
Careful what you write, some can see it all!

While browsing the internet, most websites will ask users to enter email addresses into online forms. The reasons for this could vary – from subscribing to newsletters to buying a product. We’re all familiar with these forms - ones with a submit button at the end.

Everyone knows that websites routinely leak our email addresses to advertisers, marketers, and data brokers. But here’s another shocker.

Recent studies show that third-party scripts collect data even when we leave without submitting the form. And it's not just any data but information which can identify individuals across websites and social platforms. The exercise has significant monetization benefits for companies.

Leaky forms – how do they work?

The practice is disturbingly similar to how keyloggers work – where someone records what users are typing on their phone. In this case, a leaky online form operates the same way. The form looks harmless on the surface. Users may feel secure since they haven’t clicked the ‘submit’ button.

Research conducted by the University of Lausanne, Radboud University, and KU Leuven reveals that thousands of websites leak information before visitors hit a sign-up or submit button.

The study included 100,000 of the highest-ranking websites in the EU and U.S. Out of 2.8 million web pages accessed from the EU, 1844 websites were leaking email addresses regardless of ‘submit’ statuses.

When accessed from the U.S., 2590 of the same websites allowed data exfiltration – 60% higher than in the EU. Researchers attribute the difference in number to Europe’s GDPR, which clearly defines what personal data is. IP addresses, email addresses, cookies, or identification numbers are almost always considered personal data. Shockingly, several websites leaked user passwords to third-party scripts in a similar fashion.

The top culprits

The beauty/fashion sectors ranked at the top of the list of exfiltrating websites. E-commerce came a close second. The companies with the largest number of domains leaking user emails were Meta (unsurprisingly) and TikTok.

Both companies declare that they collect hashed personal data only when users click the submit button. These claims have turned out to be false. In fact, Meta and TikTok scripts collect data in dubious ways – through functions that don’t operate as submit buttons.
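A site owner can check their own pages for this behaviour. The sketch below is an added example, not code from the study or from any company named here: it scans a capture of outgoing requests for a typed email address, in plain, encoded, or hashed form, sent to a third party before submit. The capture format, function names, and hosts are assumptions, and the sample data is constructed.

```javascript
// Added example: audit a capture of network requests for a typed email address.
const crypto = require('crypto');

// Encodings of the address to look for: plain, URL-encoded, base64, common hashes.
function emailVariants(email) {
  const norm = email.trim().toLowerCase();
  const hash = (alg) => crypto.createHash(alg).update(norm).digest('hex');
  return {
    plain: norm,
    urlencoded: encodeURIComponent(norm),
    base64: Buffer.from(norm).toString('base64'),
    md5: hash('md5'),
    sha1: hash('sha1'),
    sha256: hash('sha256'),
  };
}

// requests: [{ url, body, beforeSubmit }] is an assumed capture format.
// Returns one finding per third-party request that carried the address
// before the user pressed submit.
function findPreSubmitLeaks(email, firstPartyHost, requests) {
  const variants = emailVariants(email);
  const findings = [];
  for (const req of requests) {
    if (!req.beforeSubmit) continue;
    const host = new URL(req.url).hostname;
    if (host === firstPartyHost || host.endsWith('.' + firstPartyHost)) continue;
    const raw = req.url + '\n' + (req.body || '');
    const lower = raw.toLowerCase();
    for (const [encoding, value] of Object.entries(variants)) {
      // base64 is case-sensitive; hex digests and addresses are not.
      const hit = encoding === 'base64' ? raw.includes(value) : lower.includes(value.toLowerCase());
      if (hit) { findings.push({ host, encoding }); break; }
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic); all hosts are placeholders.
const typed = 'alice@example.com';
const v = emailVariants(typed);
const sampleRequests = [
  { url: 'https://shop.example/api/check', body: `{"email":"${typed}"}`, beforeSubmit: true },
  { url: `https://tracker.example/collect?em=${v.sha256}`, body: '', beforeSubmit: true },
  { url: 'https://ads.example/px', body: `uid=${v.base64}`, beforeSubmit: true },
  { url: `https://tracker.example/collect?em=${v.sha256}`, body: '', beforeSubmit: false },
  { url: 'https://cdn.example/lib.js', body: '', beforeSubmit: true },
];
console.log(findPreSubmitLeaks(typed, 'shop.example', sampleRequests));
```

A hashed address is still a stable identifier, so the check treats a digest of the address the same as the address itself.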

Based on findings, users should be careful about what they type online and where. Until stricter privacy laws prevail, one should assume that trackers will collect the personal information we type into web forms without our consent. Enter yet another way that marketers insidiously collect data on unsuspecting individuals.

