up full page content without any filtering for sensitive data types.

You never asked Merlin to read your SSN. You never asked it to do anything on a tax form. But if Merlin was installed and active, it was reading everything on that page — and in this case, transmitting it.

HARPA.AI ran implicit collection continuously across all pages, according to the findings. Passive surveillance is an accurate description of the behavior documented.

Monica and Sider built persistent behavioral profiles, per the study. This goes beyond logging individual queries — it means building a model of browsing patterns across sessions. Over time, the extension developed a profile of what sites you visit, what you search for, and what content you engage with.

TinaMind showed minimal profiling behavior but still forwarded content to third-party services, per the findings. Lower profile-building risk, but data-sharing risk remained.

Perplexity came out at the less-alarming end of the scale — the researchers found minimal profiling behavior. That's a relative distinction, not a clean bill of health, but worth noting in context.

When this access is okay — and when it's not

Some of this is just how AI browser tools work. To summarize a page, the extension has to read it. That's expected and fine.

The risk assessment changes based on a few specifics.

Red flags:

  • An extension reads page content when you haven't activated it — you're browsing, not using the AI feature
  • Data flows to third-party analytics or ad-tech services rather than just the extension developer's servers
  • The extension has access to sensitive domains — banking, tax services, healthcare portals — without any scope restriction
  • The privacy policy doesn't clearly describe what page content gets collected, retained, or shared

Probably fine:

  • The extension only activates when you explicitly click it or highlight text for an AI action
  • Data goes to the developer's own servers for processing your specific query, not external trackers
  • The privacy policy describes data retention limits and explicitly excludes third-party sharing

The IRS form scenario from the Merlin finding is the clearest illustration of why defaults matter. Merlin is a legitimate AI writing tool with real users. The SSN transmission wasn't a deliberate feature — it happened because broad implicit collection had no guardrails on what types of data should be excluded.

The intent wasn't malicious. The outcome was still a privacy failure — and the user had no way to know it happened.

How to check your extensions right now

Start with the basics before doing anything else.

In Chrome: Open chrome://extensions, find your AI assistant extensions, click "Details," and look at "Site access." If it shows "On all sites," the extension has access to page content everywhere you browse — including tax portals, medical records platforms, and banking sites.

You can restrict this. Switch to "On click" to require manual activation. For AI tools where you invoke them deliberately, this keeps the feature working while removing passive access. For tools like HARPA.AI that are specifically designed around passive collection, it may break some functionality — which is actually informative.

Before installing anything new: Check the Chrome Web Store listing's "Privacy practices" tab. If an AI extension requests broad host permissions but declares minimal data collection, that mismatch is the privacy-policy transparency gap the Georgia Tech Arcanum study documented across thousands of extensions. It's not proof of wrongdoing, but it's worth scrutinizing.

Look up extensions before you trust them. The Extenshi catalog shows the full permission profile for Chrome extensions. If one AI assistant shows significantly broader access than similar tools in the same category, that's a signal — and it lines up with the broader pattern of AI extension data collection I've tracked.

You can compare Monica vs. Perplexity vs. TinaMind directly — the differences in declared scope are visible before you install.

Build one habit: before filling in a sensitive form — tax records, medical history, financial data — take five seconds to check which AI extensions are active in that browser profile. Disabling them temporarily costs nothing. The alternative, as the UC Davis finding shows, is that form content ends up places you never intended.

Check your AI extension permissions →


This article is based on publicly available security research and news reporting. Extenshi does not independently verify all claims made by third-party researchers. References to specific companies or products reflect the findings of cited sources and do not constitute accusations of intentional wrongdoing. If you believe any information is inaccurate, please contact us at [email protected].

Related Articles