Is Grammarly a keylogger? What can you do about it?

Years ago I worked at a company where many people were using Grammarly. One of the top devs took a look at it, and saw that the text was sent to Grammarly&#x27;s server unencrypted and warned everyone not to use it. Some still did.<p>At my previous engagement, a large number of staff spoke English as a second or third language, and Grammarly was prevalent. Even as a native English speaker, they wanted me to use it as a sort of proof reader. I&#x27;ll admit that it caught some of my dumber mistakes, but I never felt comfortable using it. I could have proof-read my work better is all. Perhaps if I wasn&#x27;t given mind-numbing work, the quality would have been better.

I think worse than keyloggers is that people are learning how to make the yellow lines in Grammarly go away rather than learning to write better. The training of humans on AI which was trained to be a (dull) average of prior humans has unforeseen consequences. I&#x27;ve seen Google grammar suggestions getting worse with time.

In Québec we have Antidote. It&#x27;s a good &quot;old&quot; piece of software you install on your computer and it integrates with office and other programs to provide _explanations_ of why what you write, looks wrong. No keylogger, no getting dumber. It essentially let&#x27;s you either learn why you&#x27;re wrong or decide the software is wrong. It used to be French only but they added English too a couple years back. I have no affiliation with Antidote, I just use it everyday.

I&#x27;m on the team at Sapling Intelligence, a deep-learning AI Writing Assistant. A lot of privacy and security conscious folks don&#x27;t like the idea of a keylogger, so we have self-hosted&#x2F;on-premise&#x2F;cloud-premise options for businesses. We have a list of available offerings here: <a href="https:&#x2F;&#x2F;sapling.ai&#x2F;comparison&#x2F;onprem" rel="nofollow">https:&#x2F;&#x2F;sapling.ai&#x2F;comparison&#x2F;onprem</a>. Sapling deployments can also be configured for no data retention, sacrificing some model customization.<p>Cost-wise, it doesn&#x27;t make sense for individuals to host a neural-network based grammar checker, though some of the rule-based options may work. There&#x27;s a future where if we can maintain some sort of Moore&#x27;s law scaling we will be able to run these language models on individual computers as opposed to the cloud.

While I don’t use it for the sake of privacy, folks saying “learn to write” are missing the point of grammarly. It’s an editing tool. Editing is remarkably difficult to do on your own writing. Ask any published author.

I used Grammarly in the past and I stopped because the privacy issues were concerning. I switched to <a href="https:&#x2F;&#x2F;www.antidote.info&#x2F;en" rel="nofollow">https:&#x2F;&#x2F;www.antidote.info&#x2F;en</a>, which works entirely on-device, without sending your data to a cloud service. They now do offer a fairly minimal web application that can be used if you have their subscription, but they offer a one-time purchase for the desktop application.<p>Similar to Grammarly, the growing use of AI-based pair programming tools, like Github Copilot and similar, poses similar serious privacy risks. While the intelligent autocomplete is helpful, it uploads large parts (or all) of your source code; which most companies should be very concerned about.

Previous serious security issue: <a href="https:&#x2F;&#x2F;bugs.chromium.org&#x2F;p&#x2F;project-zero&#x2F;issues&#x2F;detail?id=1527" rel="nofollow">https:&#x2F;&#x2F;bugs.chromium.org&#x2F;p&#x2F;project-zero&#x2F;issues&#x2F;detail?id=15...</a>

Yeah, it still absolutely blows my mind folks allow Grammarly anywhere. It&#x27;s <i>horrifying</i> from a privacy and security standpoint. I get requests to install it at work from time to time, and then have to basically explain that it would be illegal for me to allow it.<p>I would argue if you&#x27;re subject to <i>any</i> sort of data security compliance policies, you can&#x27;t allow Grammarly on your systems.

I would never use it but this feels like a common issue in general which is trading convenience for privacy and security.<p>This happens with a lot of choices. Smartphone vs flip phone, using an Alexa or similar device vs not, etc..<p>A fully offline Grammarly would be a really nice app to have. I&#x27;d pay something like $49 a year to have access to that if it worked really well and was kept up to date. The hard part is &quot;really well&quot;, it&#x27;s so much more than detecting spelling errors with a Vim plugin. At the same time I have a feeling the &quot;goodness&quot; of a tool like this is only because of how much data it can harvest to train its algorithms and models which makes me think it won&#x27;t happen until accurate models are in the public domain.

