AI Web Browsers Are Spying On You - Here's How

A bombshell was dropped on the AI industry when an August 2025 USENIX study found that AI browsers violate user privacy by collecting customer browsing data. Conducted by researchers at the University College London, Mediterranea University of Reggio Calabria, and University of California, Davis, the study discovered that the most popular AI browser extensions recorded sensitive information like medical records, banking information, social security numbers, and social media activity.

AI-assisted web browsers have steadily grown in popularity since their introduction in 2025. By promising an enhanced browsing experience through website summaries, refined searches, chatbots, and other features, AI firms are taking on industry mainstays like Google Chrome, Safari, Edge, and Firefox. When users open OpenAI's Atlas, for example, they can conduct a new search or query ChatGPT, transforming web browsing into an interaction with the AI assistant.

Whether this technology gains a foothold in a market dominated by a single provider is a major question, as Google's Chrome holds around 70% of the global user base. And while this has sparked monopoly concerns, AI companies hope the capabilities of their supercharged browsers like Perplexity's Comet, Opera Neon, Dai, and ChatGPT can outperform Chrome as they garner significant user bases. Legacy browsers, like Firefox, may also ride the AI wave into larger market shares. In totality, McKinsey & Company predicts the industry will reach $750 billion in revenue by 2028. Critically, the stakes of the AI browser wars are higher than most consumers realize, and carry major security and privacy implications.

AI browsers are more than tools for accessing the internet. They can execute tasks like filling out forms, shopping on Amazon, or editing your essay, typically through two functionalities: an ever-present chatbot that analyzes website content, and agentic modes that complete complex tasks. To execute these tasks, AI browsers need to analyze the contents of open webpages, and contextualize them within prior requests, search histories, and interactions. Critically, most AI browsers aim to do so autonomously, meaning without user instructions or consent.

Browser extensions are merely "wrappers" for users to interact with generative AI models like OpenAI's ChatGPT, Google's Gemini, and Meta's Llama. To provide a personalized experience, extensions deploy the LLM's API on the backend of the browser. To work autonomously, AI browsers and extensions automatically inject content scripts into webpages that process activity through background service workers. From a privacy perspective, this makes AI browsers fundamentally different from your run-of-the-mill chatbot. While website versions can only interact with information you input into the log, browsers automatically scrape information from the websites you visit, fundamentally changing the level of information you're sharing.

Before diving into the results of the August study, it's important to clarify that it only addresses browser extensions, not AI browsers themselves. The reasoning for this is purely circumstantial, as frontrunners like OpenAI's Atlas and Perplexity's Comet weren't released until after the study's conclusion. However, the same principles apply when considering both, as they require the same webpage data to function properly.

Presented and published at the 2025 USENIX Security Symposium, the paper shows how AI browsers including ChatGPT for Google, Sider, Monica, Merlin, MaxAI, Perplexity, HARPA, TinaMind, and Microsoft's Copilot analyze, store, and recall user information. Researchers simulated real-world browsing scenarios in private and public spaces, ranging from reading the news and watching YouTube, to accessing pornography, to filling out tax documents. They tested privacy safeguards with targeted prompts, revealing what data was collected, and finding that extensions recorded images, and written contents including medical diagnoses, social security numbers, and preferences on dating apps. The Merlin extension, for example, transmitted banking details, and health records. Some, including Merlin and Sider AI, even recorded activity on private browsers. 

Researchers decrypted traffic to gauge where data was stored, revealing that several assistants transmitted webpage content to their own servers, and third-party trackers. Sider and TinaMind shared user prompts, and identifying information like IP addresses, with Google Analytics, allowing users to be tracked across sites. Several AI agents, including Microsoft's Copilot, stored chat histories from previous sessions on the background of the browser, which could mean such logs persisted across sessions. Google, Copilot, Monica, ChatGPT, and Sider used user activity to profile customers by age, gender, income, and interests to personalize responses across browsing sessions. 

