Ranking AI-Powered Chrome Extensions by Privacy Risk in 2025
Popular, “AI-powered” browser extensions, like those made available through Google’s Chrome Web Store, are often marketed as life-changing assistive technologies, promising to dramatically improve productivity. But the AI hype has overshadowed the considerable privacy risks presented by potentially giving third parties permission to view, track, and record everything that happens in a browser.
Incogni’s researchers have taken a data-driven approach to examining 238 AI-powered Chrome browser extensions, each with over 1,000 users. They analyzed the permissions required by these extensions and the data their publishers admit to collecting. The results are presented as a series of rankings, compiled according to the privacy risk posed by individual extensions and functionally defined groups of extensions.
The AI Chrome extension market, valued at $1.5 B in 2023, is projected to grow at a staggering 25% compound annual rate, reaching $7.8 B in value by 2031. [1] Such booming popularity raises concerns surrounding privacy and security.
While Chrome users might not (and certainly should not) expect any significant privacy levels from their browsers, they do expect a minimum level of security. Many users place implicit trust in Google’s ecosystem, assuming that third-party extensions vetted through the Chrome Web Store are equally trustworthy—but these companies can suffer data breaches that expose sensitive user data. Recently revealed Chrome extension hacks show how easily Chrome’s security can be undermined, and how disastrous a breach like this can be for users’ privacy, with 35+ compromised extensions potentially leaving over 2.6 M users’ data exposed and credentials stolen. [2]
Key insights:
- The investigated extensions require 3 permissions each on average. Extensions that integrate websites with AI require the greatest number of permissions (3.8 on average).
- Two-thirds (67%) of analyzed extensions collect user data.
- 41% of the extensions examined collect personally identifiable information (PII).
- Also 41% of investigated extensions have a high risk impact—if compromised, they could be highly damaging to users’ cybersecurity.
- Among the most popular extensions, the most privacy-invasive was DeepL: AI translator and writing assistant, followed by AI Grammar Checker & Paraphraser and Sider: ChatGPT Sidebar + GPT-4o.
- Grammarly, DeepL, and Sider were recognized as the most popular extensions with high risk impact.
- Audiovisual generators constitute the least privacy-invasive AI-powered Chrome extension category, while programming assistants are the most privacy-invasive.
Overall rankings
To understand general trends in how extensions interact with user data (and permissions that have serious implications for privacy), we ranked our manually derived categories. This ranking is based on how much data is collected and how many permissions the extensions in these categories require (see Methodology section).
Data collection
The Chrome store defines 9 categories of personal data that developers can indicate as being collected. These are:
- Personally identifiable information (PII): including names, addresses, email addresses, and similar details. This is the most frequently collected data in all but 3 of the 9 categories: personal assistants or general purpose, integrating or connecting, and writing assistants. A whopping 41% of all investigated extensions collect personally identifiable information. At least a quarter of the extensions in every category except for audiovisual generators collect PII.
- Financial and payment information: including transactions, credit card numbers, credit rating scores, and the like. This data is collected by 7% of all investigated extensions and is most frequently seen in the text/video summarizer category, with 15% of extensions in this group collecting financial and payment information. Following closely behind, 14% of extensions in the audio transcriber category collect financial information.
- Authentication information: including passwords, credentials, security questions, and personal identification numbers (PINs). Authentication information is collected by 18% of all extensions, most frequently by extensions in the audio transcriber and programming helper categories.
- Personal communications: including communications contained in emails, SMS texts, and chat messages. Collected by 15% of investigated extensions and 27% of those in the writing assistant category.
- Location: refers to data like region, IP address, and GPS coordinates. Collected by 13% of investigated extensions and a whopping 25% of those in the programming helpers category. The closest category was that of integrating or connecting extensions at 18%.
- Web history: this refers to the list of web pages a user has visited, as well as associated data such as page titles and access times. Collected by 8% of all extensions, with integrating or connecting and text/video summarizing extensions leading the way at 18% and 15%, respectively.
- User activity: including information such as that collected through network monitoring, clicks, mouse position, scroll position, and keystroke logging. Collected by 22% of investigated extensions, most frequently by programming helpers, at 63%, and text/video summarizers, at 30%.
- Website content: including text, images, sounds, videos, and hyperlinks. This data is collected by 39% of investigated extensions, most prominently in the writing assistant and audio transcriber/recorder categories, at 55% and 50%, respectively.
- Health information: No investigated extensions claim to collect this information, but it refers to things such as heart rate data and medical histories.
Permissions
Permissions give extensions access to their users’ browser functions and potentially the information these users access using the Chrome browser.
Some notable permissions:
- activeTab: required by 93 extensions, it gives extensions temporary access to the currently active browser tab. The most frequently used sensitive permission for extensions in the information lookup and collection, audio transcriber, and other categories.
- scripting: required by 88 extensions, it grants them the ability to inject code into websites. This permission is the most used sensitive permission in the programming helper category, and it’s quite popular in the writing assistant category.
- all_urls: required by 67 extensions, it gives extensions the ability to run on all pages the user’s browser opens. This permission is the most used sensitive permission in the audiovisual generator category.
- webRequest: required by 14 extensions, it allows extensions to analyze traffic and to intercept, block, and modify requests in flight.
Incogni’s researchers also observed that the Downloads permission (to initiate, monitor, manipulate, and search for downloads) was required by two extensions (SpeechText.AI: Record, Capture & Transcribe and ProfilePro – GMB SEO AI Tool (Google Business Profile SEO)).
Also of note were two extensions—HARPA AI | Automation Agent with Claude & GPTs and AI Webcam Effects + Recorder: Google Meet, Zoom, Discord & Other Meetings—requiring browsingData (to remove browsing data from a user’s local profile). The permission desktopCapture (to capture screen, window, and tab content) was also requested by one extension: Bluedot: AI Meeting Recorder & Notetaker.
Risk impact and risk likelihood
There are two additional measures that can be extremely useful in determining how much of a privacy risk is involved in installing a given Chrome extension: risk impact and risk likelihood.
Risk impact is an attempt to ascribe a measure to how dire the consequences could be if an extension were to be turned against its users, either by the current owner or developer, a new owner or developer, or a malicious third party. Risk impact is based on the number of permissions an extension requires.
Risk likelihood is related to the perceived probability of a Chrome extension turning malicious. It’s derived by considering the publisher’s and extension’s reputation on the Chrome Web Store, how long the extension has been available on the store, and other data points concerning the extension and its publisher.
So the risk impact is related to how much damage an extension could do in the wrong hands, while the risk likelihood speaks to the probability of an extension’s current publisher using it against its users.
A high risk impact extension could have the potential to capture passwords, exfiltrate other sensitive user data, and exert control over the user’s browser. As the recent Chrome extension hacks [2] have shown, an extension’s publisher or developer need not “go rogue”, nor does the extension need to change hands, for a high risk impact extension to run amok.
For these reasons, we recommend placing more importance on risk impact than risk likelihood metrics—a low risk impact extension is unlikely to be able to do much damage as long as the user doesn’t grant it additional permissions post-install.
Calculation
To arrive at our findings, our researchers scored the data collected and permissions required by the investigated extensions. These scores aim to capture a necessarily simplified, numerical overview of how much of a privacy risk a given extension represents. They were calculated as follows:
- The amount of user data that is collected is multiplied by 2.
- The number of sensitive permissions required is multiplied by 2.
- The above results are then added to the number of non-sensitive permissions required.
In this way, we’ve “penalized” extensions for collecting user data and for requiring sensitive permissions. The higher the score, the worse an extension is for user privacy. We averaged the privacy scores of extensions within each category to compare privacy metrics across different categories.
If two or more extensions had the same score within a rank, we decided which had the higher privacy invasiveness according to their risk impact and risk likelihood. If one extension had a higher risk impact or risk likelihood than another, we ranked it as more privacy-invasive.
More information regarding this scoring system can be found in the Methodology section.
Results
From our research, we developed a privacy ranking list that categorizes AI Chrome extensions by their use cases and scores each category on how privacy-invasive it is, based on risk likelihood (data collected) and potential impact (sensitivity of data). For example, AI video generators were typically the least privacy-invasive, while AI programming assistants were the most invasive and had the highest risk profile.
The extensions we examined require 3 permissions on average, including one sensitive permission. They also collect between one and two data types from their users (covering an average of 1.6 data categories per extension). The 3 most privacy-invasive extension categories are also the top 3 in terms of how many sensitive permissions they require.
Extensions in the programming assistants category were found to collect the highest number of data points (2.4 on average), propelling them into first place for privacy risk. This is also the only category where user activity is among the 2 most-collected data points. User activity tracking is one of the highest privacy risk factors, as it denotes capturing everything from highly personal data and sensitive company information to keystrokes, passwords, timestamps, and even behavioral patterns.
Personal assistants and general-purpose extensions have the highest variety of functions, but they also collect a large amount of data and require many permissions, leaving them in second place in terms of privacy risk.
Integrating or connecting extensions (extensions that integrate platforms with so-called AI systems) require the highest average number of permissions (3.8) and constitute our third-most privacy-invasive category. They’re followed by personal assistants or general purpose extensions (with 3.2 permissions requested on average).
We also observed an interesting case of categories having an overall high (bad) score, despite having few non-sensitive permissions. Information lookup and collection and programming assistant extensions request few permissions, on average, but a relatively high proportion of those permissions are sensitive.
The audiovisual generator category is the least privacy-invasive AI-powered Chrome extension category, according to our ranking. This is primarily due to the limited amount of data that extensions in this category collect.
In second-last place in order of decreasing privacy risk, we found extensions that ostensibly help users with information lookup and collection. This position was mostly determined by the relatively low amount of data collected, in spite of a high number of required permissions.
The writing assistant category comes in third-to-last place, if we ignore uncategorized extensions (gathered together in the other category). Despite the relatively high average number of data points collected, the limited permission requirements keep the risk score for this category relatively low.
In our sample, 3 personal assistant extensions have both a high risk likelihood and high risk impact: LinkedIn AI Outreach Copilot, Yaseen AI – ChatPlayground & BrowserCopilot, and Casper AI. The following three extension categories had one extension each with both high risk impact and risk likelihood scores:
- Text/video summarizers, with the Observe.AI Screen Recording extension,
- Helpers for Information lookup and collection, with the StudyX: Your AI Homework, Writing & Reading Assistant extension,
- Audio transcribers/recorders, with the Fathom AI Meeting Assistant for Google Meet extension.
When it comes to extensions with high risk impact (irrespective of risk likelihood), extensions from the audio transcribers/recorders category dominate, with over ¾ of them being classified as posing either a high or very high risk impact. Almost half of the extensions in both the personal assistant or general purpose and audiovisual generators categories also present high or very high risk impacts.
There are fewer extensions with high risk likelihoods. However, text or video summarizers and helpers for information lookup and collection stand out here, with around 1 in 10 extensions in these categories being classified as having a high risk likelihood.
The most popular AI-powered extensions ranked by their privacy-invasiveness
We identified the 9 most popular extensions, each with a user base of at least 2 M people, and ranked them according to scores based on the number of data points collected and the permissions and sensitive permissions required. The higher the score the higher the risk to users’ privacy.
Among the most popular extensions we examined, the most privacy-invasive was DeepL: AI translator and writing assistant, which requires the highest number of sensitive permissions at 4, including scripting and webRequest. It also collects 5 data points (including personal communications and user activity) and requires 5 permissions, which is a significant amount compared to other extensions.
AI Grammar Checker & Paraphraser – LanguageTool, the second-most privacy-invasive extension, also collects 5 data points and requires a relatively high number of sensitive permissions (2): scripting and activeTab.
Sider: ChatGPT Sidebar + GPT-4o, Claude 3.5, Gemini 1.5 & AI Tools ranks third, requiring the highest number of sensitive permissions (4), including offscreen and all_urls.
Quillbolt, ranked fourth-most privacy-invasive, collects 4 data points (including website content, location, and personally identifiable information) and requires 3 permissions and 2 sensitive permissions: scripting and activeTab. Grammarly: AI Writing and Grammar Checker App, meanwhile, stands out for collecting a very high number of data points.
Notably, three of these extensions have a high risk impact, which means that, theoretically, they have the ability to exfiltrate or compromise a lot of sensitive user data or otherwise encroach upon users’ privacy (in terms of being the worst for user privacy):
- Grammarly: AI Writing and Grammar Checker App is categorized as a writing assistant and has 48 M users
- DeepL: AI translator and writing assistant was put in the other category (since it’s primarily presented as a translator, which was not seen frequently enough to merit its own category). It has 4 M users, and is tied for first in terms of the number of permissions it requires.
- Sider: ChatGPT Sidebar + GPT-4o, Claude 3.5, Gemini 1.5 & AI Tools is categorized as a tool and has 3 M users.
Only one extension, AI Grammar Checker & Paraphraser, has a low risk impact while the remaining extensions are classified as having a moderate risk impact.
Results by categories
In this section, we drill down into each category, taking a closer look at the extensions that make them up and identifying which extensions in a given category might prove less risky than the others. It’s important to note, though, that our researchers haven’t personally tested most of these extensions (such testing is outside the scope of this study).
None of our suggestions should be taken as recommendations, but merely as demonstrations of how a user could use freely available information like that concerning data collection and permissions to make better informed decisions when installing Chrome extensions.
We at Incogni cannot in good faith recommend the Chrome browser nor any of the extensions discussed here.
Personal assistant or general purpose extensions
Incogni’s researchers determined that 41 extensions belonged to the category of personal assistant or general purpose extensions. These extensions claim a broad range of features and, in practice, connect a so-called AI agent to users’ browsers for a variety of purposes. The extension descriptions in this group prominently featured keywords like “personal assistant”.
Extensions in the personal assistant or general purpose category displayed significant variation in their privacy scores, with an average of 8.2 for both data collected and permissions required, 3.7 for data collected alone, and 4.5 for the permissions they require.
The extensions presenting the greatest privacy risk in the category are HARPA AI | Automation Agent with Claude & GPT, AnswerAI – Homework AI Tutor powered by GPT-4, and HyperWrite – AI Assistant. HARPA AI leads the category in terms of its permissions required score. HyperWrite has the highest data collection score, and AnswerAI has a high average for both.
Bing AI presents the lowest privacy risk in this category, according to our metrics, with aiApply : Cover Letter Generator coming in second and Claude AI in third in order of increasing privacy risk. Notably, the 5 least risky extensions in this category claim to not collect any user data at all—a claim that should be taken with a grain of salt when the source code is not made available for public audit.
For those seeking personal assistant extensions:
Instead of data and permission hungry extensions like Monica – Your AI Copilot powered by ChatGPT4 (which has a score of 14), users might consider a less popular, but lower-scoring, option like ChatsNow:ChatGPT, Claude SideBar(GPT- 4,Web) (which has a score of 6) or Chapa – Your AI Assistant powered by GPT (which has a score of 3).
Writing assistant extensions
Incogni’s researchers placed 44 extensions into the writing assistant category. These extensions use so-called AI to help users write emails, SEO copy, and posts for social media, among other use cases. While some extensions in other categories might be able to fulfill the same use cases, the extensions classified as writing assistants primarily emphasize writing in their descriptions.
Writing assistants displayed significant variation in their privacy scores, with an average of 7.4 for both data collected and permissions required, 3.9 for collected data alone, and 3.5 for the permissions they require.
Scoring the worst on our privacy metrics were FlyMSG: AI Writer & Autofill Text Expander, AI Blaze: Instantly Use AI in Any Webpage, and AI Grammar Checker & Paraphraser – LanguageTool.
AI SEO Assistant, AI Generator for Wix SEO, and AI Alt Text for Wix are all tied for first in the writing assistant category, having scores of 0, with the next two best-scoring extensions having a score of 1. These extensions claim to collect no data and require only one permission each.
For those seeking extensions for email writing:
Instead of data and permission hungry extensions like Addy AI – ChatGPT Email Assistant (which has a score of 8), users might consider a less popular, but more privacy-friendly option like Ellie: Your Professional AI Email Assistant (which has a score of 5).
For those seeking extensions for copywriting:
Instead of data and permission-hungry extensions like Copymatic – AI Content Writer & Chat (which has a score of 13) and AIPRM for ChatGPT (with a score of 9), users might consider a less popular, but more privacy-friendly option like Writesonic: AI Writing, SEO, and Keywords (which has a score of 2) or AI SEO Assistant (with a score of 0).
For those seeking extensions for social media posts:
Instead of data and permission-hungry extensions like evyAI – AI Assistant for Social Media (with a score of 14) and Fablerr — AI for Social Media (with a score of 8), users might consider a less popular but more privacy-friendly option like Engage AI – ChatGPT for Social Media (with a score of 4).
Text or video summarizer extensions
We categorized 20 extensions as falling into the summarizer category. Among these, two primary sub-categories emerge: one that deals with video and one that emphasizes textual content.
The extensions in this category displayed a significant variation in their privacy scores, with an average of 7.8 for collected data and permissions required, 4.0 for data collected alone, and 3.8 for the permissions they require.
The worst-scoring extensions according to our privacy metrics are AI-powered Notes on Videos – Video Notebook (with a score of 23), Tammy AI: YouTube Summarizer with Chat QnA (with a score of 15) and Elmo Chat – Your AI Web Copilot, tied with Wayin AI – Understanding Videos in Seconds (YouTube Summarizer & Chat) (both with scores of 13).
The better-scoring extensions in this category are Gistly: YouTube AI Summary with ChatGPT (which has a score of 0), Gimme Summary – Get summary using ChatGPT AI (with a score of 1), and YouTube Videos Summary with ChatGPT AI (with a score of 2). Interestingly, even some of the least privacy invading extensions in this category require some sensitive permissions.
For those seeking extensions for video summarization:
Instead of AI-powered Notes on Videos – Video Notebook (with a score of 23) or Tammy AI: YouTube Summarizer with Chat QnA (with a score of 15), users could consider more privacy-respecting extensions like Gistly: YouTube AI Summary with ChatGPT (with a score of 0) or YouTube Videos Summary with ChatGPT AI (with a score of 2).
For those seeking extensions for text summarization:
Instead of Elmo Chat – Your AI Web Copilot (with a score of 13), users could consider a seemingly more privacy respecting extension like Gimme Summary – Get summary using ChatGPT AI (with a score of 1).
Helper for information lookup and collection extensions
We categorized 43 extensions as falling into the information lookup and collection category. Amongst these, three primary sub-categories emerge: study aides, search enhancers, and homework helpers.
The extensions in this category displayed a significant variation in their privacy scores, with an average of 6.9 for data collected and permissions required, 2.5 for data collected alone, and 4.4 for the permissions they require.
StudyX: Your AI Homework, Writing & Reading Assistant and Slid: AI-powered Video Note-taking App are tied for first in terms of privacy risk in this category. They both stand out as collecting the most user information as well. The other potentially more privacy-invasive extensions have more of their scores coming from the permissions they require.
The less risky extensions in this category, such as Perplexity – AI Search and You.com: Default AI Search & Chat, don’t require any permissions and claim not to collect any data. But permissions are apparently difficult to avoid, and all other extensions in the category do require at least one.
For those seeking extensions for search enhancement:
Instead of ChatGPT for Google (with a score of 14), users could consider a seemingly more privacy respecting extension like Perplexity – AI Search (with a score of 0) or You.com: AI Search Assistant (with a score of 2).
For those seeking extensions for homework or study helpers:
Instead of StudyX: Your AI Homework, Writing & Reading Assistant (with a score of 17) or Knowee (formerly StudyGPT) – Your Study Copilot powered by GPT-4 (with a score of 15), users could consider a seemingly more privacy respecting extension like Quizard AI – Homework Tutor (with a score of 6) or StudyPal AI – Ultimate Homework Helper (with a score of 7).
Audio transcriber/recorder extensions
We categorized 21 extensions as falling into the audio transcriber/recorder category. This category is dominated by extensions that record and summarize Google, Zoom, or Microsoft Teams meetings.
These extensions displayed a significant variation in their privacy scores, with an average of 7.7 for data collected and permissions required, 3.5 for data collected alone, and 4.2 for the permissions they require.
Among the least privacy-friendly extensions in this category, we saw a high degree of variation in how the scores were constituted. For example, SpeechText.AI: Record, Capture & Transcribe (tied for third-worst) does not collect any data, which is not common in this category. The second-worst extension for user privacy, Bubbles – AI Meeting Notes & Screen Recorder, requires 4 sensitive permissions, giving it a score of 8 in this category alone.
Incogni’s researchers found that 4 out of the 21 extensions in this category claim not to collect any data, and three of these (Fathom AI Meeting Assistant for Google Meet, Supernormal: AI Meeting Notes, and Google Meet Transcripts & AI Summary) are among the 5 least privacy-invasive. AI Meeting Summaries: Zoom, Meet & MS Teams is also among these 5 extensions, but it claims only to collect one data point, and does not seem to require any permissions.
For those seeking extensions to record and summarize meetings:
Instead of more privacy-hungry extensions, such as Bluedot: AI Meeting Recorder & Notetaker (with a score of 15) and Fireflies: AI meeting notes (with a score of 15), users could consider seemingly less risky extensions like Supernormal: AI Meeting Notes (with a score of 1) and Google Meet Transcripts & AI Summary (with a score of 1).
Programming assistant extensions
We categorized 8 extensions as falling into the programming assistant category. The category is rather narrow but enough extensions presented themselves in a way that emphasized coding that a separate category was justified.
These extensions displayed a significant variation in their privacy scores, with an average of 9.1 for data collected and permission required, 4.7 for data collected alone, and 4.4 for the permissions they require.
The programming assistant category stands out through a sudden change in scores as we approach the best scoring (lowest privacy-risk score) extensions. While this could be explained by the small sample size in the category, it could also indicate variations in the functions performed by extensions in this category.
For those seeking programming assistants:
Instead of more privacy hungry extensions, such as Bito AI – Use ChatGPT to 100x dev work (with a score of 12), users could consider seemingly less risky extensions like PR-Agent: AI-Powered Code Reviews & Chat (with a score of 3).
Audiovisual generator extensions
We categorized 14 extensions as falling into the audiovisual generator category. Among these, two primary sub-categories emerge: text-to-speech extensions (speech generators) and visual generators.
These extensions displayed a significant variation in their privacy scores, with an average of 5.6 for collected data and required permissions, 1.6 for data collected alone, and 4.0 for the permissions they require.
Among the worst-scoring extensions in this category, Supademo: AI interactive demos in seconds and NaturalReader – AI Text to Speech stand out for their high scores for sensitive permissions. Interestingly, Text to Speech TTS AI | Readvox claims not to collect any data, but is still tied for fourth in terms of privacy risk due to the permissions it requires.
Bearly.ai claims to not collect any data and doesn’t seem to require any permissions. Other well-scoring extensions such as Generate Image with AI and AI Image of the Day only require permissions and claim not to collect any data.
For those seeking extensions for text-to-speech (speech generators):
Instead of more privacy hungry extensions such as NaturalReader – AI Text to Speech (with a score of 11), users might consider potentially more privacy-friendly extensions like Text to Speech TTS AI | Readvox (with a score of 9).
For those seeking extensions for visual generators:
Instead of more privacy hungry extensions such as Free AI Art Generator – JourneyDraw (with a score of 3), users could consider seemingly more privacy-friendly extensions like Generate Image with AI (with a score of 1).
Integrating or connecting extensions
Extensions in this category emphasize that their functionality relies on a specific website or platform. They are used to automate or otherwise interact with one or more specific sites. We found 17 extensions belonging to this category.
These extensions displayed a significant variation in their privacy scores, with an average of 8.2 for data collected and permissions required, 3.0 for data collected alone, and 5.2 for the permissions they require.
In this category, with the exception of Sider: ChatGPT Sidebar + GPT-4o, Claude 3.5, Gemini 1.5 & AI Tools, and 1688 AIBUY: Official Global Sourcing AI Agent + Direct Shipping&Payment, poorly scoring extensions collect notable amounts of user data, something not seen across other categories.
On the other hand, the least risky extensions, other than the top 2: Complexity – Perplexity.ai supercharged and Treble.ai HubSpot Integration, collect user data, something that’s also not frequently seen in other categories.
Given that these extensions rely on specific platforms, it’s more difficult to find pairs or groups of extensions to compare.
Methodology
Data collection took place between October 3rd and 4th. We searched the Chrome Web Store [3] for extensions that had “AI” in their name or description. These extensions were then manually checked to ensure that their core functionality is reliant on, or closely associated with, so-called artificial intelligence (various combinations of machine learning (ML), deep learning (DL), and large language models (LLMs)). We excluded extensions that had fewer than 1,000 users.
For the remaining extensions, we noted what data they collect using the Chrome Web Store, as well as any required permissions and the risk-impact and risk-likelihood scores from Chrome-Stats [4]. Lastly, we manually categorized each extension into one of 8 categories (or the other category, if none of the 8 were found to be appropriate). This categorization was performed based on the descriptions of the extensions. You can see the category descriptions in the public dataset.
The scores on which the ranking is based were calculated according to the following formula:
Score = no. of data points collected [0-9] * 2 + no. of sensitive permissions required [0-13] * 2 + other permissions [0-40].
The higher this score, the greater the risk to users’ privacy.
The score clearly places emphasis on how much data is collected and permissions Incogni’s researchers consider sensitive. The weighting of these counts (by a factor of 2) penalizes extensions that collect data and require sensitive permissions.
If two or more extensions had the same score within a rank, we decided which had the higher privacy invasiveness according to its risk impact and risk likelihood. If one extension had a higher risk impact or risk likelihood than another, we ranked it as being more privacy-invasive.
Of course, as with any scoring system, this one cannot account for all the nuances and variances present in the dataset. Its purpose is rather to gauge the privacy implications of installing and using certain extensions.
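The scoring formula and tie-break rule above, applied to extension manifests, as an added example (not Incogni's code). The sample extensions and manifests are constructed; the sensitive set holds only the five permissions this page names as sensitive, and breaking ties by risk impact before risk likelihood is an assumption.

```python
import json

# Sensitive permissions named on this page. The study counts 13 in total but
# does not list them all, so this set is an assumption to extend as needed.
SENSITIVE = {"activeTab", "scripting", "all_urls", "webRequest", "offscreen"}

# The 9 Chrome Web Store data-disclosure categories listed on the page.
DATA_TYPES = {
    "pii", "financial", "authentication", "personal_communications",
    "location", "web_history", "user_activity", "website_content", "health",
}

# Risk levels as named in the study's text, ordered for tie-breaking.
RISK_LEVEL = {"low": 0, "moderate": 1, "high": 2, "very high": 3}


def _collect(manifest, keys):
    """Gather permission strings from the given manifest keys (MV2 or MV3)."""
    perms = set()
    for key in keys:
        for p in manifest.get(key, []):
            # "<all_urls>" is the match pattern behind the page's "all_urls".
            perms.add("all_urls" if p == "<all_urls>" else p)
    return perms


def privacy_score(data_collected, manifest_json):
    """Score = 2 * data types + 2 * sensitive permissions + other permissions."""
    data = set(data_collected)
    unknown = data - DATA_TYPES
    if unknown:
        raise ValueError(f"unknown data categories: {sorted(unknown)}")
    manifest = json.loads(manifest_json)
    # Assumption: each host pattern counts as one permission.
    installed = _collect(manifest, ("permissions", "host_permissions"))
    # Not scored, but worth reviewing: permissions grantable after install.
    optional = _collect(
        manifest, ("optional_permissions", "optional_host_permissions")
    ) - installed
    sensitive = installed & SENSITIVE
    other = installed - SENSITIVE
    return {
        "score": 2 * len(data) + 2 * len(sensitive) + len(other),
        "sensitive": sorted(sensitive),
        "other": sorted(other),
        "grantable_later": sorted(optional),
    }


def rank(extensions):
    """Names, most privacy-invasive first; ties go to the higher risk level."""
    def key(ext):
        score = privacy_score(ext["data"], ext["manifest"])["score"]
        # Assumption: impact is compared before likelihood.
        return (score, RISK_LEVEL[ext["impact"]], RISK_LEVEL[ext["likelihood"]])
    return [e["name"] for e in sorted(extensions, key=key, reverse=True)]


# Constructed sample data: hypothetical extensions, not from the study.
SAMPLE = [
    {"name": "page-summarizer",
     "data": ["website_content"],
     "manifest": '{"manifest_version": 3,'
                 ' "permissions": ["activeTab", "storage"]}',
     "impact": "low", "likelihood": "low"},
    {"name": "meeting-notes",
     "data": ["pii", "authentication", "personal_communications",
              "website_content"],
     "manifest": '{"manifest_version": 3,'
                 ' "permissions": ["activeTab", "scripting", "storage"],'
                 ' "optional_host_permissions": ["<all_urls>"]}',
     "impact": "moderate", "likelihood": "low"},
    {"name": "sidebar-assistant",
     "data": ["pii", "user_activity", "website_content"],
     "manifest": '{"manifest_version": 3,'
                 ' "permissions": ["storage", "scripting", "webRequest"],'
                 ' "host_permissions": ["<all_urls>"]}',
     "impact": "high", "likelihood": "low"},
]

if __name__ == "__main__":
    for ext in SAMPLE:
        print(ext["name"], privacy_score(ext["data"], ext["manifest"]))
    print("ranking:", rank(SAMPLE))
```

The two 13-point samples show the tie-break: the one with the higher risk impact ranks first. The `grantable_later` field surfaces permissions an extension can request after install, which the score itself does not count.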
The data used in this study is available here: Public dataset.
Sources
1. Market Research Intellect. “AI Chrome Extension Market Size and Projections.” Accessed December 30, 2024. https://www.marketresearchintellect.com/product/ai-chrome-extension-market/.
2. Lakshmanan, Ravie. “Dozens of Chrome Extensions Hacked, Exposing Millions of Users to Data Theft.” The Hacker News, December 29, 2024. https://thehackernews.com/2024/12/16-chrome-extensions-hacked-exposing.html.
3. Google. “Chrome Web Store.” Accessed December 30, 2024. https://chromewebstore.google.com.
4. Chrome-Stats. “Chrome Web Store stats.” Accessed December 30, 2024. https://chrome-stats.com.