Third-Party Companies Are Collecting Form Data Without User Consent gizmodo.com

Kashmir Hill and Surya Mattu, Gizmodo:

If you’re daydreaming about buying a home or need to lower the payment on the one you already have, you might pay a visit to the Quicken Loans mortgage calculator. You’ll be asked a quick succession of questions that reveal how much cash you have on hand or how much your home is worth and how close you are to paying it off. Then Quicken will tell you how much you’d owe per month if you got a loan from them and asks for your name, email address, and phone number.

You might fill in the contact form, but then have second thoughts. Do you really want to tell this company how much you’re worth or how in debt you are? You change your mind and close the page before clicking the Submit button and agreeing to Quicken’s privacy policy.

But it’s too late. Your email address and phone number have already been sent to a server at “murdoog.com,” which is owned by NaviStone, a company that advertises its ability to unmask anonymous website visitors and figure out their home addresses. NaviStone’s code on Quicken’s site invisibly grabbed each piece of your information as you filled it out, before you could hit the “Submit” button.

Quicken is just one of over a hundred websites known by BuiltWith that use NaviStone. This technique seems completely unethical to me, but NaviStone isn’t the only company providing tracking services for partially-completed form data: FormStack — which cites Delta Airlines, Netflix, Twitter, and Stanford as clients — highlights their version of the feature on their website. Gravity Forms, a popular WordPress plugin, has available a partial entries add-on. FormRescue has on its homepage a demo of cancelling a form entry and being opted into an email marketing list — something that’s entirely illegal in Canada.

Some of this functionality is optional, such as the Gravity Forms add-on and the FormStack functionality. But you, as a user, would never know which websites you visit are using scripts like these to disclose your partially-completed form entries to third parties without your explicit consent.