Hah, I use an old DOS grammar checker called Grammatik.<p>It works well enough for me, I use it with mutt instead of ispell. Naturally, it&#x27;s 100% offline.<p>I made a (terrible?) unboxing video a while ago: <a href="https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=6DMlaJ-ROXc" rel="nofollow">https:&#x2F;&#x2F;www.youtube.com&#x2F;watch?v=6DMlaJ-ROXc</a>

I saw an ad for Grammarly once, maybe a year ago, on YouTube. I was intrigued and clicked on it to learn about it and concluded that it was pretty awesome... until I learned about how it works and NOPE’d out immediately.<p>Since then, though, they aggressively bid to put ads on my browser. It’s a win-win for me, the ad networks get to feel like they’re delivering highly relevant personalized ads to a potential buyer and I get the peace of mind of not seeing other ads and the feeling of doing a good deed by baiting Grammarly into wasting ad spend. Selling a key logger as a service—- it’s an abomination.

Isn&#x27;t it plainly obvious that they take all your inputs and feed it to their models?<p>Isn&#x27;t that literally the point of Grammarly?

Is there a list of Grammarly servers, so it can be blocked, for example, at a corporate firewall?

We had a ticket where someone complained about &quot;latency&quot; when cutting and pasting into Microsoft Excel.<p>After some quick tests yielded the expected results, the person selected an entire paragraph of text and pasted it into a cell.<p>Sure enough, there was about a 3-4 second delay as the Grammarly add-in sent it in for analyzing.<p>Imagine if you had confidential data in your documents.

Yes. Don’t use it, and require that contractors not use it either.<p>I’ve found attorneys using it - automatic dq for me.

Grammarly seems insidious to me. Not only does it intercept the final versions, but all drafts of what users write. I know they sell a plagiarism product to schools[0]:<p>&gt; Grammarly&#x27;s integrated plagiarism checker instantly catches plagiarism from over 16 billion websites and ProQuest&#x27;s proprietary databases.<p>So it&#x27;s pretty clear that collecting and processing lots of semi-private writing is part and parcel to their business, which seems like a recipe for trouble sooner or later. To be clear, I have similar reservations about grammar check in e.g. Google Docs, so this is not limited to just Grammarly at all.<p>[0]: <a href="https:&#x2F;&#x2F;www.grammarly.com&#x2F;edu" rel="nofollow">https:&#x2F;&#x2F;www.grammarly.com&#x2F;edu</a>

I&#x27;ve seen people promote Language Tool as an alternative: <a href="https:&#x2F;&#x2F;languagetool.org" rel="nofollow">https:&#x2F;&#x2F;languagetool.org</a> It appears to be open source and you can host your own server!

In Grammerly’s Privacy Policy[0], it states as part of information they collect:<p>“User Content. This consists of all text, documents, or other content or information uploaded, entered, or otherwise transmitted by you in connection with your use of the Services and&#x2F;or Software.”<p>and yet they don’t define this as a keylogger. I do understand keyloggers record <i>everything</i> a user types and Grammerly claims to not read “sensitive fields”.<p>[0] <a href="https:&#x2F;&#x2F;www.grammarly.com&#x2F;privacy-policy" rel="nofollow">https:&#x2F;&#x2F;www.grammarly.com&#x2F;privacy-policy</a>

The Japanese government did disallow an IME from Baidu (a software that converts typed keys-strokes to Japanese kana and kanji), because it ran inference on a server.<p>- <a href="https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20140119231002&#x2F;http:&#x2F;&#x2F;www.techrepublic.com&#x2F;blog&#x2F;asian-technology&#x2F;japanese-government-warns-baidu-ime-is-spying-on-users&#x2F;" rel="nofollow">https:&#x2F;&#x2F;web.archive.org&#x2F;web&#x2F;20140119231002&#x2F;http:&#x2F;&#x2F;www.techre...</a>

I have disabled any auto-correct, suggest, or any so-called aid in any app that I use. I found most often they are a hindrance not a help. For example suggesting wont instead of won&#x27;t or its when 99.9% of the time I wanted it&#x27;s.<p>My spelling has become terrible and all my life I have been great at spelling. My grammar is OK I thought it was great until I went back to college and felt like I was illiterate.<p>In college I did try Grammarly mainly for its plagiarism tool. But Grammarly like a virus it&#x27;s very difficult to uninstall. I caught many mistakes in grammar like &quot;for free&quot; and &quot;off of&quot;. And Grammarly plan was supposed to be monthly $20&#x2F;month then it jumped to $300 US dollars one year-plan automatically charged to my credit card. I didn&#x27;t notice and after a month they said it was impossible to refund my money. Pure greed, scam, spammy junk.<p>I also realize I&#x27;m tempting Skitt&#x27;s Law just by mentioning all this.

