As generative artificial intelligence rapidly integrates into the digital tools we rely on daily, a recent investigative study has sounded an urgent alarm about the privacy pitfalls lurking beneath the convenience. Researchers from University College London (UCL) and Mediterranea University of Reggio Calabria have conducted the first large-scale audit uncovering how popular AI-powered web browser assistants, designed to enhance user experience, are simultaneously gathering and sharing deeply sensitive personal data without adequate protection mechanisms.
These AI extensions, including widely used tools like ChatGPT for Google, Merlin, and Copilot (distinct from Microsoft’s Copilot), require users to download and install them on their web browsers. While these assistants promise to augment web navigation by offering features such as succinct summarizations and contextual search assistance, the research reveals a far more invasive underbelly. The study’s findings, set to be presented at the prestigious USENIX Security Symposium, highlight the extent to which these tools collect comprehensive personal information from users’ web activity, often transmitting entire webpage content—including visible elements on the screen—to external servers.
Among the most concerning revelations was that Merlin, one of the examined assistants, captured form input data encompassing highly sensitive information such as online banking credentials and personal health records. Other browser assistants, like Sider and TinaMind, were found to relay user-generated queries and identifying information, including IP addresses, to third-party analytics platforms such as Google Analytics. This practice opens the door to covert cross-site tracking and aggressive advertisement targeting, effectively eroding user anonymity across the web.
Beyond mere data collection, several assistants demonstrated sophisticated profiling capabilities. ChatGPT for Google, Copilot, Monica, and Sider were shown to infer nuanced demographic attributes—age, gender, income level, and areas of interest—leveraging this insight to tailor responses and interactions. Remarkably, these personalized profiles could persist across multiple browsing sessions, indicating that user data was not only collected but actively stored and analyzed. Contrastingly, Perplexity stood out as the sole assistant in the study that did not engage in any detectable profiling or personalization practices.
Dr. Anna Maria Mandalari, who led the research team from UCL’s Electronic & Electrical Engineering department, emphasized the gravity of these findings: “While users are somewhat accustomed to search engines and social media collecting data for targeted ads, these generative AI assistants have unprecedented access to private online behaviors. The convenience they offer often masks the reality that user data is being harvested without clear consent, transparency, or adherence to existing privacy laws and terms of service.”
The implications of these privacy violations extend well beyond conventional online tracking concerns. In an era beset by rampant data breaches and hacking incidents, centralized aggregation of sensitive browsing data heightens the risk of exposure. The researchers warn that once this data leaves the user’s device, individuals lose control over its fate, with no assurance of responsible handling or protection from malicious theft.
To rigorously assess the behavior of these assistants, researchers devised an intricate real-world simulation. They constructed a digital persona embodying a wealthy, millennial male resident of California who engaged in typical web activities. The experiments included interactions in public spaces—unlogged browsing such as reading news articles, shopping on Amazon, or viewing YouTube content—as well as private, logged-in domains involving deeply personal browsing: accessing university health portals, logging into dating websites, and visiting adult content platforms. The privacy-sensitive nature of these scenarios was central to testing whether assistants appropriately respect boundaries and user privacy expectations.
The research team employed advanced techniques to intercept and decrypt real-time data transmissions between the AI assistants, their servers, and third-party trackers. This allowed an unprecedented granular view of data flows, revealing precisely what information was collected and shared during active browsing sessions. Additionally, the assistants were tested for their memory and inference capabilities by prompting them to summarize sensitive page content, followed by queries designed to unearth retained personal details, such as the specific reasons behind a medical appointment.
Starkly, several assistants—including Merlin and Sider—demonstrated a troubling lack of adherence to privacy promises by continuing to record browsing activity even after users transitioned to private or incognito modes. This oversight not only breaches trust but also evidences a fundamental disregard for user intent to compartmentalize or shield certain online behaviors from being tracked.
The study further highlights significant legal concerns. Some assistants were found to contravene U.S. regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and the Family Educational Rights and Privacy Act (FERPA) by illicitly collecting protected medical and educational information. While the analysis concentrated on U.S.-based regulations, the researchers anticipate that these privacy infringements would similarly violate the stricter data protection frameworks of the European Union’s GDPR and the UK’s data privacy laws.
In response to their findings, the authors advocate for sweeping regulatory reforms to govern AI browser assistants, insisting that privacy protection must be integral—not ancillary—to the development process. They propose that developers embrace privacy-by-design principles, including ensuring data processing occurs locally on devices when possible and mandating explicit, informed user consent before collecting or sharing any personal information.
Dr. Aurelio Canino, co-author affiliated with both UCL and Mediterranea University, underscored the broader stakes: “As generative AI becomes a ubiquitous element of our digital ecosystems, safeguarding user privacy cannot be sacrificed for the sake of convenience or innovation. Our research establishes a foundational resource to guide future legislation and increase transparency in this rapidly evolving domain.”
This groundbreaking study not only exposes the hidden data surveillance woven into AI browser extensions but also challenges developers, regulators, and users to rethink trust in emerging digital assistants. As these tools continue to proliferate, the balance between AI-driven convenience and fundamental privacy rights has never been more precarious—or more urgent.
Subject of Research: Not applicable
Article Title: Big Help or Big Brother? Auditing Tracking, Profiling, and Personalization in Generative AI Assistants
News Publication Date: 13-Aug-2025
Web References: https://www.usenix.org/conference/usenixsecurity25/
Keywords: Computer science; Applied sciences and engineering
