Ghostery is Malware: A Story of Censored Firefox Extension Ratings

About two months ago, I had created a Mozilla Extension Ratings account (with username extensionratings) and submitted the Firefox Extension Rating for Ghostery below.  My constructive but critical review was quickly censored from being visible on Ghostery’s review page–I’m not sure if it was by Mozilla or Ghostery at this point. But since the link to the review itself still worked (but wasn’t visible to others without knowing the URL), I decided to create a Twitter account with username GhosteryCritic that was later suspended by Twitter–perhaps because I had mentioned too many other users in flagging my review to Mozilla, Ghostery, Evidon, and others.  Unfortunately the e-mail server needed to reset my Twitter account has since stopped operating, and the only remaining evidence of that Twitter account is a single tweet from one of the blogs that had (incorrectly, in my opinion) touted the potential privacy benefits of Ghostery.  After contacting the Mozilla team about what its (or Ghostery’s) censorship of critical reviews using their forms, Mozilla deleted my account and along with it, the review that–despite being censored from the view of other users in less than an hour–was also removed from its original URL at Ghostery deleted the same review (and my user account on their support site) after I posted the same feedback (below) to there for clarification.  There are several take-aways from this experience:

  • Mozilla censors negative but constructive add-on ratings, potentially with developer input
  • Ghostery ignores constructive criticism and censors critical questions on its own forum

In both cases, this completely contradicts the corporate culture (and in the case of Mozilla, operating model) that these two organizations purport to espouse.  Keeping in mind that my original review was written in July and applies to an earlier version of Ghostery, I wanted to share the full text:

After reading some mixed reviews and after using this extension for a while myself, I decided to do some digging around “under the hood” even though I’ve never used Ghostery’s GhostRank “feature,” which shares your browsing history with the company. I concluded that this add-on is a total scam, and doesn’t block tracking by Facebook, Google, and others–even when its notifications suggest otherwise.

For example, Ghostery version 2.9.6 is hard-coded to re-inject Facebook tracking scripts even when it doesn’t show related Facebook script content. You can see this for yourself in lines 101-119 after opening a file called ghostery.js in the subdirectory named /extensions/ of your Firefox profile folder.

This is in addition to the various “surrogate scripts” that Ghostery claims aren’t related to tracking (but *would* easily still track you if an ad-tracking company had any sense, since they explicitly connect you to 3rd-party sites). You can see this list for yourself in the /extensions/ file (open with text editor) of your Firefox profile folder.

Ghostery also gives your info to Google by explicitly white-listing Google’s domain, which you can also verify in a text editor with lines 159 and 160 of the ghostery-content-policy.js file found in the extensions/ subdirectory of your Firefox profile folder.

Ghostery’s use of the OpenSans-Bold font installed with the extension in your Firefox profile folder’s /extensions/ subdirectory can be used to fingerprint browsers, further decreasing user privacy. For more on these privacy compromises, see EFF’s Pantopiclick project.

You can see a list of the many sites where Ghostery doesn’t actually block scripts for “compatibility” reasons (i.e. corporate partners paid them off) by opening the file called ghostery-compatibility.json from your Firefox profile’s extensions/ subdirectory.

This extension deceives users into thinking that they’re not being tracked by ad companies when GhostRank is disabled. My own experience with Ghostery, however, suggests that this is not the case. Barring a detailed and thorough explanation of the above from the developer, I wouldn’t touch this extension with a ten-foot pole.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s