Email and Password Exfiltration Before Form Submission

Leaky Forms is a new study by Asuman Senol, Gunes Acar, Mathias Humbert, and Frederik Zuiderveen Borgesius (emphasis theirs):

Email addresses — or identifiers derived from them — are known to be used by data brokers and advertisers for cross-site, cross-platform, and persistent identification of potentially unsuspecting individuals. In order to find out whether access to online forms are misused by online trackers, we present a measurement of email and password collection that occur before form submission on the top 100K websites.

These researchers received marketing emails from some of the leaky sites where, I will repeat, they never submitted a form. Their typed email address was captured and whisked into the ad tech and data broker machinery without their explicit consent. When using a U.S.-based crawler to assess these forms, researchers found a greater proportion of incidents (PDF, section 4.3) of email address collection than when they used an E.U.-based crawler, “perhaps due to stricter data protection regulations”.

The worst offenders were, according to researchers, fashion and beauty websites, with shopping and general news sites in second and third places. Notably more private: porn sites, the only category for which not a single one was found to have leaky forms.