I feel like their slogan should be lifted from Mr Lee&#x27;s Greater Hong Kong:<p>&quot;Whether seriously in business or on a fun-loving hijink, make yourself totally homely in this meager environment. If any aspect is not utterly harmonious, gratefully bring it to my notice and I shall strive to earn your satisfaction.&quot;

This article misses the way I use it, which is much safer. I am security minded but also a terrible writer.<p>I have Grammarly as a browser extension that is OFF BY DEFAULT, except, when I am writing on Medium, and a few times when I click to enable it temporarily.<p>Problem solved! I feel this article is not serious about a the &quot;What you can do about it&quot;. I am fairly confident I have sensitive information controlled, yet I do get the very real benefits when I write a blog post.<p>I also copy and paste markdown into the standalone web app occasionally because it can correct markdown without getting tripped up by syntax! I am very happy with the quality of grammarly corrections and I do think it is possible to use it safely, just not with its default settings.

I used to use it in highschool. What I&#x27;d do is just copy&#x2F;paste my assessment text into their web interface rather than installing their addon or desktop client.<p>I&#x27;m not sure if they.offer.a web interface outside of their plugins&#x2F;client apps these days.

The main problem is that Grammarly doesn&#x27;t want their models&#x2F;rules&#x2F;etc. to end up out of their control, hence they do the checking on their server.<p>But this means it MUST BE a key logger, how else could it work?<p>But tbh. what irritates me the most, is how bad their product is.<p>At least with this type of errors I do (some dyslexia, English being the second language, and me having some uh bad past with English in school).<p>Like the &quot;corrections&quot; they recommend (which go beyond what a &quot;dictionary&quot; spell checker is able to do) are often wrong and will result in another wrong text.<p>It&#x27;s pretty obsessed with writing in one specific style.<p>It seems to have some major problems with listings.<p>It also seems to want to change anything with some subtle undertone to a version without it.<p>I would say maybe for people already somewhat good at English which do not make the kind of errors I often do, writing soulless &quot;business&quot; English, it might be good.<p>If it wouldn&#x27;t be a major risk to confidentiality.<p>I do not trust a company like Grammarly (or most companies) to be cable of defending their IT infrastructure against professional attackers, and subtle backdooring Grammarly seems quite useful (for certain actors).<p>Btw. same for 1Password it&#x27;s a supper juicy target, especially if it adds a crypto wallet (as they plan to do).<p>Also I&#x27;m pretty sure the usage of Grammarly for writing letters to customers is in conflict with more then just the GDPR (if they contain sensitive information, in more then one way).

It is the biggest botnet ever. How do you think they are paying for ads everywhere. The money have to come from somewhere.

Does most of the HN react the same way I did when I first saw an ad for grammarly?<p>I remember just thinking that it would definitely be logging my text and recording my internal endpoints.<p>Is that a normal thought or would most of HN not expect this ?

Generally, Grammarly feels like a practical example of something humans want to believe AI will be very good at, but will eventually turn out not to be.

I am very proud I have always refused to use this kind of software, the question is &quot;Is Grammarly a keylogger&quot; is hard to answer per se, but it has always potential to collect enormous data about its users, it doesn&#x27;t matter what they claim in their T&amp;C, Facebook also started as a &quot;just&quot; social network, they ended up being one the biggest data collector of the world.

What can you do about it?<p>Learn to write. Don&#x27;t use Grammerly. That&#x27;s the article. Instead, we keep trying to find little tricks to keep the utility without surrendering privacy.<p>High school and college essays are already full of enough mindless fluff and tropes. Why put everything you write into something that then makes you sound like a bot? Your essays will all end up with YouTube Face.

There ain&#x27;t no reason I wouldn&#x27;t never consider using Grammarly once, at least especially not now or whatnot.

Could you use Grammarly keylogs to train AIs? It could have infinitely more content than the web has.

