Photo by @florianklauer / Unsplash.com

Check your grammar! Understanding the security implications with cloud-based grammar checkers

I’ve had a guidebook on the English grammar on my desk for the better part of the last decade. It’s a classic – the Elements of Style. I rarely write longer essays in my native Finnish, and as Finnish is notoriously hard, I must also look up things every now and then. For that, I use the free Finnish grammar website.

I then started using Grammarly, the cloud-enabled grammar checker in 2019. I wrote about this late last year. It’s a neat little service that analyzes the text you produce and suggests corrections and spots mistakes. For me, the primary mistake I do is to not understand where and when to use a comma properly. Or a semicolon. Grammarly has a premium tier which is somewhat costly at $139 a year. You can use the app as a browser extension, as an app in Word and through a separate writing app. I also appreciate the app for Word, as I can configure it to match the styles of text I need to write for school.

Every few weeks I receive a gamified email complimenting me on these heroic efforts:

I’m a little bit proud of this achievement also:

I’ve been happy with Grammarly for a year now. Tobias Zimmergren, the co-host of our Ctrl+Alt+Azure podcast, casually mentioned to me once during one of our coffee calls, that these online and cloud-enabled checkers are not inherently secure by default. So, I did a quick search on Google on Grammarly security:

Grammarly does a decent job of explaining how they encrypt data on their website – all data is encrypted with AES-256 at rest. No immediate mention on who has the keys, how access is audited, or if I could bring my own key for the encryption party. They do comply with GDPR, which is a big positive. Upon further reading, Grammarly has produced a whitepaper on security. They mention they use “industry-leading managed services for roles and access policies, certificate management, encryption and keys management [..]“, but I couldn’t find any mention of what those industry-leading managed services are.

A worrying post at TechBeacon mentions that Grammarly’s browser extension had a security hole in its implementation in 2018. The post also curated other opinions on Grammarly’s security practices. Someone asked on Quora whether Grammarly is safe to use. This comment from Esteban A. Maringolo hits the spot: “So if you’re concerned with your privacy I wouldn’t recommend it.

I then had a look at the browser extension. I use the Grammarly extension for Microsoft Edge. The extension requires extensive permissions to work:

It can read your browsing history, and it can also read all data on websites you visit. These are the default settings. It makes sense though, as the service tries to analyze your text and for this, it needs to read the content you’re producing and seeing. It also needs the Communicate with cooperating websites permissions presumably to dial back to Grammarly’s APIs.

What this means, in practice, is that any website you visit will potentially have all its data transmitted to Grammarly’s services for further analysis. Thankfully, Grammarly has written within its privacy policy how they plan to use this data:

We only disclose Personal Data to third parties when…

  • …we use service providers who assist us in meeting business operations needs, including hosting, delivering, and improving our Services. We also use service providers for specific services and functions, including email communication, customer support services, and analytics. These service providers may only access, process, or store Personal Data pursuant to our instructions and to perform their duties to us.

(emphasis mine)

Not incredibly worrying, yet still open enough to use much of the personal data as they see fit. Grammarly also has a way to request for all of your personal data. I did this just now, and I’m waiting for the results. Kudos to them for making this so easy, even the form is prefilled! I received my data in less than 4 hours, so that is impressive. From the data, I could see that Grammarly had

  • My IP addresses – about 100 of them
  • My locations – just 2, which is surprising
  • My writing statistics (per week)

And that’s it. It seems Grammarly is not storing my written text other than the content I’ve created using their website directly (with its built-in editor). You can view your document version history here.

I’ve chosen not to use Grammarly for any work-related content – this means all browser-profiles that I use for work, do not have Grammarly extension enabled. I implied to this recently when I wrote about security awareness and multiple laptops.

I then found out that Microsoft recently released their version of an online grammar checker. It’s called Microsoft Editor and it works in Word and as a browser extension. As this sounded so familiar, I soon realized this was previously called Ideas. In Word, you can activate the new Editor by pressing F7, and in Word Online (the browser version) you have a button for Editor now.

Word Online:

Word:

I tried it on one of my old papers. The experience was remarkably like Grammarly, but the Microsoft Editor has more control over what and how grammar and text is analyzed. That has been one of the options I’d wished Grammarly would allow further configuration.

The browser extension works well, too.

The extension is available on the Edge Extensions Store, and it demands a little less permissions than the Grammarly extension:

The difference is that the Microsoft Editor extension does not require notification access, or communication access for websites.

At the end of the day it comes down to who you choose to trust. The Microsoft Editor certainly looks and feels nice. It has better configuration settings than Grammarly, but for now it lacks certain capabilities – such as custom dictionaries, ignoring certain words or phrases and the bi-weekly email. That’s the difference $139 a year buys you.