The joint paper — released by researchers from Radboud University, the University of Lausanne, and KU Leuven (Katholieke Universiteit te Leuven) — revealed that user keystrokes on online forms are being misused by online trackers. Even without hitting “submit” on an online form, trackers may exfiltrate and log user email addresses and “incidentally” exfiltrate passwords to other analytics, tracking, and marketing domains, the study said.
User Keystrokes Recorded While Browsing
The study found that 1,844 websites in the EU and 2,950 in the U.S. scooped email addresses that had been typed into web forms, and then logged them to both known and previously unknown tracking domains. This is akin to what a keylogger does but, in this case, is not necessarily a malicious activity. In addition, the study found that third-party scripts were collecting password data on an additional 52 websites. Notably, 60% more exfiltration took place when websites were visited from the US, the paper says. Some of this was taking place “even when users change their minds and leave the site without submitting the form.” Third-party scripts used by data brokers and advertisers can be used for “cross-site, cross-platform, and persistent identification of potentially unsuspecting individuals,” researchers wrote. The researchers were able to automate their search with a custom-built website “crawler” that “finds and fills email and password fields, monitors the network traffic for leaks, and intercepts script access to filled input fields.” The study says a large portion of these findings may result in a violation of several GDPR laws, such as the transparent processing of data per Article 5 of the GDPR. GDPR violations can result in enormous fines.
Which Websites Were Tracking Users?
A large number of major websites were found to be recording and exfiltrating user email addresses, including USA Today, Trello, The Independent, Marriot, Shopify, WebMD, Udemy and Codeacademy, among others. As far as passwords go, the study states that “an overwhelming majority (50/52 of these leaks were due to Yandex Metrica’s session recording feature.” In addition, “leaky” websites were found to be built with the “React framework” — seven of which were major banks. Researchers also noted that consent boxes were ineffective in preventing tracking and data collection. “Consent popups” were found in only 7.7% and 5.4% out of the 100,000 websites studied (both EU and US). Researchers stated that rejecting data processing via consent boxes did practically nothing and that “cookie consent choices are not effective in preventing tracking.”
Websites Informed, Issues Resolved
The group confirmed that they disclosed the findings to the websites, which later removed the tracking instances. This included two third-party trackers “with a combined presence of five million websites” that released fixes thanks to the researchers’ disclosure. “Considering its scale, intrusiveness, and unintended side-effects, the privacy problem we investigate deserves more attention from browser vendors, privacy tool developers, and data protection agencies,” the researchers concluded.
Meta and TikTok Are Collecting Personal Information
In a separate investigation, the researchers discovered that Meta Platforms Inc. (formerly Facebook) and TikTok collect “hashed personal information” in the same fashion with their Meta Pixel and TikTok Pixel trackers. Findings show that 8,438 US and 7,379 websites may leak data to Meta “when the user clicks on virtually any button or a link, after filling up a form,” while 154 US and 147 EU websites may leak data to TikTok, KU Leuven stated. Meta has since assigned the issues to their engineering team, while TikTok was notified at a later stage and are possibly working on the issues now.
Responses From First and Third Parties
About half (30/58) of the first parties contacted, such as Trello, Marriott, Stella McCartney, FiveThirtyEight, and others responded to the researchers’ requests. FiveThirtyEight, Lever, Branch, and Cision said they were unaware of any email collection and resolved the issues. Marriott said that the collection was used for customer care, fraud prevention, and technical support. Stella McCartney remarked that this was a technical issue, and swiftly fixed the leaks, the paper states. Meanwhile, about half (15/28) of the third parties contacted, such as Taboola, Zoominfo, and ActiveProspect, responded to requests. All three noted that data is not propagated or analyzed further beyond the purposes of features like ad and content personalization. Tracking can be enabled or disabled by clients, and client data is not kept for extended periods or shared, they added.
Researchers Analyzed Popular Browsers’ Anti-Tracking Features
Researchers also dug up interesting findings concerning popular browsers’ anti-tracking features — and whether they work as advertised. Neither Apple’s Safari nor the Firefox browser blocked email exfiltration fully, while Google’s Chrome browser does not even attempt to block online tracking, the paper says. Browser extensions such as uBlock Origin and browsers such as Brave and DuckDuckGo do a much better job of this, researchers said. In creating their own solution, researchers devised the FormLock extension, and the LEAKINSPECTOR concept browser, both of which pick up “sniff attempts” on websites. While researchers work on developing better anti-exfiltration technologies and Big Tech address their ongoing privacy woes, users can read our full guide to the best adblockers which includes uBlock origin that successfully blocks sniffing attempts. If you’re looking for improved privacy online, make sure to check out our curated list of the best privacy browsers.
