Privacy and security concerns in Grammarly


Note: This is the most popular post on my blog. I wrote it in 2020 and can’t guarantee that it accurately reflects Grammarly’s current state.

You can use Grammarly in multiple ways. It’s available on its website or as a standalone application. In addition, you can install it as a browser extension for Firefox, Edge, Safari, and Chrome. It’s useful as an extra “pair of eyes,” as long as you don’t let it dictate your writing. I used it to check this article. Most of its suggestions were silly, but it caught a garbled sentence.

If you’re concerned about your security and privacy, the website is the safest. You can be reasonably sure it doesn’t have access to anything except what you type or paste into its pages. The browser extension is the most troublesome, since it can look at anything you do on a Web page. Before you install any extension, you should strongly trust its source not to do anything malicious or careless. Extensions can create security vulnerabilities with buggy code. This is especially a concern with an extension whose functionality is as pervasive as Grammarly’s. For all practical purposes, it functions as a keylogger.
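One concrete way to judge how pervasive an extension is before installing it is to read its manifest: an extension whose content scripts are injected into every page (and every frame) can read every text field on every page you visit. The following audit is an added example, not code from this post or from Grammarly; the manifest it inspects is constructed for illustration and does not describe any real extension.

```javascript
// Added example: report how much of the user's browsing an extension can
// observe, judged from its manifest alone. The manifest below is constructed
// for illustration and is not a real extension's manifest.
const EXAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Hypothetical Writing Helper", // constructed name
  permissions: ["storage", "activeTab"],
  host_permissions: ["<all_urls>"],
  content_scripts: [
    { matches: ["<all_urls>"], js: ["content.js"], all_frames: true },
  ],
};

// Match patterns that cover every page the user visits.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

function isBroad(pattern) {
  return BROAD_PATTERNS.has(pattern);
}

// Returns a plain report of the extension's reach. A content script injected
// into every page can attach listeners to every input on that page, which is
// why the post treats such an extension as a keylogger in practice.
function auditManifest(manifest) {
  const declaredHosts = [
    ...(manifest.host_permissions || []), // Manifest V3 host permissions
    // Manifest V2 put host patterns in "permissions"; keep only URL-like entries
    ...(manifest.permissions || []).filter(p => p === "<all_urls>" || p.includes("://")),
  ];
  const scripts = manifest.content_scripts || [];
  const broadScripts = scripts.filter(cs => (cs.matches || []).some(isBroad));
  return {
    readsAllPages: declaredHosts.some(isBroad) || broadScripts.length > 0,
    injectsEverywhere: broadScripts.length > 0,
    reachesEmbeddedFrames: broadScripts.some(cs => cs.all_frames === true),
    otherPermissions: (manifest.permissions || []).filter(p => !p.includes("://") && p !== "<all_urls>"),
  };
}

// Human-readable summary for a quick review before installing.
function summarize(manifest) {
  const r = auditManifest(manifest);
  const lines = [];
  lines.push(r.readsAllPages ? "Can read every page you visit." : "Limited to specific sites.");
  if (r.injectsEverywhere) lines.push("Runs its own script inside every page.");
  if (r.reachesEmbeddedFrames) lines.push("Also runs inside embedded frames (e.g. third-party widgets).");
  if (r.otherPermissions.length) lines.push("Other permissions: " + r.otherPermissions.join(", "));
  return lines.join("\n");
}

console.log(summarize(EXAMPLE_MANIFEST));
```

A narrow manifest (one whose `matches` and host permissions name a single site) produces `readsAllPages: false`; the broad one above reports that the extension can run in every page and frame.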

Grammarly denies that its product is a keylogger, but its arguments are evasive and nonsensical. That only convinces me they don’t understand security and are trying to lull their users. This concern isn’t just hypothetical; in 2018 its code had a bug that could let sites that you write for see what you’ve written for their competitors.

My recommendation: Don’t use the Grammarly browser extension.

What Grammarly says — and what it means

Grammarly says: “No, Grammarly is not a keylogger. A keylogger is a program that records every keystroke you make, in any program, on a particular device. … Grammarly does not record every keystroke you make on your device.” Browser keyloggers are a recognized category of keylogger; the notion that code which captures only keystrokes in the browser can’t be a keylogger is completely false. Grammarly offers an excessively narrow definition of “keylogger” in order to assert that its product isn’t one.

That page further tells us: “Grammarly accesses only the text you write using a Grammarly product, and only for the purposes of checking your text and providing corrections.” The first part of that is blatantly false. (Update, December 30, 2022: That claim is no longer on the page.) The purpose of the extension is to check your writing on third-party sites. By design, it can check any text box in your browser, not just ones that use a Grammarly product. Given such a blatant lie in the first half of the sentence, I have to wonder whether the second half is true.

Finally: “Additionally, Grammarly does not process anything you type in text fields marked ‘sensitive,’ such as credit card forms or password fields.” What is a field marked “sensitive”? That’s not an HTML attribute. There is no standard way in HTML to mark a field as sensitive. (Passwords do use a distinctive field attribute, which causes your typing not to be echoed.) As far as I can tell, Grammarly is making stuff up. A less polite term for that is “lying.”
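To make the “marked sensitive” point concrete: the only standard marker a form field carries is `type="password"`, which hides what you type; a credit card number entered in an ordinary text input looks, to any script on the page, exactly like a comment box. The snippet below is an added example, not code from this post or from Grammarly. It parses a constructed form with a small attribute parser (no DOM needed) and shows which fields carry a standard marker; the `sensitive` attribute it looks for is the one Grammarly's text mentions, and no standard HTML form will ever have it.

```javascript
// Added example: classify form fields by the markers HTML actually provides.
// The form below is constructed for illustration.
const SAMPLE_FORM = `
<form>
  <input type="text" name="username">
  <input type="password" name="pass">
  <input type="text" name="cc-number" placeholder="Card number">
  <textarea name="comment"></textarea>
  <input type="email" name="email">
</form>`;

// Minimal parser for <input ...> and <textarea ...> start tags with
// double-quoted attributes; enough for the constructed sample above.
function parseFields(html) {
  const tagRe = /<(input|textarea)\b([^>]*)>/gi;
  const attrRe = /([\w-]+)\s*=\s*"([^"]*)"/g;
  const fields = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = {};
    let a;
    while ((a = attrRe.exec(m[2])) !== null) attrs[a[1].toLowerCase()] = a[2];
    fields.push({ tag: m[1].toLowerCase(), attrs });
  }
  return fields;
}

// echoHidden: the browser masks the typed characters (type="password").
// markedSensitive: a hypothetical "sensitive" attribute; HTML defines none,
// so this is false for every standard form.
function classifyField(field) {
  const type = (field.attrs.type || "text").toLowerCase();
  return {
    name: field.attrs.name || "(unnamed)",
    echoHidden: field.tag === "input" && type === "password",
    markedSensitive: Object.prototype.hasOwnProperty.call(field.attrs, "sensitive"),
  };
}

// Summary from the perspective of a script that can see the whole page:
// every field is readable; only password fields are distinguishable.
function summarizeForm(html) {
  const report = parseFields(html).map(classifyField);
  return {
    total: report.length,
    passwordFields: report.filter(f => f.echoHidden).map(f => f.name),
    unmarkedFields: report.filter(f => !f.echoHidden && !f.markedSensitive).map(f => f.name),
  };
}

console.log(summarizeForm(SAMPLE_FORM));
```

For the sample form, the card number field lands in `unmarkedFields` alongside the username and the comment box: nothing in standard HTML tells a script that its contents are any more sensitive than a comment.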

Grammarly has had at least one highly publicized security flaw. In 2018, it exposed auth tokens to any website where the user had an active Grammarly browser extension. This let the site access the user’s Grammarly account. If you write for multiple clients, that could let one of your clients see everything you’ve run through Grammarly checking.

Taken together with Grammarly’s misleading assurances, this bug suggests a culture of not caring about security issues. I seriously recommend not using any Grammarly browser extension.