Your favourite AI Chrome extensions are spying on you

According to Incogni's yearly ranking released in January 2026, 52% of AI-powered Chrome extensions collect user data, with popular tools like Grammarly and QuillBot posing the highest privacy risks. The report analysed 442 extensions across eight categories, finding that programming helpers and meeting transcribers present the greatest threat to user privacy.

The data collection reality

Of the 442 AI extensions investigated, more than half actively harvest user information. These extensions collectively reached around 115.5 million downloads, meaning they could affect that many users worldwide.

The most commonly collected data types tell a concerning story. Website content leads at 31.4% of extensions, followed closely by personally identifiable information at 29.2%. This includes names, addresses, email addresses, and identification numbers. User activity monitoring — including keystroke logging and mouse tracking — affects 82.6 million users through 16.7% of extensions.

Authentication information collection, whilst less common at 11.5%, remains particularly worrying. This category covers passwords, credentials, and PINs — the exact data that cybersecurity experts warn creates the biggest risks for users.

Programming helpers pose biggest threat

Programming and mathematical aids topped Incogni's privacy invasiveness rankings, earning the highest scores across data collection and permissions requirements. These extensions typically require broad access to modify websites and inject code.

Meeting assistants and audio transcribers ranked second, collecting extensive data whilst requiring fewer sensitive permissions. This category's privacy risk comes primarily from the sheer volume of personal information it processes during calls and meetings.

Writing assistants — including the popular Grammarly and QuillBot — ranked third. Despite their mainstream adoption, these tools collect substantial personal communications data and require permissions that allow them to read everything you type.

Dangerous permissions explained

The most concerning permission, 'scripting', affects 42% of extensions and potentially 92 million users. This allows extensions to run custom code on any website you visit, essentially giving them the power to change what you see or inject text into forms.

'ActiveTab' permission, required by 40% of extensions, grants temporary access to whatever page you're currently viewing. Whilst seemingly harmless, this can expose sensitive information from banking sites, private messages, or confidential documents.

Only 8% request 'webRequest' permission, but this affects 13.9 million users. Extensions with this permission can observe, block, or modify your network requests — essentially seeing and potentially altering every connection your browser makes.

Popular extensions that collect most data

Grammarly and QuillBot tied for the highest privacy invasiveness scores among popular extensions. Both collect personal communications, location data, and website content. Grammarly additionally monitors user activity, including keystroke logging.

Both require 'scripting' and 'activeTab' permissions, giving them broad access to read and modify web pages. Fortunately, chrome-stats.com indicates both have very low risk likelihood scores, suggesting they're unlikely to be used maliciously.

Google Translate, despite its 29 million downloads, ranked fourth in privacy invasiveness. The extension led the translator category in data collection scores, though it requires fewer sensitive permissions than writing assistants.

How to protect yourself

Before installing any extension, examine the permissions it requests. Question whether a grammar checker really needs access to your location data, or why a translator requires keystroke monitoring.

Check the developer's reputation and read recent reviews. Extensions that suddenly start requiring new permissions may have changed ownership or functionality. Tools like chrome-stats.com provide risk assessments for popular extensions.

Consider alternatives with lighter permission requirements. Many extensions offer similar functionality without requiring broad access to your browsing data. When in doubt, use web-based versions of AI tools instead of browser extensions.

Remember that AI tools have become increasingly powerful, but this often comes with increased data requirements. The convenience of browser-integrated AI assistance carries real privacy costs that users should carefully weigh.

Extension availability and data broker impact

All mentioned extensions remain available through the Chrome Web Store globally, including in the UAE. Users can install them freely, though Incogni's report highlights the growing connection between extension data collection and the data brokerage industry.

The data brokerage market is expected to grow from $312.84 billion in 2025 to $342.86 billion in 2026, with a compound annual growth rate exceeding 10%. Extensions represent a significant source of personal data for these brokers, who then sell user information to advertisers, employers, and other third parties.

For UAE users, this means personal data collected by Chrome extensions could end up in databases used for targeted advertising, background checks, or even more invasive profiling activities across international markets.

Frequently Asked Questions

Written by

Share

Copied