Spellcheck is a blessing and a curse. On one hand you get instant feedback if you mistype something. On the other hand, it causes people not to know how to correctly spell. However, if users have opted-in to use Chrome’s Enhanced Spellcheck or Microsoft Editor (add-on) in Edge, users could unknowingly be sending Personally Identifiable Information (PII) to Google or Microsoft. Users can check if they opted-in to use Chrome’s Enhanced Spellcheck. by entering:
chrome://settings/?search=Enhanced+Spell+Check in the Chrome address bar.
Now you may be wondering what kind of PII could I unknowingly be sending if I am using this feature or add-on? Simple answer is anything you type in a web form. This includes, but not limited to: Name, Address, Phone Number, Social Security/Social Insurance Numbers and Passwords. Yes, PASSWORDS! While the data entered into form fields is being transmitted to Google or Microsoft via HTTPS (secure) connection it is unclear what these companies are doing with said data.
In cases where Chrome Enhanced Spellcheck or Edge’s Microsoft Editor (spellchecker) were enabled, “basically anything” entered in form fields of these browsers was transmitted to Google and Microsoft.
“Furthermore, if you click on ‘show password,’ the enhanced spellcheck even sends your password, essentially Spell-Jacking your data,” explains otto-js in a blog post.
This was the first I had heard of Chrome’s Enhanced Spellcheck and didn’t really understand the purpose. Below are the differences between Basic and Enhanced spell check from a Google Chrome Help Article:
Basic spell check
- Chrome or your operating system provides the spell check.
- It doesn’t send the text that you enter in your browser to Google.Enhanced spell check
- This spell check is used in Google Search.
- It sends the text that you enter in your browser to Google for improved spelling suggestions.
- In some operating systems, you can update custom words in the spell check dictionary.