Do today’s commercial freeof-charge software downloads show appropriate respect for the privacy of the computer user? We believe the answer to this question is “no.” Our research group at the University of Denver Privacy Center addressed the question by investigating Microsoft’s Internet Explorer (IE) browser extensions. These downloadable pieces of software improve IE by giving it the ability to automatically fill out Web forms, perform price comparisons while shopping online, and liven up the interface with thematic images and sounds. A recent summary of browser extension products is available in [4]. Browser extensions are usually free of charge—in exchange for clickstream and profile information about the user and access to the user’s display for advertising. The spectrum of information practices among products is broad. While some require full user address information and formal registration, others only request a zip code or age range at download time. Some products create a complete record of every Web site the user visits (for targeted marketing purposes), while other products avoid performing any actions that could leave an audit trail hinting at the user’s Internet activities and personal interests. Whatever they are, the full terms of exchange are seldom made clear to users. Although advertising components and requests for personal information are apparent, tracking a user’s Internet activities is an inherently invisible act. Users enticed to download software described as “totally free” have no a priori reason to suspect the software will report on their Internet usage. The difference between “free gift” and “free of charge” is significant. A gift is given with no expectation of compensation. A haircut at the local beauty school may be free of charge, but it is no gift; the school extracts training value from the exercise, and the customer suffers increased risks. Public domain software is usually a gift. Software that tracks users for business purposes certainly isn’t. Vendors and users must understand that tracking records are potential subpoena and mining targets as long as they exist, whether in primary, backup, system log, or debug form. We downloaded 16 IE browser extensions and watched them at work. A number were well behaved. But some extensions seemed to outright exploit our hospitality, watching and reporting our every move in the browser, some intercepting competitor-bound data and one reporting back to headquarters on pages that we “securely” downloaded using Secure Socket Layers. We tried to reconcile the observed behavior with the corresponding software’s privacy policy and licensing agreement and noted any discrepancies. We then comDavid M. Martin Jr.,