Good that we have LT: <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=30379593" rel="nofollow">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=30379593</a>

I’m the only one that saw Loom having access to the webcam in the article?<p>Loom can open your webcam and record you audio if they want…<p>So grammarly is offering this service thanks to the cloud and thanks to the data transmitted over internet. We cannot do nothing else that trust this companies. We should maybe ask to our government to check and validate how our data are treated by companies and if the privacy is respected.

Second question: Is TextExpander a key logger as well?

The article suggests how could it all of the sudden read the Note after being turned on without new key presses — uhh duh the accessibility APIs it discussed?<p>Seems all very overblown to me. It’s known to begin with that it sends things you type to the server - that’s the model (or rather, how they run their models). That does not automatically mean evil things are happening.

I have long suspected Grammarly as a massive undercover FSB operation to monitor the west. The amount of marketing push behind the product never made sense otherwise, and their corporate HQ is in Ukraine.<p>Even if you don&#x27;t buy the conspiracy theory, the cold hard truth now is that those servers will be under Russian jurisdiction within a month.

It absolutely is an intelligence carve out.

Is anyone gonna bring up GitHub Autopilot?

It also injects html&#x2F;junk into email editors.<p>Our staff use it. Having typos in political emails is bad and super duper stressful. On the whole I think worth it for our use case.<p>But when you look at the actual draft email html there is almost always some grammarly fragment left like pseudo html elements and stuff

Yes, grammarly is an excellent data exfiltrator, don&#x27;t ever use it while typing anything you don&#x27;t want published externally.<p>The easiest way to do that (instead of being constantly aware) is to just never use it (or anything like it that sends all your private typing to somewhere else).

For German I want the Duden spell checker tool back.<p>German has more strict rules for a lot of it&#x27;s grammar, which can be checked rather well without needing any AI.<p>It ran local.<p>Or maybe I&#x27;m just nostalgic.<p>But as far as I remember it was the best spell checker I ever had (for any Language).<p>But then I&#x27;m hardly writing German now-days.

Related blog post I made:<p><a href="http:&#x2F;&#x2F;trevcan.duckdns.org&#x2F;blog&#x2F;rant-writing-tools.html" rel="nofollow">http:&#x2F;&#x2F;trevcan.duckdns.org&#x2F;blog&#x2F;rant-writing-tools.html</a><p>It talks more about morality and not legality.

I tried that once just to see what it&#x27;s all about, and it kept regularly sending irksome e-mails (&quot;We&#x27;re not seeing any activity from last week&quot;) for, I think, well over a year.

Not saying good or bad, but they do have a page on their &quot;trust&quot;:<p><a href="https:&#x2F;&#x2F;www.grammarly.com&#x2F;trust" rel="nofollow">https:&#x2F;&#x2F;www.grammarly.com&#x2F;trust</a>

I&#x27;m sad to read this. As someone who is dyslexic, it&#x27;s a necessary evil I have to use. Unless there is alternatives?<p>Infact I use Hemingway App and then Grammarly to write content.

Hmm it seems curious that this attack on a successful Ukrainian startup is happening at this time.<p>Could it be a Russian smear campaign? It seems like the sort of thing that the St Petersburg disinformation teams would attempt, in very subtle ways...

It would have been good if he asked how long grammar checked text is retained to grammarly &#x2F; an engineer that works on it.

All AI based systems that use your data to improve itself is incentivised to collect everything. Especially if it&#x27;s free

Incidentally, using Grammarly is verboten, internally at a more famous company whose name also happens to start with a G.

As I was wondering where they are located: <a href="https:&#x2F;&#x2F;www.google.com&#x2F;search?client=firefox-b-d&amp;q=where+is+grammarly+located" rel="nofollow">https:&#x2F;&#x2F;www.google.com&#x2F;search?client=firefox-b-d&amp;q=where+is+...</a><p><pre><code> San Francisco, California The software is produced by Grammarly Inc, which is headquartered in San Francisco, California, with offices in Kyiv, New York City, and Vancouver.</code></pre>

let me get this straight.. it is listening to every key input i make on my mac regardless of the app i am in? then sends this data to its cloud? im assuming this includes passwords?<p>if so, how is this app still legally available to the US consumer?

I installed its plugin on Microsoft Word and I feel a bit safe now.

How long until OpenAI comes with an open replacement?

Why is different than Gmail auto complete?

Try out outwrite.com<p>If you need a grammar correction.

@dang, This is Russian attack on Ukrainian Unicorn. Can you shadowban awakened bots?

Yes? Not use it?

Don&#x27;t use it and all concerns resolved.