
Everything Watching You Is Also a Door Someone Else Can Open


There is a pattern we keep watching play out, and it runs through everything from browser extensions to nursing homes to the early formation of continents. The pattern is this: the same mechanism that provides safety or convenience is structurally identical to the mechanism that causes harm. There is no version where you get the benefit without accepting the exposure. The only question is whether you designed around that reality or pretended it doesn't exist.

Start with the extension. Microsoft recently disclosed a malicious Chrome extension that impersonated the Perplexity AI search tool and quietly routed every search query and every keystroke typed into the address bar through an attacker-controlled server before passing users on to real results. It worked because users had granted it exactly the permissions a legitimate AI search tool needs: the ability to read what you type and intercept requests before they resolve. The malicious version and the legitimate version are functionally indistinguishable at the permission layer. The door that lets the good tool in is the same door.
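The point about the permission layer can be checked directly. The following is an added example, not code from the Microsoft disclosure or from either extension: it audits a Chrome extension manifest for grants that let it see typed queries or redirect requests. The manifest keys are real Chrome fields, while the two sample manifests and their hostnames are constructed, and which keys the disclosed extension actually used is not stated here.

```javascript
// Added example, not code from the disclosure: list what a Chrome extension
// manifest lets the extension see or redirect. Sample manifests are constructed.
const RISKY = new Map([
  ["webRequest", "observe network requests"],
  ["declarativeNetRequest", "block or redirect requests"],
  ["tabs", "read tab URLs and titles"],
  ["scripting", "inject scripts into pages"],
]);
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function hostOf(template) {
  try { return new URL(String(template).replace("{searchTerms}", "q")).host; }
  catch { return "(unparseable)"; }
}

function auditManifest(m) {
  const out = [];
  // Manifest V2 lists host patterns under "permissions"; V3 uses "host_permissions".
  const grants = [m.permissions, m.optional_permissions, m.host_permissions].flat().filter(Boolean);
  for (const g of grants) {
    if (RISKY.has(g)) out.push({ kind: `permission:${g}`, detail: RISKY.get(g) });
    if (BROAD.has(g)) out.push({ kind: "broad-host-access", detail: g });
  }
  const sp = (m.chrome_settings_overrides || {}).search_provider;
  if (sp) {
    out.push({ kind: "search-override", detail: hostOf(sp.search_url) });
    // suggest_url receives the partial query while the user is still typing.
    if (sp.suggest_url) out.push({ kind: "suggest-override", detail: hostOf(sp.suggest_url) });
  }
  return out;
}

// What the permission layer sees, and where typed queries would actually go.
const profile = (m) => auditManifest(m).map((f) => f.kind).sort().join("|");
const destinations = (m) =>
  [...new Set(auditManifest(m).filter((f) => f.kind.endsWith("-override")).map((f) => f.detail))];

// Constructed manifests: identical grants, different destination host.
const sampleManifest = (host) => ({
  manifest_version: 3,
  permissions: ["tabs", "declarativeNetRequest"],
  host_permissions: ["<all_urls>"],
  chrome_settings_overrides: { search_provider: { name: "AI Search", is_default: true,
    search_url: `https://${host}/search?q={searchTerms}`,
    suggest_url: `https://${host}/suggest?q={searchTerms}` } },
});
const vendorBuild = sampleManifest("search.example.com");
const lookalikeBuild = sampleManifest("search.example.net");
console.log(profile(vendorBuild) === profile(lookalikeBuild), destinations(lookalikeBuild));
```

Both manifests produce the same capability profile; only the destination host differs, so the host is what a reviewer has to verify against the vendor's published domains.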

Now scale that principle. AI monitoring systems are being deployed in elder care settings to watch seniors in their homes, tracking movement patterns, detecting falls, flagging anomalies for caregivers. The pitch is safety. The reality is that you are installing a continuous behavioral surveillance apparatus in someone's most private space. The data that makes the system useful, granular, real-time physical monitoring of a person's daily patterns, is also exactly the data profile a bad actor, an insurer, a landlord, or a state would most want. The care case and the exploitation case run on the same infrastructure.

And here is where the geology comes in, because it clarifies something important. Early Earth was bombarded so relentlessly by asteroid impacts that stable continental crust couldn't form — every time something solid began to consolidate, another impact shattered it back into chaos. The reason continents eventually stabilized wasn't that the bombardment stopped first and then structure followed. It's that the planet kept absorbing impacts until the internal conditions shifted enough to hold ground against them. Stability didn't arrive when the threats disappeared. It arrived when the system got hard enough to survive them.

That is the operating condition for anyone building with data-dependent tools right now. The bombardment isn't stopping. The attack surface grows every time you add a useful integration. Every third-party extension, every monitoring widget, every AI assistant that sits between your users and their intent is a new surface. Waiting for the environment to get safer before you build is the wrong frame. The question is whether your architecture can hold ground when something in that stack gets compromised, because something will.

A recent OpenAI analysis mapping AI's effect on European labor markets makes the case that the most durable roles are ones where human judgment sits at a decision point that automation can inform but not replace. That framing applies directly here. The riskiest architecture isn't the one with the most AI in it. It's the one where AI sits in a position of implicit trust with no human verification layer above it. When you outsource a permission-critical function to a tool you don't control, you've removed yourself from the decision chain entirely. You've made the tool the last line of defense, and tools get compromised.

We see this constantly in the products we build and inherit. Someone integrated a third-party analytics script three years ago and it now has read access to form inputs. Someone installed a customer support widget that injects into every authenticated page. Someone gave a browser-based productivity tool access to their team's Google Workspace because it asked and nobody thought hard about it. None of these feel like security decisions in the moment. They feel like feature decisions. That's exactly why they accumulate into a posture that's genuinely hard to defend.

Even at the front-end layer, the boundary between what CSS handles and what JavaScript handles is shifting — CSS can now respond to interaction states that once required scripted logic. That's a useful evolution. It also means the attack surface of your styling layer is no longer cleanly separated from your behavior layer. The line between "this just controls appearance" and "this intercepts user input" is getting blurry in the browser, and blurry lines are where assumptions go to die.

The practical question for founders and operators is not "are we using AI tools" — you are, and you should be. It's "where in our stack does a tool sit that we didn't design, don't fully control, and have given standing permissions to act on behalf of users?" That inventory is usually short to build and genuinely alarming to look at once it exists.

There are a few things we tell clients to do and keep doing. First, treat third-party browser-side integrations as hostile by default until you've reviewed what they access. Second, scope permissions to the minimum viable need at the moment of grant, not the maximum possible future use case. Third, build your architecture assuming one of your integrations will eventually misbehave, and make sure that failure is detectable and containable rather than silent and sprawling. Fourth, wherever AI sits between a user and a sensitive action, put a human checkpoint above it. Not to slow things down. To keep yourself in the decision chain.
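One way to make the first three items concrete for browser-side integrations, as an added example rather than code from this post: a registry of reviewed integrations generates a Content-Security-Policy that denies everything else, and violation reports are attributed back to the integration that triggered them. The integration names, origins, report path and sample report are all constructed; the report fields follow the `report-uri` JSON format.

```javascript
// Added example: only reviewed integrations may load script or receive data.
// Integration names and origins are constructed for illustration.
const REVIEWED = [
  { name: "analytics", script: "https://cdn.analytics.example",
    connect: ["https://collect.analytics.example"] },
  { name: "support-widget", script: "https://widget.support.example",
    connect: ["https://api.support.example"] },
];

// Deny by default, then grant each integration only the origins it was reviewed for.
function buildCsp(integrations, reportPath) {
  const scripts = integrations.map((i) => i.script).join(" ");
  const connects = integrations.flatMap((i) => i.connect).join(" ");
  return [
    "default-src 'self'",
    `script-src 'self' ${scripts}`,
    `connect-src 'self' ${connects}`, // where scripts may send data
    "form-action 'self'",             // where forms may submit
    `report-uri ${reportPath}`,       // makes a blocked attempt visible
  ].join("; ");
}

function originOf(u) {
  try { return new URL(u).origin; } catch { return u || ""; }
}

// Turn a browser violation report into "which integration tried what".
function triageReport(body, integrations) {
  const r = body["csp-report"] || {};
  const owner = integrations.find((i) => i.script === originOf(r["source-file"]));
  return {
    integration: owner ? owner.name : "unknown",
    directive: r["effective-directive"] || r["violated-directive"],
    blocked: originOf(r["blocked-uri"]),
    page: r["document-uri"],
  };
}

// Constructed report: a reviewed script contacting an origin nobody reviewed.
const SAMPLE_REPORT = { "csp-report": {
  "document-uri": "https://app.example/account",
  "effective-directive": "connect-src",
  "blocked-uri": "https://unreviewed.example/c",
  "source-file": "https://cdn.analytics.example/a.js",
} };

console.log(buildCsp(REVIEWED, "/csp-report"));
console.log(triageReport(SAMPLE_REPORT, REVIEWED));
```

A policy like this limits where a script can send data but not what a permitted script reads on the page, so the review of what each integration accesses still has to happen.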

The tools that watch your users, serve your users, and assist your users are all doors. The ones you opened for good reasons are still doors. Every planet takes impacts. The ones that survive are the ones that held their structure anyway.
