82 Chrome Extensions Legally Sell Your Browsing Data—Ad Blockers and Streaming Tools Lead the List

The 71% Problem

LayerX's secondary finding may matter more than the headline. Of all extensions in the Chrome Web Store, 71% do not publish a privacy policy at all. The 82 confirmed sellers are the subset that actually disclosed their practices. Tens of thousands of extensions could be doing the same thing without saying so, and Google does not require them to.

The Chrome Web Store policy on user data is permissive: extensions must disclose data handling but do not have to limit it. As long as the privacy policy contains the words "may sell," the extension is compliant.

The Ad Blocker Paradox

Twelve ad blocking extensions appear on the list, with more than 5.5 million combined users. People install them to escape advertising surveillance. The extensions then sell the browsing data the ads would have collected. Specific examples include:

• Stands AdBlocker (3 million users): Privacy policy authorizes selling browsing data for "market analytics."
• Poper Blocker (2 million users): Discloses selling browsing activity, behavioral profiles, and inferred sensitive attributes.
• All Block / All Block YouTube (500,000 users): Sells "anonymized" data for analytical and commercial purposes.
• TwiBlocker (80,000 users): Transfers browsing data to unspecified third parties.
• Urban AdBlocker (10,000 users): Routes data through the BiScience data broker network.

"Anonymized" is doing heavy lifting in those policies. Browsing histories are notoriously easy to reidentify because the URL pattern of a single user—logins, searches, location specific pages—is effectively a fingerprint. Academic studies have repeatedly demonstrated that supposedly anonymized clickstreams can be matched to individuals with surprisingly little auxiliary data.

The QVI Network: 24 Streaming Tools, One Data Broker

The largest single cluster in the dataset is what LayerX calls the QVI Network—24 extensions branded as "dogooodapp" and published by HideApp LLC. Each one targets a streaming platform: Custom Profile Picture for Netflix (200,000 users), Hulu Ad Skipper (100,000 users), and similar tools for Disney+, Amazon Prime, HBO Max, Peacock, Paramount+, Apple TV+, Tubi, and Crunchyroll.

The privacy policies disclose that the extensions collect viewing history, content preferences, subscription status, and demographic data, then share it with the "Quality Viewership Initiative" for analytics. The branding makes it sound like industry research. The function is selling consumer behavior data to whoever pays.

B2B Surveillance Hidden in Productivity Tools

Twenty nine of the 82 extensions are sales intelligence tools used inside enterprises. They sit in employee browsers, capture which internal URLs and SaaS dashboards are visited, and feed that activity into commercial datasets sold to competitors and recruiters. From the employer's perspective, every employee with one of these extensions installed is leaking the company's internal browsing patterns to a third party every day.

This is the same category that drove LinkedIn's recent decision to scan every Chrome extension installed on its members' browsers, including the privacy tools they use to limit LinkedIn's own tracking. Extensions are the most under-governed surface in modern computing.

The Email Connection

Extensions that read your browsing also read your inbox. Several extensions on LayerX's list, including EmailOnDeck, explicitly reserve the right to sell or share mailing lists. Others request "read all data on websites you visit" permissions, which includes Gmail, Outlook, and any webmail you use. An extension with that permission set can scrape your emails as easily as it can scrape your search history.

This matters for tracking pixel detection too. The same broad permissions that let a malicious extension exfiltrate your inbox also let it disable extensions like Gblock that try to block tracking pixels. Combining a trusted extension with a permissive privacy policy is the most efficient way to compromise email privacy at scale.

Audit Your Extensions in Five Minutes

If you use Chrome, take a few minutes to clean up:

• Open chrome://extensions/. Review every extension you have installed. If you do not recognize it or do not actively use it, remove it.
• Click "Details" on each remaining extension. Look for the permissions list. Anything with "Read and change all your data on all websites" is reading every page you visit.
• Click the privacy policy link. Search the document for the words "sell," "share," "third party," and "data broker." If any of them appear in the data handling section, the extension is monetizing your browsing.
• Prefer extensions with narrow permissions. An extension that only needs to run on one site (e.g., gmail.com) should not request access to all websites.
• Stick to extensions from publishers you can verify. An extension with two reviews and a publisher name you have never heard of is a higher risk than one from a known privacy organization.

Why Google Will Not Fix This

The Chrome Web Store enforces what extensions disclose, not what they do. As long as a privacy policy exists and the language is technically truthful, the extension is allowed. Removing every extension that sells data would also force Google to confront its own ad business, which monetizes browsing in ways that look very similar from the outside.

Until that changes, the responsibility lands on users. Every extension you install is a third party with read access to your browser. Pick them like you pick the apps that have access to your phone—because the privacy implications are the same. The 82 extensions LayerX flagged are still in the Web Store. They will still be there next month. The fine print already warned you.