Six days after Ars revealed an online service selling links to tax returns, prescription refills, and reams of other sensitive information collected from more than four million browsers, the data remains available to existing customers—thanks, in part, to essential assistance from Google Analytics.
In a July 11 email, Nacho Analytics founder and CEO Mike Roberts told customers the site suffered a permanent data outage after its third-party supplier was no longer available. The site would no longer accept new customers or provide new data, he said, but customers who kept accounts open would still be able to access any existing data they bought previously.
As the redacted screenshots below demonstrate, the existing data is imported directly into customers’ Google Analytics accounts. That existing data can include the same sensitive information that led to Nacho Analytics being shut off in the first place. The first image shows the names of medical patients who obtained lab results through a Dr. Chrono, a patient care cloud platform that contracts with medical services. The one below that shows non-public project management issues taken from inside Tesla’s network, funneled to Nacho Analytics, and then imported into Google Analytics.
To be clear, data collected from the extensions is available only to customers who previously obtained it from Nacho Analytics. It’s not available to anyone who didn’t already have it. What’s more, the old adage about it not being possible to put toothpaste back in the tube fits this case. Once the non-public data was out there, there’s no way to ensure it gets returned.
Still, the help provided by Nacho Analytics and Google Analytics makes it considerably easier for customers to hold on to what could be gigabytes’ worth of browsing histories collected from millions of people.
Asked if the arrangement violates any of Google’s terms of service, a company representative wrote: “Passing data that personally identifies an individual, such as email addresses or mobile numbers, through Google Analytics is prohibited by our terms of service, and we take action on any account found doing so intentionally.” The representative also said that Google has suspended multiple Google Analytics properties owned by Nacho Analytics for violating Google terms of service. Google employees continue to investigate additional accounts that may be connected or integrated with Nacho Analytics, the representative said, on condition the person not be named or quoted.
Ars has also asked for comment from Nacho Analytics and some of the companies whose non-public data is still available. This post will be updated if any of the parties respond.
The sensitive data was caught up in DataSpii, the name for this incident coined by Sam Jadali, the researcher who discovered and documented the systemic privacy issue. DataSpii started with browser extensions—available mostly for Chrome but in more limited cases for Firefox as well—that had as many as 4.1 million users. These extensions collected the URLs and webpage titles of every page that the browser user visited. The Web histories were then published in near real-time by Nacho Analytics, which marketed itself as “God mode for the Internet” and used the tag line “See Anyone’s Analytics Account.”
Google removed the extensions from its Chrome Web Store a day after Jadali reported them. The company also remotely disabled them on the millions of computers that had them installed. (Mozilla removed and disabled the sole DataSpii extension in February.) About a week after Google’s actions, Nacho Analytics announced the data outage.
Many people assumed that DataSpii was shut down as a result. To the extent it stopped new non-public information from being published, it was. But anyone who obtained sensitive data in the past is welcome to hold on to it as long as they keep paying Nacho Analytics—and as long as Google Analytics continues to play a role in the dissemination.