Still sounds gross. While the developer might have opted in to selling your processing power to scrape websites, I doubt the users of each extension opted in.

Response from the developer:

" Users who want to support a free software product or creator can decide to opt-in to share their bandwidth. … Developers can decide to offer them additional features and content or simply use the money to keep the products free and available."

On User Consent:

“Our approach is always opt-out by default. I’ll write more below on how we are going about enforcing it now as part of a stricter approach to maintaining a transparent ecosystem. We provide default opt-in/out hosted pages to simplify asking consent and have left this page where users can see all the plugins to which they have opted-in and manage their settings with no developer as an intermediary: mellow.tel/user-control.”

In other words, users are opted-out by default. They can also go to that web site, and when they click the link, the page checks which extensions are installed in the browser and whether or not you opted in.

On Opt-In Enforcement:

Ars Technica article states there are “no checks to determine if a real user knows what they are approving or to determine if the developer just opts all users in on their behalf”.

“We do have a page where users can go and see if they are opted-in or have been opted in without their knowledge from the developer: mellow.tel/user-control. But you are right and we should do more. We have started enforcing the opt-in policy from today (by simply checking each integration and not sending requests to those that don’t show an opt-in) and will be doubling down on that in the coming days. Each new websocket request from an unknown integration will be quarantined and we won’t allow requests to go through until we have controlled the integration is compliant and is asking users to opt-in + is leaving an opt-out option clearly visible. We will also start enforcing routine checks on our Mellowtel integrations to create a transparent environment.”

In other words, the Mellow.tel developer has it set to always opt-out by default. However, developers of extensions may just opt-in the users without consent - which, I agree with you is gross. It’s possible those developers don’t explain the full implications. Now, the Mellow.tel developer is putting in remediations to ensure that the opt-in policy is enforced, and users will have more exposure to knowing whether or not this is happening. Meaning, they’re going to try to enforce default opt-out (as they stated this was always their policy), and make it easier for users to know they get opted in.

On Personally Identifiable Information and Monetisation:

The developers basically claims everything is anonymized. And the way they make money is, if you opt-in, you share “a fraction of your bandwidth” when browsing the web, fetching from a server, etc. They don’t collect or sell your user data because they aren’t advertising, and their business model is not advertising.

“all [Response data] is completely anonymous, it doesn’t point back to any user, and isn’t stored except the minimum time to at on it… Location - The only information used is country level (e.g., US, ES, DE), [and] it isn’t associated with any Personally-Identifiable-Information (PII) at all.”

So my conclusion - I care about my privacy. I don’t like being opted into things without my consent. According to this developer’s response, they never did. They’re trying to come up with a model to help the web stay free. Who knows if this will be viable or not. Developers of extensions can leverage this stuff, and in the past, some of those developers may have opted users in without their consent (or without full transparency or understanding of how this was happening). Even if a user was “opted in”, it doesn’t appear to be a significant impact to privacy as they have their source code published, processing happens locally on the user’s device, and the data that gets process is not transmitted, sold, or even have any identifiers. In fact, the data they claim is quite sparse to the extent that it’s limited to bandwidth allotment, country, and simple “keep alive” checks (heartbeat). Now I don’t have any association with this company, know this developer, nor do I have any stakes at all in this. This just caught my attention and I Had to read and learn more about it, and assess whether or not it affects my privacy threat model (it doesn’t for me, simply because none of the extensions I use have this thing).

For my background - I’m a software engineer for a SaaS provider. My company processes observability telemetry, and we assist customers to instrument agents in their environments (server, machines, clusters, DB, and end-user devices like browsers and mobile devices) to collect metrics to enable observability of their platform, and generate automatic application topology. Also a suite of tools to examine metrics and dynamic baselines, health rules for baseline deviations or other anomalies, analytics, user queries, complete business transaction view, incident remediation, etc. However, I have no background whatsoever in security. So I can’t comment on the security point because I don’t have a cyber security background. I’m only going off what the developer said, and it made sense to me. But I’d defer to a person with cyber security expertise to comment here.

Edit: Added some additional context, fixed some spelling.