Some of the top 100,000 websites collect data from their online forms even before you hit the Submit button, a study conducted by researchers has revealed. In some cases, these top-visited websites were even collecting their visitors' password data without user consent. A large number of the websites that collect personal data, including users' email addresses, without prior permission appear to do so because of third-party trackers integrated for advertising and marketing purposes.
Conducted by researchers from Leuven, Radboud University, and University of Lausanne, the study is based on a system that enabled crawling and analysis of the top 100,000 websites from two different locations: the European Union and the US. It shows that of the total number of websites analysed, as many as 1,844 websites captured data including email addresses of visitors from the EU region without their consent. In the case of a visitor coming from the US, that number increases to 2,950 websites, per the research.
In most cases, the trackers receiving user data from the analysed websites belonged to companies including Meta and TikTok. However, the researchers also noticed 41 previously unknown tracker domains that were capturing user data from the top websites before users hit the Submit button.
While conducting the study, the researchers notably avoided considering cases in which websites might have legitimate reasons for collecting email addresses of users before submission. For instance, in some cases, websites check whether an email or username is already available in the database.
Nevertheless, the researchers discovered many popular websites where online trackers were capturing email addresses before the user gave consent.
In the US, the top-ten websites where email addresses were found to be leaked to trackers include USAToday, Business Insider, Fox News, Time, and Trello, while in the EU, the list includes Independent, Shopify, Newsweek, and Marriott.
The researchers also found 52 websites in which third parties including Russia’s Yandex were incidentally collecting passwords before submission. Yandex rolled out a fix to prevent password collection after the research group reached out.
“Based on our findings, users should assume that the personal information they enter into Web forms may be collected by trackers—even if the form is never submitted,” the researchers said in an 18-page paper detailing their study. “Considering its scale, intrusiveness and unintended side-effects, the privacy problem we investigate deserves more attention from browser vendors, privacy tool developers, and data protection agencies.”
Alongside the regular capture of email addresses, the researchers noticed that trackers from Meta and TikTok were in some cases collecting hashed personal information from Web forms. An “advanced matching” feature was found to be responsible for capturing hashed user data, including email addresses, before submission.
“We believe the leaks are due to Facebook’s script interpreting clicks on irrelevant buttons as ‘submit button clicked’ events,” the researchers said.
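An added example, not taken from the paper or this article: one way a site owner could audit a recorded browsing session for the behaviour described above, checking third-party requests sent before submission for a typed email address in plaintext, Base64 or hashed form. The request record fields, the hostnames and the set of encodings checked are assumptions of this example, and the sample capture is constructed.

```python
import base64
import hashlib
from urllib.parse import unquote

def email_encodings(email):
    """Forms in which a typed email may appear in an outgoing request."""
    norm = email.strip().lower()  # assumption: value is trimmed and lowercased before hashing
    raw = norm.encode()
    return {
        "plaintext": norm,
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def find_leaks(email, first_party, requests):
    """Return (host, encoding) for third-party requests sent before submit that carry the email."""
    needles = email_encodings(email)
    leaks = []
    for req in requests:
        host = req["host"]
        if req["after_submit"] or host == first_party or host.endswith("." + first_party):
            continue  # post-submit and first-party traffic (e.g. availability checks) is out of scope
        raw = req["url"] + "\n" + req.get("body", "")
        haystack = raw + "\n" + unquote(raw)  # also match percent-encoded values
        for label, needle in needles.items():
            if needle in haystack or needle in haystack.lower():  # hex digests may be upper case
                leaks.append((host, label))
    return leaks

# Constructed sample capture; after_submit marks requests that followed a click on Submit.
EMAIL = "probe@example.test"
FIRST_PARTY = "shop.example"
SAMPLE_REQUESTS = [
    {"host": "shop.example", "url": "https://shop.example/api/email-taken?e=probe%40example.test", "after_submit": False},
    {"host": "tracker-a.example", "url": "https://tracker-a.example/collect?em=probe%40example.test", "after_submit": False},
    {"host": "pixel.tracker-b.example", "url": "https://pixel.tracker-b.example/tr",
     "body": '{"em":"%s"}' % hashlib.sha256(EMAIL.encode()).hexdigest().upper(), "after_submit": False},
    {"host": "tracker-c.example", "url": "https://tracker-c.example/c?e=probe@example.test", "after_submit": True},
]

if __name__ == "__main__":
    for host, encoding in find_leaks(EMAIL, FIRST_PARTY, SAMPLE_REQUESTS):
        print(f"pre-submit leak to {host}: email as {encoding}")
```

Using a unique probe address per test run keeps matches unambiguous, and the hashed-form check is what surfaces identifiers that a plaintext search of the capture would miss.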
Gadgets 360 has reached out to both Meta and TikTok for clarity on the study and will update this article when the companies respond.
Apple and other tech giants have started blocking third-party cookies and trackers to help reduce online tracking of users. However, tracking online visitors through email addresses could give marketers an effective solution despite the ongoing restrictions.
The researchers also noted in their co-authored paper that email addresses work as an “ideal identifier” and help fill the gap for online trackers, as they allow tracking across platforms and over a longer term compared with other such parameters.
The findings from the research will be presented in detail at the Usenix security conference in August.