Hem and Haw

Join a study to get paid and fight for internet privacy!

We are conducting a University of Calgary research study on online privacy to better understand how your personal identifiable information (PII) is shared by companies on the web.

What You’ll Do

Install Hem and Haw, our browser extension:
- on Firefox through the Firefox add-on store
- on Google Chrome, Brave, Opera, Microsoft Edge, or any other Chromium-based browser through the Chrome web store
Open Hem and Haw and enter your personal details (like email or phone number). These stay entirely local in your browser and are never sent to us.
Click Submit to run Hem and Haw in the background.
Browse as normal!

Note: Please ignore the Prolific ID section in the extension popup for now.

Install on Firefox

Install on Chrome

View Source on GitLab

Why This Matters

What is hashing?

Hash functions are one-way mathematical transformations used to convert plain text into a seemingly random output.

For example, the SHA-256 hash of hello is:
2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824

What do companies do with hashing?

Your personally identifiable information (PII), such as email addresses and phone numbers, is often requested by websites and shared with third-party companies for advertising and analytics. To comply with privacy regulations, many websites claim to “anonymize” this data by applying hash functions before sharing it.

While hashing can serve legitimate security purposes, extensive research [1] [2] has shown it to be ineffective for PII anonymization. Many types of hashed PII can be easily reversed, especially when based on predictable data like phone numbers or email addresses. This allows third parties to re-identify users, undermining the privacy protections these sites claim to offer.

What does Hem and Haw do?

Hem and Haw is a browser extension that detects and reports when websites are transmitting your hashed PII to third-parties by comparing outgoing web traffic against hashed versions of data you provide (like your email or phone number).

The extension runs silently in the background as you browse. For research purposes, it collects metadata about when and where hashed personal identifiers appear in web requests — for example, which websites include them and which companies collect them.

Your actual personal information and its hashes never leave your device. The extension stores and processes that data locally, using it only to check if it appears in outgoing traffic. What we receive is anonymized and stripped of any identifying details.

How do I use Hem and Haw?

Once you have installed Hem and Haw on your browser, click on the extension icon to open the popup. You will then enter your personal information (such as email addresses, phone numbers, etc.) into Hem and Haw. You can add, remove, and modify fields.

Then, when ready, click the Submit button. The extension will then automatically scan your network traffic for instances of websites sending hashes of your personal information to third parties. These instances will be reported in a log which you can view using the See all results button.

As part of our study, the extension popup will ask you how privacy-conscious you are and whether you use an adblock tool or not. Please answer those questions. Ignore the Prolific ID section for now.

Frequently Asked Questions

How do I install Hem and Haw?

You can install it from the Firefox extension store for free here.

What kind of data is collected?

As part of this University of Calgary study, whenever a PII hash transmission to a third-party is detected, Hem and Haw will send us the following:

the hostname of the website you visited (ex. example.com),
the hostname of the third party (ex. trackingcompany.com),
the type of PII being shared (ex. Email, Phone Number, Zip Code),
the hash function used (ex. SHA256),
whether you declared you use an adblock or not,
how privacy-conscious you declare you are,
where in the transmission (HTTP request) the hashed PII was found (ex. url, body, headers).

How does Hem and Haw protect my privacy?

We will never collect your inputted personal information or your hashed data. Additionally, we do not record your IP address or any other identifying information.

Can I see my results?

Yes, you can see the hashed PII transmissions detected by Hem and Haw. Simply click on the "See all results" button in the Hem and Haw extension popup.

Can I delete my results?

Yes, you may delete your hashed PII transmission logs by:

Opening Hem and Haw -> See all results -> Clear your data, or
Deleting your entire browsing history (this will trigger the deletion of the logs)

Does Hem and Haw block hashed PII transmissions to third parties?

No, currently the extension does not block these hash transmissions, it only detects them.

Do I have to use Prolific?

Using Prolific is optional. If you want to get paid for participating, we use your Prolific ID to track your usage of Hem and Haw and to issue payments. To receive bonus payment for a week, you must have Hem and Haw running for at least 5 out of 7 days. Your Prolific ID will not be associated with your transmission data.

The Prolific study is not set up as of now. Please ignore the Prolific ID section in the extension.