The “Enter” key is not a valid defense for protecting sensitive digital data

When you sign up for a newsletter, register on a website, purchase a ticket, book a hotel room, or check out online, the common assumption is that if you misspell your e-mail address or change your mind, you can simply leave the page and that will be the end of it. According to popular perception, nothing happens until the “Send” button is pushed, and the data we enter does not go anywhere until we press submit. That is not the case. Our information has already been transferred. After analyzing more than 100,000 websites, a group of researchers from KU Leuven, Radboud University, and the University of Lausanne discovered that a staggering number of websites secretly collected everything typed into an online form, even if users changed their minds and left the site without pressing the Enter key.

Our electronic mail

Our email addresses are at the center of this story.

Because IT companies are gradually shifting away from cookie-based user tracking for privacy reasons, marketers are increasingly depending on static identifiers like phone numbers and email addresses. “Tracking people on the Internet with cookies is becoming increasingly problematic for many companies,” said Güneş Acar, a Radboud University professor and researcher who led the research team.

Collection without permission

The study employed software that acted like a real user, visiting websites and filling out login or registration pages without submitting them, and discovered that 1,844 websites throughout the EU had acquired users’ email addresses without their knowledge. It was even worse in the United States, with 2,950 sites doing so.
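
The check described above (fill in a form, do not submit it, then look for the typed address in outgoing traffic) can be sketched as follows. This is an added example, not the researchers' tool: the request records, hostnames, function names, and the set of encodings searched are constructed assumptions.

```python
import base64
import hashlib
from urllib.parse import unquote_plus

def encodings(email):
    """Forms in which a typed address may appear in a request (assumed set)."""
    raw = email.strip().lower().encode()
    return {
        "plain": raw.decode(),
        "base64": base64.b64encode(raw).decode().rstrip("="),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def find_presubmit_leaks(requests, email, page_host, submit_ts=None):
    """Return (host, encoding) for each third-party request that carried the
    address before the form was submitted (submit_ts=None: never submitted)."""
    leaks = []
    forms = encodings(email)
    for req in requests:
        if submit_ts is not None and req["ts"] >= submit_ts:
            continue  # sent at or after submit: the expected behaviour
        host = req["host"]
        if host == page_host or host.endswith("." + page_host):
            continue  # first-party request, not third-party collection
        raw = (req["url"] + " " + req.get("body", "")).lower()
        decoded = unquote_plus(raw)  # also catches URL-encoded values
        for name, value in forms.items():
            # Case-insensitive match: may over-match base64, never under-match.
            if value.lower() in raw or value.lower() in decoded:
                leaks.append((host, name))
    return leaks

# Constructed sample capture: one record per outgoing request.
EMAIL = "alice@example.test"
SAMPLE = [
    {"ts": 1.0, "host": "shop.example.test",
     "url": "https://shop.example.test/validate?email=alice%40example.test"},
    {"ts": 2.0, "host": "tracker.example.net",
     "url": "https://tracker.example.net/c?e=alice%40example.test"},
    {"ts": 3.0, "host": "pixel.example.org", "url": "https://pixel.example.org/tr",
     "body": "em=" + hashlib.sha256(EMAIL.encode()).hexdigest()},
    {"ts": 4.0, "host": "cdn.example.com", "url": "https://cdn.example.com/lib.js"},
    {"ts": 9.0, "host": "tracker.example.net",
     "url": "https://tracker.example.net/c?e=alice%40example.test"},
]

if __name__ == "__main__":
    for host, form in find_presubmit_leaks(SAMPLE, EMAIL, "shop.example.test", 5.0):
        print(f"pre-submit leak to {host} ({form})")
```

Hashed or encoded values are searched as well as the plain address because a request that never contains the readable address can still carry a stable identifier derived from it.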

The authors of the study stated that “given its scope, intrusiveness, and unforeseen side consequences, the privacy issue we analyze warrants further attention from browser makers, privacy tool developers, and data protection bodies.”

Services in marketing and data analysis

The truth is that many websites use third-party marketing and analytics services that collect form data regardless of whether or not it is submitted. “We were extremely startled by these results,” Güneş Acar remarked. “If there is a ‘Submit’ button on a form, the fair expectation is that it will do something that will transfer your data when you click.” “We expected to uncover a few hundred sites where emails are logged before they are sent, but this much exceeded our expectations.”

The researchers discovered that international newspapers were among the websites where email addresses were collected in Europe. After publishing the study, the researchers discovered that Meta and TikTok were also collecting data from other websites using their own invisible marketing trackers.

On websites that employed Meta Pixel or TikTok Pixel, code snippets that allow website domains to track visitor activity, the “automatic advanced matching” feature allowed the social media networks to acquire data from advertisers’ websites.

So, what exactly happened? The researchers discovered that when you provided an email address on a page using one of these pixels, personal data was collected by Meta or TikTok when users clicked on most buttons or links that took them away from that page.

According to the findings, 8,438 sites in the US may have sent data to Meta via its Pixel, while 7,379 sites may have been affected for EU users.

How does tracking work?

The researchers, who will present their findings at the Usenix security conference in August, pointed out that the method is essentially the same as that of so-called key loggers, malicious applications that record everything a subject types. The researchers did see some variations in this technique, though. Some sites recorded data keystroke by keystroke, while others saved complete entries when visitors clicked on the next field.

The distinctions

“In some cases, when you click on the next field, they collect the previous one,” explained Asuman Senol, a researcher at KU Leuven and study co-author. “For example, if you click on the password field, they collect the e-mail, or you simply click anywhere and they collect all the information immediately.” We weren’t expecting to come across thousands of webpages. The statistics in the United States are really high, which is intriguing.

According to the researchers, the disparities could be attributable to the EU General Data Protection Regulation, which requires enterprises to be more cautious about user tracking and integrate with fewer third parties. However, they emphasize that this is merely a possibility.

“The concern,” according to Güneş Acar, “is that users will be watched even more efficiently: they will be observed across several websites, sessions, and mobile and desktop devices.” “Because it is worldwide, unique, and constant, an email address is a very valuable identifier for tracking. You can’t remove it like you can cookies. It’s a highly effective identifier.”

By Editor