Phia Under Fire: Privacy Overreach, Full-Page HTML Capture, and Cookie Stuffing in Phoebe Gates’ AI Shopping Extension - Captain Compliance
Skip to content
Sign in
Create FREE Account
Home » News » Phia Under Fire: Privacy Overreach, Full-Page HTML Capture, and Cookie Stuffing in Phoebe Gates’ AI Shopping Extension
Phia Under Fire: Privacy Overreach, Full-Page HTML Capture, and Cookie Stuffing in Phoebe Gates’ AI Shopping Extension
Published<br>July 13, 2026
Table of Contents
Phia, the AI-powered shopping browser extension co-founded by Phoebe Gates and Sophia Kianni, experienced explosive growth in 2025. It raised tens of millions in venture funding, surpassed one million downloads, and earned media praise, including recognition as a TIME Best Invention. Marketed as an intelligent tool that compares prices across 40,000+ retailers and surfaces discounts in real time, Phia positioned itself as a helpful AI shopping assistant.
However, two serious controversies have exposed significant issues with its data collection practices and affiliate monetization methods. In November 2025, independent security researchers revealed that the extension was capturing and transmitting full HTML snapshots of nearly every webpage users visited — including sensitive banking and email content. Then, in July 2026, Bloomberg, prominent affiliate marketing expert Ben Edelman, and others documented that Phia had been engaging in cookie stuffing and forced-click techniques, quietly claiming commissions on purchases it did not legitimately refer.
These incidents highlight critical failures in transparency, data minimization, consent, and compliance with both privacy regulations and affiliate network rules.
Background: Rapid Rise and Broad Permissions
Phia launched around April 2025 as a Chrome browser extension (with companion iOS support). Users install it from the Chrome Web Store, after which it activates during browsing — particularly on retail sites — to analyze pricing and suggest better deals or coupons.
The extension requests broad permissions at install time. According to its Chrome Web Store listing, it discloses handling of personally identifiable information, authentication information, web history, and website content.
The key permission grant is the ability to “read and change all your data on all websites.” This is implemented via content scripts that match broad host permissions (such as ), allowing injection and DOM access across virtually every site the user visits.
Technically, browser extensions like Phia typically consist of content scripts that run in the context of web pages and can read/modify the DOM, background service workers (Manifest V3) or persistent background pages that handle long-running tasks, network requests, and message passing, and popup or side panels for the user interface.
This architecture gives extensions powerful capabilities but also creates substantial privacy and security risks when data flows exceed what is necessary or disclosed.
The 2025 Privacy Scandal: Full HTML Capture via logCompleteHTMLtoGCS
The first major issue surfaced in November 2025 when security researcher Maahir Sharma (formerly at Meta) observed unusual background network activity while testing the extension on Amazon and Gmail.
Technical details of the data collection:
– The extension contained a function named logCompleteHTMLtoGCS (or logCompleteHtmlToGcs).
– On nearly every page load, the content script or background process captured the complete HTML of the current webpage.
– This raw HTML was compressed and transmitted via background API calls (GraphQL queries were also observed) to Phia’s servers at api.phia.com.
– Data was uploaded to what appears to be Google Cloud Storage (GCS), based on the function name.
– The behavior occurred even on non-retail sites and without additional user interaction beyond the initial broad permission grant.
– Captured content included highly sensitive pages, such as bank account statements (e.g., Revolut) and private email inboxes (e.g., Gmail).
Multiple independent researchers replicated the findings, including Kushagra Sharma, Eyal Arazi (LayerX Security), Alexandre Pauwels (University of Cambridge), Charlie Eriksen (Aikido Security), and Nick Nikiforakis (Stony Brook University).
Phia’s privacy policy at the time stated that the company collected “limited technical data” primarily from “retail sites” and generally excluded personally identifiable information. The actual implementation — full-page HTML capture across the entire web — directly contradicted these representations.
Phia’s response and changes:
After being notified, Phia removed the full HTML logging feature. The company stated that data was handled in an “aggregate, anonymous way” solely to identify retail sites and improve product features. They claimed it was not stored long-term and was not sold or distributed. The current version reportedly logs only URLs (though URLs themselves can...