Thousands of websites save form data, even before the “submit” button has been used

This is one of the oldest fears on the Internet, which over time has almost become a myth: websites would spy on the slightest letter typed on our keyboard. In a recent study conducted by researchers from three universities in the Netherlands, Switzerland and Belgium, the final version of which will be presented in August at the Usenix Security conference, cybersecurity researchers show that the myth is, in part, founded.

For this, they analyzed more than 2.8 million pages from the hundred thousand most visited sites in the world. Their observation is clear: when visited from Europe, 1,844 of them retrieve the user’s e-mail address even before the user has clicked on the “send” button. “If there’s a ‘submit’ button on a form, the most logical expectation is that it does something – and only sends your data when you click on it,” Güneş Acar, a researcher in digital security at Radboud University and a member of the study team, told the American magazine Wired. “We were very surprised by the results. We thought we might find a few hundred sites where your email address is collected before you send it, but the result far exceeded our expectations.”

The number of sites using this practice is even higher when connecting from the United States (2,950 cases). A notable difference of 60% compared to Europe, which the scientists attribute in part to the General Data Protection Regulation (GDPR), which since 2018 has required a website to ask for a user’s consent before collecting information about them.

An automated process

How do the sites do it? Concretely, before you have clicked on the “send” button, your e-mail address is transmitted – in plaintext or hashed, i.e. encrypted – to third-party sites, generally advertising companies, which collect the data and can thus create personalized advertisements. In Europe, for example, according to the researchers, the majority of email addresses are sent to Taboola, an online advertising company.

In some cases, the process may resemble a keylogger. The researchers were able to prove that, for some of the sites, the data was sent to third-party sites “character by character, while the user was typing their address”. A behavior they attribute to “a proofreading program” that “collects user interactions with the page, including keystrokes and mouse movements”.
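One way to check captured browser traffic for the behavior described above, added here as an example and not taken from the study or its authors' code: it searches third-party requests sent before the submit click for the typed address in plaintext, Base64 or hashed form. The request records, host names, parameter names and the `find_presubmit_leaks` helper are assumptions made for illustration.

```python
import base64
import hashlib
from urllib.parse import unquote, urlsplit

def email_forms(email):
    """Representations of the address to search for: plaintext, Base64, common hashes."""
    raw = email.strip().lower().encode()  # assumption: scripts normalise before hashing
    forms = {"plaintext": raw.decode(), "base64": base64.b64encode(raw).decode()}
    for algo in ("md5", "sha1", "sha256"):
        forms[algo] = hashlib.new(algo, raw).hexdigest()
    return forms

def find_presubmit_leaks(requests, email, first_party, submit_ts):
    """Return (host, form, ts) for third-party requests sent before submit that carry the address."""
    forms = email_forms(email)
    leaks = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        is_first_party = host == first_party or host.endswith("." + first_party)
        if is_first_party or req["ts"] >= submit_ts:
            continue
        payload = unquote(req["url"]) + "\n" + unquote(req.get("body", ""))
        for label, value in forms.items():
            # Base64 is case-sensitive; everything else is compared in lower case.
            haystack = payload if label == "base64" else payload.lower()
            if value in haystack:
                leaks.append((host, label, req["ts"]))
    return leaks

# Constructed sample capture; hosts and parameter names are invented for illustration.
EMAIL = "alice@example.com"
SUBMIT_TS = 4.0  # seconds after page load at which "submit" was clicked
SAMPLE = [
    {"ts": 1.0, "url": "https://shop.example/validate", "body": "email=alice%40example.com"},
    {"ts": 2.4, "url": "https://tracker.example/collect?em=" + email_forms(EMAIL)["sha256"]},
    {"ts": 2.9, "url": "https://ads.example/sync", "body": "e=alice%40example.com"},
    {"ts": 3.1, "url": "https://cdn.example/lib.js"},
    {"ts": 5.0, "url": "https://tracker.example/collect?em=alice%40example.com"},
]

if __name__ == "__main__":
    for host, form, ts in find_presubmit_leaks(SAMPLE, EMAIL, "shop.example", SUBMIT_TS):
        print(f"{ts:>4}s  {host}  ({form})")
```

A hash of the address is the same value on every site that computes it, so the hashed form identifies a visitor across sites just as the plaintext form does.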


Better target the consumer

Among the sites that use this type of practice the most, the fashion and beauty category tops the list of culprits, on a par with e-commerce. In contrast, public, governmental and military information sites account for less than 1% of the leaks observed. A ranking that makes sense in view of the desired goal: to encourage the Internet user to buy. This process exists to better seduce the consumer. Today, notes the study, simple cookies (small files stored on your computer or phone by the sites you visit) would no longer allow advertisers to accurately identify the visitor’s profile. “With the spread of users on different connected media, tracing them only on websites is not enough”, explain the authors. However, they argue that “the email address is an ideal identifier because it is unique, persistent and can even be used offline”.

These illicit transmissions also concern social networks. Indeed, the researchers found that Meta Pixel (owned by Meta, formerly Facebook) and TikTok Pixel – programs normally used to track a visitor’s activity on a site, in order to offer them more relevant content – automatically retrieved email addresses. This collection takes place regardless of the type of site visited, for example news or home delivery.

In Europe, this would concern more than seven thousand sites for Meta, and almost one hundred and fifty for TikTok. Asked by the researchers, Mark Zuckerberg’s social network replied, at the end of March, that it had “passed the issue on to their engineering team”. At the time of publication of their study, TikTok had not responded to their request.
