The Issue – Thousands of popular websites covertly harvest personal information typed into forms without users’ consent
When you’re filling in a form on a website, it may seem logical that what you’ve typed will only be processed once you hit the ‘submit’ button. However, the reality is that many popular websites contain scripts from third-party advertising, analytics and tracking firms which covertly collect the data that users type into online forms – even if this information is never formally submitted or you unsubscribe. This data is then monetised for targeted advertising and can also be used to track users across a range of devices.
Professor Mathias Humbert from HEC Lausanne, University of Lausanne, is one of a team of researchers who have analysed how the 100,000 most popular websites handle personal information typed into web forms to try to get to the bottom of this important issue (see the article Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission).
Their data shows that nearly 2,000 (1,844) websites gathered an EU user’s email address without their consent, and the situation was even worse in the US where almost 3,000 (2,950) had logged a US user’s email in some form.
Why it’s important
The collection of personal information from users without their consent is a breach of trust which violates users’ expectations of what should happen when they choose to abandon a form submission. Additionally, it shows a disregard for the importance of transparency and raises questions as to whether privacy legislation such as GDPR is adequate in stopping this sort of abuse.
What our professor has to say
According to Professor Humbert, there are positive developments on the horizon, as the team have already developed a browser extension/add-on which will let people know in advance if their data risks being used. In the meantime, his advice is to think twice before you input personal information into online forms, and ensure that you really do want to sign up for a newsletter or to create an online account before providing any personal information about yourself.
The research findings highlight a new dimension of online tracking, which is being done by stealth and without the