by dariusj18 2238 days ago
Yes, a screencast would be nice, but more than that, there's no Privacy Policy?

Edit: there is, but they don't link to it on the homepage

https://jointoucan.com/privacy-policy


Also, that privacy policy says nothing, and seems to just be copy-pasted from the Internet.

If this is the company's approach to handling very private user data (i.e. the contents of a number of websites they visit, including facebook, airbnb, office365, all of google.com), then this is a hard pass from me, and a huge red flag.

EDIT: here's a list of all sites the extension accesses: https://paste.q3k.org/paste/uj-GbID4#g7IYwrXiF6zXlnlxQYguMlr...

EDIT2: looking at the source code of the extension (extracted from the source map), it at least tracks and sends off any tab hostname (or URL?) you've visited: https://paste.q3k.org/paste/gxklokkF#055mmZ9Qu-zeiAwXGpWqSpw... , for any of the URLs in the allowed URLs list (which in turn has some websites whitelisted that you really might not want others to know you have visited)

EDIT3: if I read the code correctly, they actually send off the entire URL, not just the hostname. But someone would have to check this in practice to be sure.

Creating a set of whitelisted sites that this would work on is a better approach than what other extensions like Grammarly have done in the past (not sure if they still do), which is to grant access to all browsing. However, this specific whitelist is such a weird combination of sites. It includes numerous financial and banking sites, porn sites, and e-commerce sites. Those are exactly the type of sites that I don't think you want on a whitelist, as they are going to be full of information that people want private. This should probably be limited to sites with a lower likelihood of compromising data, like news sites and potentially social media sites.
Hey there! We definitely agree with you. While we were trying to avoid asking for permission to run on all sites before gaining our users' trust, we also wanted to find the right balance of working on popular sites to show the value of Toucan. For this, we used a list of the top 500 sites around the world without any filter (which there definitely should have been). Thank you so much for pointing this out, as this was not our intention. We will be combing through this list shortly and updating to make sure Toucan is only enabled by default on sites that our users would feel comfortable with. Again, really appreciate your insight here; this is tremendously helpful.
Good on you for acknowledging that is a problem and moving to fix it. The existing list makes a lot more sense now that I know it is just the top 500 sites.

I think you generally want to stick to sites that are both public and consumption oriented. News sites and places like Wikipedia are the obvious examples. Social media is a little more questionable since there is a mix of public and private data. I think an ideal system would break sites out into categories like news, education, pop culture, social media, etc. You then allow the users to either turn off a category as a whole or provide an advanced mode to manually disable individual sites. It has been a while since I messed with browser extension permissions, though, so I don't remember if these permissions can even be set on a conditional basis. Either way, there can always be an option in the extension settings to ignore those pages even if the browser technically gives you permissions to them.
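The categorised default list with per-category and per-site opt-outs proposed above, plus the hostname-only reporting point from the earlier comment, as an added example (not Toucan's code or anything from this thread); the category map, the settings shape and the match-pattern derivation are constructed assumptions:

```javascript
// Constructed default list, broken into categories so a user can switch off
// a whole category or single hosts. Not Toucan's list; illustrative only.
const DEFAULT_CATEGORIES = {
  news: ["bbc.co.uk", "nytimes.com"],
  education: ["wikipedia.org"],
  "social media": ["reddit.com"],
};

// Constructed user settings: disabled categories and individually disabled hosts.
const DEFAULT_SETTINGS = { disabledCategories: [], disabledSites: [] };

// True when `host` is `site` itself or a subdomain of it. A plain endsWith()
// would let "evil-wikipedia.org" pass as "wikipedia.org".
function hostMatches(host, site) {
  return host === site || host.endsWith("." + site);
}

// Decide whether the extension should activate on a page. Returns null when
// the host is not on the default list at all; otherwise the category it sits
// in and whether the user has left it enabled.
function activationFor(url, settings = DEFAULT_SETTINGS, categories = DEFAULT_CATEGORIES) {
  let host;
  try {
    host = new URL(url).hostname.toLowerCase();
  } catch {
    return null; // not an absolute URL, so nothing to match against
  }
  for (const [category, sites] of Object.entries(categories)) {
    const site = sites.find((s) => hostMatches(host, s));
    if (!site) continue;
    const enabled =
      !settings.disabledCategories.includes(category) &&
      !settings.disabledSites.some((s) => hostMatches(host, s));
    return { category, site, enabled };
  }
  return null;
}

// Manifest V3 host_permissions derived from the same list, so the manifest
// never needs "<all_urls>". "https://*.example.org/*" matches the apex domain
// and its subdomains.
function hostPermissions(categories = DEFAULT_CATEGORIES) {
  return Object.values(categories).flat().map((s) => `https://*.${s}/*`);
}

// If any visit data leaves the browser, report the hostname only: the path
// and query can carry account ids, document names and tokens.
function hostOnly(url) {
  return new URL(url).hostname.toLowerCase();
}
```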