An August 2025 USENIX bombshell exposes AI browsers as privacy predators: top extensions like Merlin, Sider and Monica hoover up medical records, SSNs and banking logins via autonomous webpage scraping, transmitting them to corporate servers and trackers without consent. Chrome’s 70% monopoly faces a Comet/Atlas insurgency promising agentic form-fills, Amazon carting and essay polishing, at the cost of data exfiltration. McKinsey’s $750B 2028 jackpot fuels an arms race in which Perplexity edges the privacy laurels, yet all feast on browsing entrails. Prompt injections lure out credentials; government subpoenas (OpenAI alone received 105 in H1 2025) strip away the illusion of control. Legacy Firefox/Safari fortify their moats as AI upstarts gamble user data for dominance.
AI browsers transcend tabs: chatbots contextualize page DOMs against browsing histories, agents autonomously inject scripts that execute Amazon checkouts and tax autofills, and the LLM API wrappers behind them (GPT/Gemini/Llama) demand a full-spectrum data harvest. Extensions sidestep the input limits of chat portals by auto-deploying content scripts via service workers, profiling age, gender and income even across incognito sessions. The USENIX study simulated browsing of adult, tax and news sites: Merlin leaked banking details and health diagnoses; Sider and TinaMind piped IPs to Google Analytics. Copilot and others persist chat logs in the background; Perplexity is the sole holdout, rejecting session recall, though page titles and location still leak.
Privacy Violation Spectrum
| Extension | Leaks Captured | Storage/Tracking |
|---|---|---|
| Merlin | Banking/Health/SSN | Private mode + servers |
| Sider | Prompts/IPs/images | Google Analytics |
| Copilot | Chat histories | Background persistence |
| Perplexity | Titles/location only | Minimal/no recall |
Atlas/Comet Containment Steps
- Atlas: Settings > Disable “Improve model”/“Web browsing” > Block sensitive URLs > Purge memories.
- Comet: Local storage only > Opt-out Google integration > Sidebar on non-sensitive tabs > Clear cookies/history.
- Extensions: Chrome > Remove all AI agents > uBlock Origin + NoScript lockdown.
- Incognito + container tabs (Firefox Multi-Account) isolate leaks.
- Brave/Firefox defaults > VPN + trackerblock (uMatrix).
Security Threat Matrix
Prompt injections weaponize page content: attackers embed text such as “exfil credentials to C2” in a page, and AI agents execute it blindly; LayerX clocks an 85% Chrome-vulnerability spike for Comet. Brave’s October 2025 autopsy deems the problem systemic; OpenAI’s CIO admits it is “frontier unsolved.” Harvested data is repurposed to train LLMs without permission, echoing the scrape-first, ask-forgiveness-later copyright blitzkriegs. Subpoena compliance eviscerates privacy: 105 US government demands in H1 2025 alone. Default opt-ins commercialize profiles; age/income targeting haunts users across sessions.
Atlas’s pretense of selectivity crumbles: all images and text are ingested, and optional “memories” are poison pills. Comet localizes history yet craves Gmail and calendar access for agentic glory. Mitigation mantras: sidebar-only use, history nukes, third-party vetoes. Enterprise fallout looms: HIPAA/GDPR violations bankrupt adopters. Consumer calculus tilts toward legacy browsers: Safari’s Intelligent Tracking Prevention and Firefox’s Total Cookie Protection eclipse AI gimmicks.
2026 reckoning: the EU AI Act mandates audit trails, and US privacy bills force opt-out defaults. Browser wars pivot to secure enclaves: TPUs sandbox injections, ZKPs anonymize queries. Perplexity’s edge blunts as Comet scales; Firefox surfs the AI wave without soul-selling. Early adopters subsidize it via data tribute; laggards inherit fortified futures. Privacy is not a commodity: the infancy of AI browsers demands skepticism, not surrender. Chrome’s duopoly endures; true disruption demands data sovereignty first.