Of the assistants analyzed, researchers determined Perplexity to be the most private, as it could not recall previous interactions, and servers never accessed personal data in private spaces. However, Perplexity still analyzed page titles, and location.

As AI products grow from web extensions into standalone browsers, attention should turn toward understanding, and mitigating the impact on user privacy. The two most popular AI browsers, OpenAI's Atlas and Perplexity's Comet, have already exhibited privacy infringements. While OpenAI executives state that Atlas is selective in the content it analyzes, its restrictions are not privacy-based; chatbots analyze all website images, and text. Moreover, many of Atlas' top functions lean into privacy violations, as optional browser memories store depictions of browsing history to tailor user experience. Users are unable to determine what aspects of a website the AI browser retrieves. To limit infringements, they can remove pages from the chat window, block sensitive URLs from the chatbot, and delete browsing history, per OpenAI's help page.

Even privacy-centric browsers like Perplexity's Comet records users' information. To its credit, the company stores user search history locally on customers' computers, rather than its servers. However, the browser needs to utilize the URLs, text, images, search queries, download history, and cookies of websites to execute key functions. For example, Comet's agentic mode, and personal search tool, Memory, accomplish select tasks by analyzing users' search history, and preferences. The application also asks to access users' Google accounts, including emails, contacts, settings, and calendars, while also allowing users to opt-in to third-party integration functions. To restrict access, experts suggest using its chatbot sidebar on non-sensitive webpages. A detailed description of Comet's data settings can be found on Perplexity's explainer page.

Users hold little control over their data once it is stored on an AI company's servers. AI providers have repurposed user data to train their LLMs, often without permission. These issues aren't exclusive to the AI industry — social media companies, online retailers, search engines, messaging services, and other platforms commercialize data via opaque user agreements, and default opt-ins — but browsers are typically privy to more sensitive information. Whether AI firms use this data responsibly amidst the ever-escalating arms race of AI development is dubious. Add a pervasive inclination to ask forgiveness, not permission, resulting in a litany of copyright cases, and users are right to question how AI companies use their information. Data analysis isn't even limited to a company's own use cases: OpenAI complied with 105 U.S. Government requests for user data in the first half of 2025 alone, underscoring the lack of control users actually have.

As it stands, Atlas provides two options for its customers, neither of which prevents the repurposing of user data. The first, "Improve the model for everyone," is a default setting that allows OpenAI to use information from webpages to train ChatGPT whenever you ask the chatbot a question. The second, "Include web browsing," folds the entire scope of a user's browsing history into OpenAI's training modules. And while the company promises to anonymize user data before giving it to its chatbot, details are sparse regarding where these privacy lines are drawn. Luckily, users can disable both these settings.

Information security is a major issue, as the operational functions of AI browsers expose users to cybersecurity threats. Experts warn that hackers can easily hijack AI browsers via prompt injection attacks, hiding malicious content within the infrastructure's backend. This is how hackers are targeting AI systems, and browsers are highly susceptible because they cannot distinguish prompt injections from legitimate content. Login credentials, banking details, and other personal information can be exfiltrated this way. 

An October 2025 study by Brave, a browser privacy research firm, found that prompt injections pose a "systemic challenge" for AI browsers, as underlying issues make them susceptible to phishing attacks. Research firm LayerX Security also found that users of Perplexity's Comet were 85% more vulnerable than Chrome users. Unfortunately, as AI browsers focus on autonomous task execution, solutions are not readily apparent, but many AI firms have acknowledged the problem. OpenAI's CIO, Dane Stuckey, wrote in a post on X that prompt injection "remains a frontier, unsolved security problem." On its blog, Perplexity urged AI companies to begin "rethinking security from the ground up."

This lack of security reflects an industry that prioritizes growth over the privacy and security of customers. As is the case with many early-stage AI applications, the risks posed by this technology might outweigh the benefits. Unfortunately, to bring AI browsers out of their infancy, providers will likely need users to adopt the technology before these issues are fully addressed, risking the privacy, and information security of those users.