An extensive survey shows that up to 3% of websites can collect your form entries before you ever hit ‘Submit’. That’s right – even if you type something and then delete it, these websites will still record your keystrokes and remember the things you chose not to enter.
The data, which is collected without your knowledge and consent, may include highly personal information, which can later be used for various purposes, such as targeted advertising.
The survey is titled “Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission”, and it was conducted by university researchers on a large sample of 100,000 of the world’s highest-ranked websites, with a total of 2.8 million pages.
Using a website crawler (based on DuckDuckGo’s Tracker Radar Collector), the researchers scoured the internet and came back with stunning results. While most of us assume that websites only log the things we type when we submit them, for up to 2,950 of the 100,000 sampled websites this simply wasn’t true. On up to 3% of the sites, trackers collect data from the moment it is typed into the form.
Websites use trackers for many reasons, but for the most part they are used to personalize your browsing experience and to collect information about visitor activity. In theory this data should be anonymous, but once personal identifiers are collected, that anonymity is limited.
Trackers can be useful as they let the websites know what kind of content the users are most interested in. However, third-party trackers are used to help advertisers ensure that the ads you see are targeted, meaning you’re more likely to click and buy something.
The crawler used in the study was equipped with a machine learning classifier that had been trained to detect email and password fields; the crawler then intercepted any script access to those fields. Many third-party trackers were caught using scripts that track keystrokes while the visitor types in a form. If a tracker stores what is typed before the form is sent, it can collect email addresses and passwords without the user’s consent.
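A site owner can apply the same idea of intercepting script access to a field when auditing their own pages. The sketch below is an added example, not code from the study or its crawler; `auditField` and `markSubmitted` are hypothetical names, and the plain object in `demo` is a constructed stand-in for an `<input>` element so the code also runs outside a browser.

```javascript
// Added example: record every read of a form field's value that happens
// before the form is submitted, without logging the value itself.
function auditField(field, name, log) {
  // Locate the 'value' property: on HTMLInputElement.prototype in a browser,
  // on the object itself for the constructed stand-in used in demo().
  let owner = field, desc;
  while (owner && !(desc = Object.getOwnPropertyDescriptor(owner, 'value'))) {
    owner = Object.getPrototypeOf(owner);
  }
  if (!desc) throw new Error('field has no value property');
  let stored = desc.value; // only used when 'value' is a plain data property
  const state = { submitted: false };
  Object.defineProperty(field, 'value', {
    configurable: true,
    enumerable: true,
    get() {
      const v = desc.get ? desc.get.call(field) : stored;
      if (!state.submitted) {
        // In V8 the third stack line is the caller; in a browser it
        // carries the URL of the script that read the field.
        const caller = (new Error().stack || '').split('\n')[2] || 'unknown';
        log.push({ field: name, length: String(v).length, caller: caller.trim() });
      }
      return v;
    },
    set(v) {
      if (desc.set) desc.set.call(field, v); else stored = v;
    },
  });
  return { markSubmitted() { state.submitted = true; } };
}

function demo() {
  const log = [];
  const email = { type: 'email', value: '' }; // constructed stand-in for an <input>
  const audit = auditField(email, 'email', log);
  email.value = 'user@example.test';          // constructed sample input
  const trackerRead = () => email.value;      // stand-in for a script's keystroke handler
  trackerRead();                              // read before submit: recorded
  audit.markSubmitted();
  trackerRead();                              // read after submit: not recorded
  return log;
}
```

In a browser, `markSubmitted` would be called from the form's `submit` handler, and any log entry whose caller is a third-party script URL is a read worth investigating.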
The fact that some third-party trackers were able to collect keystrokes, and thus data, before anything was submitted is alarming. According to the researchers, this problem affects a small percentage of trackers, but those trackers are quite common on the Internet. The biggest culprits were LiveRamp (662 websites), Taboola (383), Verizon (255), and Bizible (191). These trackers were present on websites where email addresses were logged. When it comes to password stealing, Yandex trackers are at the top of the list.
An interesting finding of the research is that fewer email/password exfiltration attempts were observed for visitors from Europe than for visitors from the US. Only 1,844 websites allowed trackers to do this when visited from Europe, compared to 2,950 when visited from the United States.
Users in Europe are protected by the GDPR, a set of legal regulations governing personal data. According to the study, email exfiltration through trackers violates at least three GDPR requirements. Violation of the GDPR can lead to huge fines of up to 20 million euros or up to 4% of the worldwide annual turnover of the entity concerned.
The highlights of the study have been published by the researchers alongside a full, much more technical version for those who want to learn a little more. The study was first reported by Bleeping Computer. It is important to note that half of the first and third parties on the list responded to the researchers, claiming that the collection was the result of an error.
If you want to protect yourself from similar trackers, it might be a good idea to disable third-party trackers altogether – you can do this in your browser settings. It is also considered good practice to change your password every now and then. Password managers can come in handy if you’re juggling many different passwords that change regularly.