Phia, an AI shopping agent co-founded by Phoebe Gates and Sophia Kianni, has been collecting extensive user data through its desktop browser extension, raising significant privacy concerns. Cybersecurity researchers discovered that a previous version of the extension captured a snapshot of every webpage visited by users, including sensitive information from bank statements and private emails, even when not actively browsing e-commerce sites.
This practice allowed for the reconstruction of a user's complete browsing history. The extension uploaded full copies of webpages to Phia's servers by burying a function called "logCompleteHTMLtoGCS" in its code.
This occurred without explicit user consent or knowledge, and researchers confirmed it logged activity from sensitive accounts like digital banks. After being alerted to the issue, Phia removed the feature that collected users' full HTML pages, but did not inform users about the potential privacy violation or confirm the fate of the collected data.
The company stated that the logging was done in an aggregate and anonymous way to identify retail websites and that it never stored this data. However, cybersecurity experts argue that even the updated version, which logs only URLs, could still expose sensitive information contained within those URLs and allows for the reconstruction of browsing history associated with user identities.
Experts suggest that Phia's data collection practices contradict its privacy policy and could violate regulations like GDPR and various U.S. state privacy laws.
Phia maintains that its logging is anonymous and aggregate, that it doesn't collect personally identifiable information, and that users provide explicit consent through app store disclosures and its privacy policy. The incident highlights broader security gaps in the rapidly developing AI startup ecosystem, where fast development cycles may be leading to increased vulnerabilities.
