One thing I'll point out is that Comscore has been doing this with websites since the early 00s. They packaged it as some sort of "free website antivirus protection" or some related BS, and when you installed it it installed a root certificate in your browser, specifically so that Comscore could read all your SSL traffic for ecommerce purchasing analytics. I even remember if you used their uninstaller to uninstall it, it left the root cert in place. IIRC Comscore at one point claimed millions of installed users.