Have you ever wondered how some websites know so much about you? Sure, they collect the information you give them when registering an account, and they track your visits using cookies, but that’s all, right?
Wrong. Some might also be key-logging you, a behavior that you’d expect from malware but not a legitimate website.
According to shocking new research conducted by a team of specialists from KU Leuven, Radboud University, and the University of Lausanne, key-logging sites aren’t just a hypothesis. They’re a reality. In fact, a significant number of websites actively record everything you type during your visit, including email addresses and passwords, even if you never click the “Submit” button.
How does the tracking work?
Let’s say, for example, you want to register for a newsletter, and you type your e-mail address, but at the last moment, you change your mind and delete it. Chances are, that site still recorded your e-mail address, even if you didn’t tap the “Submit” button. Did you start filling out a form and abandon it halfway through? It doesn’t matter, because everything you typed has been submitted anyway.
“If there’s a Submit button on a form, the reasonable expectation is that it does something—that it will submit your data when you click it,” says Güneş Acar, a professor and researcher in Radboud University’s digital security group. “We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far.”
According to the research, out of 100,000 tested websites, 1,844 websites gathered an EU user’s email address without their consent, and 2,950 logged a US user’s email in some form. On top of that, the researchers also found 52 websites in which third parties, including the Russian giant Yandex, were collecting password data before submission.
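One way to check a site for the behavior described above, shown as an added example that is not part of the article or the researchers' tooling: given a capture of the requests a page sent, flag any request that left before the form was submitted and carries the typed address in plain, URL-encoded, Base64, or hashed form. The capture format (`time`, `url`, `body`), the host names, and the set of encodings are assumptions made for illustration.

```javascript
// Added example (not from the study): find typed values in requests sent before submit.
const nodeCrypto = require("node:crypto");

// Encodings a typed value may travel under (assumed set, not exhaustive).
function encodedForms(value) {
  const hash = (alg) => nodeCrypto.createHash(alg).update(value).digest("hex");
  return {
    plain: value,
    urlencoded: encodeURIComponent(value),
    base64: Buffer.from(value, "utf8").toString("base64"),
    md5: hash("md5"),
    sha256: hash("sha256"),
  };
}

// Report each request sent before submitTime (null = form never submitted) whose
// URL or body contains the typed value in any encoding above.
function findPreSubmitLeaks(typedValue, pageHost, requests, submitTime) {
  const forms = Object.entries(encodedForms(typedValue.trim().toLowerCase()));
  const leaks = [];
  for (const req of requests) {
    if (submitTime !== null && req.time >= submitTime) continue; // sent on submit: expected
    const haystack = `${req.url}\n${req.body || ""}`;
    const hit = forms.find(([, needle]) => haystack.includes(needle));
    if (!hit) continue;
    const host = new URL(req.url).hostname;
    const thirdParty = host !== pageHost && !host.endsWith("." + pageHost);
    leaks.push({ host, encoding: hit[0], thirdParty });
  }
  return leaks;
}

// Constructed sample: the visitor typed an address, deleted it, and never clicked Submit.
const EMAIL = "alice@example.test";
const SAMPLE_REQUESTS = [
  { time: 1200, url: "https://shop.example.test/static/app.js", body: "" },
  { time: 3400, url: "https://tracker.example.net/collect?e=" + encodeURIComponent(EMAIL), body: "" },
  { time: 3900, url: "https://stats.example.org/e", body: JSON.stringify({ h: encodedForms(EMAIL).sha256 }) },
  { time: 4100, url: "https://shop.example.test/draft", body: "v=" + encodedForms(EMAIL).base64 },
];

function runSample() {
  return findPreSubmitLeaks(EMAIL, "shop.example.test", SAMPLE_REQUESTS, null);
}

console.log(runSample());
```

Hashing or encoding the address does not stop it from working as an identifier, which is why the check looks for those forms as well as the plain text.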
But who’s doing this? And why?
Surprisingly enough, many of the sites have no intention of data-logging users; however, they incorporate third-party marketing and analytics services that force the behavior. Furthermore, a difference in legislation between the US and the EU, which has tougher privacy regulations, including the General Data Protection Regulation (GDPR), might explain the regional differences, as some companies are probably more careful when tracking users.
Phasing out cookies altogether, however, isn’t a universal solution for boosting privacy, says Güneş Acar, a researcher who has unmasked keylogging before. In his opinion, this will only force marketers and advertisers to rely more on static IDs like phone numbers and email addresses.
“The privacy risks for users are that they will be tracked even more efficiently; they can be tracked across different websites, across different sessions, across mobile and desktop,” Acar says. “An email address is such a useful identifier for tracking, because it’s global, it’s unique, it’s constant. You can’t clear it like you clear your cookies. It’s a very powerful identifier.”
How can you protect yourself?
Interested in protecting your Online Privacy and learning about your Digital Footprint? Visit Cyberpedia, our dedicated educational zone, and find out more about how your personal information can be exploited, how a VPN can boost your online privacy, and how our Digital Identity Protection (DIP) service can help you.