Hem and Haw

Join a study to get paid and fight for internet privacy!

We are conducting a University of Calgary research study on online privacy to better understand how your personal information is shared by companies on the web.

What You’ll Do

  1. Install Hem and Haw, our browser extension:
  2. (Optional) Sign up for a Prolific account,
  3. (Optional) Paste in your Prolific ID in Hem and Haw to get paid,
  4. Run Hem and Haw in the background and browse as normal!

Firefox Logo Install on Firefox Chrome Logo Install on Chrome
GitLab Logo View Source on GitLab

Why This Matters

What is hashing?

Hash functions are one-way mathematical transformations used to convert plain text into a seemingly random output.

For example, the SHA-256 hash of hello is:
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

What do companies do with hashing?

Your personally identifiable information (PII), such as email addresses and phone numbers, is often requested by websites and shared with third-party companies for advertising and analytics. To comply with privacy regulations, many websites claim to “anonymize” this data by applying hash functions before sharing it.

While hashing can serve legitimate security purposes, extensive research [1] [2] has shown it to be ineffective for PII anonymization. Many types of hashed PII can be easily reversed, especially when based on predictable data like phone numbers or email addresses. This allows third parties to re-identify users, undermining the privacy protections these sites claim to offer.

What does Hem and Haw do?

Hem and Haw is a browser extension that detects and reports when websites are transmitting your hashed PII to third-parties by comparing outgoing web traffic against hashed versions of data you provide (like your email or phone number).

The extension runs silently in the background as you browse. For research purposes, it collects metadata about when and where hashed personal identifiers appear in web requests — for example, which websites include them and which companies collect them.

Your actual personal information and its hashes never leave your device. The extension stores and processes that data locally, using it only to check if it appears in outgoing traffic. What we receive is anonymized and stripped of any identifying details.

Frequently Asked Questions

How do I install Hem and Haw?

You can install it from the Firefox extension store for free here.

How do I use Hem and Haw?

You will enter your personal information (such as email addresses, phone numbers, etc.) into Hem and Haw. When you press the submit button, the extension will then automatically scan your network traffic for instances of websites sending hashes of your personal information to third parties. These instances will be reported in a log which you can view.

What kind of data is collected?

As part of this University of Calgary study, whenever a PII hash transmission to a third-party is detected, Hem and Haw will send us the following:

  • the hostname of the website you visited (ex. example.com),
  • the hostname of the third party (ex. trackingcompany.com),
  • the type of PII being shared (ex. Email, Phone Number, Zip Code),
  • the hash function used (ex. SHA256),
  • whether you declared you use an adblock or not,
  • where in the transmission (HTTP request) the hashed PII was found (ex. url, body, headers).

How does Hem and Haw protect my privacy?

We will never collect your inputted personal information or your hashed data. Additionally, we do not record your IP address or any other identifying information.

Can I see my results?

Yes, you can see the hashed PII transmissions detected by Hem and Haw. Simply click on the "See all results" button in the Hem and Haw extension popup.

Does Hem and Haw block hashed PII transmissions to third parties?

No, currently the extension does not block these hash transmissions, it only detects them.

Do I have to use Prolific?

Using Prolific is optional. If you want to get paid for participating, we use your Prolific ID to track your usage of Hem and Haw and to issue payments. To receive bonus payment for a week, you must have Hem and Haw running for at least 5 out of 7 days. Your Prolific ID will not be associated with your transmission data.