This is one of the oldest fears on the Internet, one that over time has become almost a myth: that websites spy on every letter typed on our keyboard. In a recent study, the final version of which will be presented at the USENIX Security conference in August, cybersecurity researchers from three universities in the Netherlands, Switzerland and Belgium show that the myth is partly true.
To do this, they analyzed more than 2.8 million pages from the one hundred thousand most visited sites in the world. Their observation is clear: during a request from Europe, 1,844 of them retrieve the user’s email address even before the user has clicked the “send” button. “If there is a ‘submit’ button on a form, the most logical expectation is that you do something and only submit your data when you click on it,” Güneş Acar, a researcher in digital security at Radboud University and a member of the study, told the American magazine Wired. “We were very surprised by the results. We thought we might be able to find a few hundred sites where your email address is collected before sending it, but the result far exceeded our expectations.”
The number of sites using this practice is even higher when connecting from the United States (2,950 cases). That is a significant difference of 60% compared to Europe, which the scientists attribute in part to the General Data Protection Regulation (GDPR), which since 2018 has required a website to request a user’s consent before gathering information about them.
An automated process
How do sites do it? Specifically, before you have clicked the “submit” button, your email address is transmitted (in plaintext or hashed, that is, encrypted) to third-party sites, usually advertising companies, that collect the data and can create personalized ads. In Europe, for example, according to the researchers, most email addresses are sent to Taboola, an online advertising company.
In some cases, the process may resemble a keystroke recorder (a keylogger). The researchers were able to show that for some of the sites, the data was sent to third-party sites “character by character, while the user typed their address”. They attribute this behavior to “a fix program” that “collects user interactions with the page, including keystrokes and mouse movements”.
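The following sketch is an added illustration, not code from the study or from this article. It shows how an auditor could check a captured browsing session for the behavior described above: the typed address appearing, in plaintext, encoded or hashed form, in a request to a third party before the submit click. The address, the host names and the event format are constructed for the example, and the first-party test is a simplification.

```python
import base64
import hashlib
from urllib.parse import quote, urlsplit

def email_tokens(email):
    """Representations of the address to search for in outgoing traffic."""
    e = email.strip().lower()
    tokens = {e: "plaintext", quote(e, safe=""): "url-encoded",
              base64.b64encode(e.encode()).decode(): "base64"}
    for algo in ("md5", "sha1", "sha256"):
        tokens[hashlib.new(algo, e.encode()).hexdigest()] = algo
    return tokens

def site_of(host):
    # Simplification: last two labels. Real tooling should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def find_leaks(email, page_host, events):
    """events: chronological dicts, kind 'request' or 'submit' (constructed format)."""
    tokens, leaks = email_tokens(email), []
    for ev in events:
        if ev["kind"] == "submit":
            break  # traffic after the click is an expected submission
        host = urlsplit(ev["url"]).hostname or ""
        if site_of(host) == site_of(page_host):
            continue  # first-party request, out of scope for this check
        hay = ev["url"] + "\n" + ev.get("body", "")
        for tok, label in tokens.items():
            # hex digests and plaintext are matched case-insensitively
            if tok in hay or tok in hay.lower():
                leaks.append((host, label))
    return leaks

def sample_events(email):
    """Constructed capture: requests logged while a form is being filled in."""
    digest = hashlib.sha256(email.encode()).hexdigest()
    return [
        {"kind": "request", "url": "https://www.shop.example/check",
         "body": "email=" + email},
        {"kind": "request", "url": "https://collect.tracker.example/e?em=" + digest},
        {"kind": "request", "url": "https://ads.adnet.example/p",
         "body": "em=" + quote(email, safe="")},
        {"kind": "submit"},
        {"kind": "request", "url": "https://mail.newsletter.example/add",
         "body": "email=" + email},
    ]

if __name__ == "__main__":
    addr = "alice@example.com"  # constructed test address
    for host, form in find_leaks(addr, "www.shop.example", sample_events(addr)):
        print(f"{host}: address sent as {form} before submit")
```

Only the two third-party requests made before the click are reported; the first-party validation call and the post-submit newsletter request are not.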
Better to address the consumer
Among the sites that make the most use of this type of practice, the fashion-beauty category is at the forefront of the culprits, along with e-commerce. In contrast, public, government and military news sites account for less than 1% of observed leaks. The ranking makes sense in view of the desired goal: to encourage the Internet user to buy, since this process exists to better win over the consumer. Today, the study points out, simple cookies (small files stored on your computer or phone by the sites you visit) would no longer allow advertisers to accurately identify the visitor’s profile. “With the spread of users on different connected media, it’s not enough to crawl them on websites only,” the authors explain. However, they argue, “the email address is an ideal identifier because it is unique, persistent, and can even be used offline.”
These illegal transmissions also involve social media. In fact, the researchers found that Meta Pixel (owned by Meta, formerly Facebook) and TikTok Pixel, programs that are commonly used to track a visitor’s activity on a site to provide them with more relevant content, retrieved email addresses automatically. This collection takes place regardless of the type of site visited, for example an information or home-delivery site.
In Europe, this would affect more than seven thousand sites for Meta, and almost one hundred and fifty for TikTok. Asked by the researchers, Mark Zuckerberg’s social network responded in late March that it had “passed the problem to its team of engineers”. At the time of publication of the study, TikTok had not responded to their request.