Startling Report Claims Popular Websites Secretly Collect Your Data Similar To A Keylogger

When you fill out an online form and hit the submit button, you're willingly transmitting your personal data to the website and any third parties you may have agreed to in the fine print. That's fair game. However, an alarming security report suggests your data is sometimes transmitted even if you change your mind and never hit submit.

The average user is likely to assume that abandoning a web form before submitting their information and closing out the browser window would prevent their inputted data from reaching unwanted eyeballs. But should you change your mind midway through, it might already be too late. Apparently some web forms collect your data as you switch from one field to the next, highlighting the need for better data collection transparency.

Researchers at KU Leuven, Radboud University, and University of Lausanne say that thousands of the top 100,000 websites they evaluated engaged in this behavior, Wired reports. In many cases, researchers found that offending sites scooped up an inputted email address without permission. And while investigating password leaks, the researchers also found that dozens of sites collected passwords through third parties before the user ever hit the submit button. The push for a passwordless future can't come fast enough.

"We were super surprised by these results. We thought maybe we were going to find a few hundred websites where your email is collected before you submit, but this exceeded our expectations by far," said Güneş Acar, one of the lead researchers.

The researchers liken this kind of data collection to a keylogger, which is installed on the sly (via software or hardware) to secretly record a person's keystrokes. And indeed, they note that some websites did actually log data by keystrokes, though by and large they collected complete fields of data when moving from one to the next.

"In some cases, when you click the next field, they collect the previous one, like you click the password field and they collect the email, or you just click anywhere and they collect all the information immediately," says Asuman Senol, one of the study's co-authors. "We didn’t expect to find thousands of websites; and in the US, the numbers are really high, which is interesting."

This isn't necessarily intentionally malicious behavior. When the researchers asked the offending websites for an explanation, some of them said it could be related to the difficulty in discerning between a "submit" action and other types of actions on a webpage. And it's typically third-party marketing and analytics services that are collecting data before the user hits submit.

While some of the explanations may be valid, they don't ease any privacy concerns stemming from this behavior. This is especially concerning as sites begin to transition away from cookies to tracking users based on static IDs like email addresses and phone numbers.
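
The behavior described above, field values leaving the page before the submit button is pressed, can be checked for in a recorded trace of a page visit. The JavaScript (Node.js) below is an added example, not code from the study or from this article; the trace format, host names and typed values are constructed, and looking for URL-encoded and Base64 forms of a value is an assumption that goes beyond what the article states.

```javascript
// Constructed trace of one visit to a sign-up page (not captured from a real site).
// Assumed event shapes: 'input' (value typed into a field), 'request' (outgoing
// network request), 'submit' (the visitor pressed the submit button).
const sampleTrace = [
  { t: 1, type: 'input', field: 'email', value: 'alice@example.com' },
  { t: 2, type: 'request', host: 'tracker.example',
    url: 'https://tracker.example/c?e=alice%40example.com', body: '' },
  { t: 3, type: 'input', field: 'password', value: 'hunter2!' },
  { t: 4, type: 'request', host: 'analytics.example',
    url: 'https://analytics.example/b', body: '{"d":"aHVudGVyMiE="}' },
  { t: 5, type: 'request', host: 'shop.example',
    url: 'https://shop.example/api/cart', body: '{"items":2}' },
  { t: 6, type: 'submit' },
  { t: 7, type: 'request', host: 'shop.example',
    url: 'https://shop.example/signup', body: 'email=alice%40example.com' },
];

// Forms in which a typed value may appear on the wire.
function encodings(value) {
  return [
    ['plain', value],
    ['urlencoded', encodeURIComponent(value)],
    ['base64', Buffer.from(value, 'utf8').toString('base64')],
  ];
}

// Report every request sent before 'submit' that carries a value typed so far.
function findPreSubmitLeaks(trace, firstPartyHost) {
  const typed = new Map(); // field name -> latest typed value
  const leaks = [];
  for (const ev of trace) {
    if (ev.type === 'submit') break; // traffic after submit is expected
    if (ev.type === 'input') { typed.set(ev.field, ev.value); continue; }
    if (ev.type !== 'request') continue;
    const haystack = `${ev.url}\n${ev.body || ''}`;
    for (const [field, value] of typed) {
      if (value.length < 4) continue; // very short values match by accident
      const hit = encodings(value).find(([, needle]) => haystack.includes(needle));
      if (hit) {
        leaks.push({ t: ev.t, field, encoding: hit[0], host: ev.host,
                     thirdParty: ev.host !== firstPartyHost });
      }
    }
  }
  return leaks;
}

console.log(findPreSubmitLeaks(sampleTrace, 'shop.example'));
```

The request at `t: 7` is not reported because it follows the submit event; the two third-party requests at `t: 2` and `t: 4` are.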