Popular websites leaking user email data to web tracking domains

Data collected without consent and before forms are submitted in many cases, say researchers

Email addresses entered into online forms are often passed to web trackers before being submitted and without the user’s consent, a systematic study by computer scientists has found.

Email addresses – or identifiers derived from them – are apparently used by data brokers and advertisers for cross-site and cross-platform identification of computer users.

As part of an investigation into how data from online forms is used for tracking, a team of four IT experts measured the extent of email and password collection before form submission. by analyzing the top 100,000 websites.

Keep up to date with the latest privacy-related security news and analysis

The researchers – Asuman Senol from KU Leuven in the Netherlands, Mathias Humbert (University of Lausanne, Switzerland) and Gunes Acar and Frederik Zuiderveen Borgesius (both from Radboud University, Belgium) – compared the results from two points of sight, in the United States and in the EU. , as well as between mobile and desktop browsers.

Tracking areas

The team found that email addresses were exfiltrated to tracking domains before form submission and without consent on 1,844 websites in the EU crawl and 2,950 websites in the US crawl.

In the majority of cases, the data was pulled to well-known tracking domains, but the researchers also identified 41 tracking domains omitted from popular blocklists.

Profiling for ad serving purposes is not the only concern.

Researchers also identified seemingly unintentional password harvesting from 52 websites by third-party relay scripts.

A research paper (PDF) based on the study is to be presented at the upcoming Usenix ’22 security conference.

PREVIEW The research has come a long way, but gaps remain – security researcher Artur Janc on the state of the XS-Leaks

Internet users usually enter their email addresses into online forms for reasons such as registering for a service or subscribing to a newsletter.

Research shows that all data entered into such forms can end up in the hands of data brokers – sometimes even in cases where individuals are unsure about signing up for something and haven’t pressed “send”. “.

The researchers used an online crawler to systematically examine what happens when users log off before submitting data entered on forms.

GDPR Violation Issues

Although not a lawyer, Gunes Acar, one of the project’s four principal researchers, said The daily sip that the behavior of certain websites may be in violation of stricter data privacy regulations, such as the European Union’s General Data Protection Regulation (GDPR).

Clandestine exfiltration of emails for tracking purposes may violate certain GDPR principles such as transparency, purpose limitation, and legal basis, but we cannot say for sure whether individual websites violate GDPR. GDPR (or other laws) without going into the details,” Acar explained.

Nearly half of the sites contacted responded to researchers’ requests related to the GDPR (see sample answer here).

“Some websites said they were unaware that their visitors’ emails were being collected by third parties, and they fixed the issue,” Acar said. “It was the most positive result.

“Other websites have informed us of how they use emails collected through this behavior,” they added.

Countermeasures

Internet users concerned about their privacy may well recoil from the revelations, as summarized in a blog post with screenshots and videos.

Fortunately, some countermeasures are already available.

Acar explained: “Ad blockers (e.g. uBlock Origin) and privacy-focused browsers (Brave, DuckDuckGo) block requests to tracking and advertising domains, and therefore may prevent this type of data collection. Blocking cookies alone would not provide any protection.

“Mail relay services can be used to avoid giving the same email address to different online and offline businesses. Apple, DuckDuckGo, and Mozilla offer such services, which can be used to generate alias addresses,” concluded Acer.

The researchers developed a proof-of-concept browser plugin, Leak Inspectorwhich notifies users when their email address and passwords are removed from forms, in addition to blocking “leaked” requests to tracking domains.

“Unfortunately, the add-on is not available on the Chrome Web Store because it relies on APIs that Google disallows in Manifest v3,” Acar said. “We are working on publishing the add-on to the Firefox Add-ons Repository.”

RECOMMENDED Facebook account takeover: Researcher wins $40,000 bug bounty for chained exploit