According to new research, an alarming number of websites collect some or all of your data when you type it into a digital form.
Researchers from Radboud University, KU Leuven and University of Lausanne examined the top 100,000 websites, with particular interest in situations where an European is visiting a site from the U.S. They discovered that 1,844 sites collected the EU user’s email address without permission, and 2,950 kept a log of the US user’s email in some form. The data logging seem to be conducted unintentionally, but third-party marketing and analytics services lead to the behavior.
After searching sites for password leaks in May 2021, the researchers discovered 52 websites where third parties, including the Yandex, the Russian tech giant, were ‘incidentally’ gathering password data before submission. The group revealed their findings to these sites and these issues have since been resolved.
‘If there’s a Submit button on a form, the reasonable expectation is that it does something— that it will submit your data when you click it,’ said Güneş Acara, Professor and one of the leaders of the study. ‘We were super surprised by these results. We thought maybe we were going to find a few hundred websites where you email is collected before you submit, but this exceeded our expectations by far.’
The researchers will present their findings at the Usenix Security Conference in August. They say that they were inspired to investigate the ‘leaky forms’ by media reports from Gizmodo. They pointed out that the behavior is quite similar to keyloggers— malicious programs which log everything a user types. However, on a mainstream top -1000 site, a user probably shouldn’t expect to have his data logged. The researchers discovered variations of the behavior— some sites logged data by keystroke, while others collected complete submissions from one field when users went on to the next.
‘In some cases, when you click the next field, they collect the previous one, like you click the password field and they collect the email, or you just click anywhere and they collect all the information immediately,’ said Asuman Senol, researcher at KU Leuven and a co-author of the study. ‘We didn’t expect to find thousands of websites; and in the U.S., the numbers are really high, which is interesting.’
The researchers believe that the geographical differences may be related to companies in the EU being more cautious about user tracking, particularly because of the EU’s General Data Protection Regulation. They however emphasize that this is just one possibility and they don’t have explanations for the disparity.
Although not adequate justification, the research discovered that an explanation for the data logging may have to do with the issue of differentiating a ‘submit’ action from other actions on the webpages.
‘The privacy risks for users are that they will be tracked even more efficiently; they can be tracked across different websites, across different sessions, across mobile and desktop,’ says Acar. ‘An email address is such a useful identifier for tracking, because it’s global, it’s unique, it’s constant. You can’t clear it like you clear your cookies. It’s a very powerful identifier.’
The researchers proceeded to create a Firefox extension referred to as ‘LeakInspector’ to detect rogue form collection.
By Marvellous Iwendi.