Ad-tech firms grab email addresses from forms before they're even submitted

Tracking, marketing, and analytics firms have been exfiltrating the email addresses of internet users from web forms prior to submission and without user consent, according to security researchers. Some of these firms are said to have also inadvertently grabbed passwords from these forms. In a research paper scheduled to …

  1. Headley_Grange Silver badge

    GDPR?

    I started an order with John Lewis and got as far as filling in my details on the order form before the process crashed due to my blockers and for one reason or another I never completed the order. John Lewis started sending me marketing emails shortly after that. I complained and they pointed to the incomplete order being a "relationship" under GDPR rules that permitted them to send me stuff. I raised a case with the ICO and they confirmed that, by completing the form, even though I'd not submitted it or given informed consent, this constituted enough of a relationship under the GDPR regs for John Lewis to send me marketing mail as long as there was a clear way to unsubscribe.

    1. thosrtanner
      Pint

      Re: GDPR?

      not sure whether I should upvote that (detailing the problem) or downvote it (because arrggh)

      So have one of these to drown your sorrows ------------------>

      1. Version 1.0 Silver badge
        Joke

        Re: GDPR?

        I've been moving my mouse cursor over the downvote button for ten minutes now and it seems that El Reg is not behaving badly ... LOL, I would not actually downvote your post, I just verified that visiting El Reg appears to be completely safe!

    2. Cederic Silver badge

      Re: GDPR?

      I really don't understand the ICO's position there. As you say, you didn't provide informed consent, and claiming a relationship because you happened to use their website really does not sound like the law being interpreted as intended - otherwise all tracking would become legal.

      You're now making me regret buying two 'white goods' appliances from them in the last six weeks :(

      1. VoiceOfTruth

        Re: GDPR?

        -> I really don't understand the ICO's position there.

        You indeed do not understand. The ICO is a pretend-we-care-about-the-consumer thing from the government. Look how they 'fine' cold marketing callers 0.0001 pence per call. In general, the government hates the consumer and loves the businessman.

        1. MrReynolds2U

          Re: GDPR?

          They are quite happy to throw fines at unknown companies.

          Not so hot on actually collecting said fines though.

    3. Mike 137 Silver badge

      Re: GDPR?

      "even though I'd not submitted it or given informed consent"

      Recital 44 states "Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract" and Article 6(1)(b) states "(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"

      Unfortunately, as reported, the ICO seems in this case to have interpreted the filling in of the unsubmitted form as constituting a 'request' associated with an intent to enter into a contract.

      That's pretty far fetched as, in normal interpretation, hitting the submit button would be considered as making the 'request', but since the GDPR came into force the ICO appears to have consistently tried to avoid getting involved in low key individual cases, concentrating instead on high profile large scale breaches of trust and data leakages. Consequently, it is possible that decisions in such individual cases might sometimes be subject to liberal interpretation of the law.

      I have myself been informed by an ICO case officer that it is lawful for an organisation not to disclose all processing conducted on the basis of legitimate interest, but when I challenged that I was told that it was only 'an opinion' and I was entitled to pursue the matter in court at my own expense. That 'opinion' of course specifically contravenes the Regulation, as it denies data subjects their statutory right to object to specific processing on that basis by allowing it to be concealed from the data subject. However, as the regulator, the ICO is the arbiter, so there's nowhere affordable to go to challenge it.

      So much for the reality of data protection. This sort of decision clearly encourages the 'box ticking' pseudo compliance which HMG are now seeking to 'eliminate' (i.e. bury under a cloud of vague "results oriented" directives). It has even been recommended that the Article 30 requirement to maintain records of processing should be eliminated as too burdensome, despite such records being the sole evidential reference point for ensuring that processing remains lawful. I suspect we're doomed.

      1. Alan Brown Silver badge

        Re: GDPR?

        "That 'opinion' of course specifically contravenes the Regulation, as it denies data subjects their statutory right to object to specific processing on that basis by allowing it to be concealed from the data subject. "

        The action in that case ought to be against the ICO for thwarting the will of Parliament.

      2. sniperpaddy

        Re: GDPR?

        The ICO sounds more like a Russian state apparatus than an honest information organization.

        Taking back control, eh? Brexit! The gift that keeps on giving!!

        1. cyberdemon Silver badge
          Devil

          Re: GDPR?

          Well, obviously "taking back control" meant giving the tories the power to dispense with any rules that stop them from: Giving billions of pounds of public money to their mates, cracking down on any form of opposition to their power, and screwing over the general public for the benefit of their corporate sponsors.

          As one AC put it: The consumer is meant to consume, not complain.

    4. Anonymous Coward

      Re: GDPR?

      "Tracking, marketing, and analytics firms have been exfiltrating the email addresses of internet users from web forms prior to submission and without user consent, according to security researchers."

      I would bet every form that starts telling you that your email address isn't valid from the first letter until you complete typing it in has uploaded everything before you hit submit. The submit button is only there to confirm you really intended to submit.
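      The bet above can be checked against a recorded request trace. What follows is an added example, not code from the article or the paper: the event trace, the first-party host and the tracker hostname are constructed, and the hashed forms are checked on the assumption that some trackers send a digest of the address rather than the plain text.

      ```python
      """Flag third-party requests that carry a typed form value before the form is submitted.

      Added example, not from the article or the paper. The trace below is constructed by
      hand to resemble what browser network/DOM instrumentation would record.
      """
      import hashlib
      from urllib.parse import quote, urlparse

      FIRST_PARTY = "shop.example"  # constructed first-party site

      # Constructed trace: events in the order the browser saw them (t = seconds).
      TRACE = [
          {"t": 1.0, "type": "input", "field": "email", "value": "alice@example.org"},
          # First-party live validation call: expected, not a leak.
          {"t": 1.5, "type": "request", "url": "https://shop.example/api/validate",
           "body": "email=alice%40example.org"},
          # Third-party beacon carrying an MD5 of the typed address before submit.
          {"t": 2.0, "type": "request",
           "url": "https://tracker.example/collect?e=" + hashlib.md5(b"alice@example.org").hexdigest(),
           "body": ""},
          # Unrelated third-party script load: no form data.
          {"t": 2.5, "type": "request", "url": "https://cdn.example/lib.js", "body": ""},
          {"t": 3.0, "type": "submit"},
          # After submit the data is expected to travel; not reported.
          {"t": 3.1, "type": "request", "url": "https://tracker.example/collect",
           "body": "email=alice@example.org"},
      ]


      def encodings(value):
          """Representations of a typed value we would recognise inside a request.
          Hash forms are an assumption: trackers are checked for digests as well as plain text."""
          raw = value.encode()
          return {
              "raw": value,
              "urlencoded": quote(value, safe=""),
              "md5": hashlib.md5(raw).hexdigest(),
              "sha1": hashlib.sha1(raw).hexdigest(),
              "sha256": hashlib.sha256(raw).hexdigest(),
          }


      def is_third_party(url, first_party):
          """True unless the request host is the first-party site or one of its subdomains."""
          host = (urlparse(url).hostname or "").lower()
          return not (host == first_party or host.endswith("." + first_party))


      def find_pre_submit_leaks(trace, first_party=FIRST_PARTY):
          """Return third-party requests sent before 'submit' that contain a typed field value."""
          typed = {}  # field -> latest value typed into it
          leaks = []
          for ev in trace:
              if ev["type"] == "submit":
                  break  # everything after the submit is the expected transfer
              if ev["type"] == "input":
                  typed[ev["field"]] = ev["value"]
                  continue
              if ev["type"] != "request" or not is_third_party(ev["url"], first_party):
                  continue
              haystack = (ev["url"] + " " + ev.get("body", "")).lower()
              for field, value in typed.items():
                  for enc, needle in encodings(value).items():
                      if needle and needle.lower() in haystack:
                          leaks.append({"t": ev["t"], "field": field, "encoding": enc,
                                        "host": urlparse(ev["url"]).hostname})
                          break  # one report per request and field is enough
          return leaks


      if __name__ == "__main__":
          for leak in find_pre_submit_leaks(TRACE):
              print(f"t={leak['t']}: '{leak['field']}' sent to {leak['host']} as {leak['encoding']} before submit")
      ```

      Only the latest value of each field is matched, so a tracker that ships every keystroke separately would need the per-keystroke prefixes added to the comparison.
      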

      1. John Brown (no body) Silver badge

        Re: GDPR?

        "The submit button is only there to confirm you really intended to submit."

        That should be the "informed consent" part.

    5. steelpillow Silver badge
      Facepalm

      Re: GDPR?

      "as long as there was a clear way to unsubscribe."

      Presumably the first step would be to complete the form and submit it, in order to create and access your account with the unsubscribe button.

      This kind of shit happens a lot; there are many sites I simply will not open up enough blockers to do business with, so I just go to a competitor. They never seem to grok that it is their loss, not mine.

      1. Mike 137 Silver badge

        Re: GDPR?

        "Presumably the first step would be to complete the form and submit it, in order to create and access your account with the unsubscribe button"

        Exactly what is expected in several actual cases I've examined. And sadly, because of the specific wording of the legislation (in English at any rate) that would appear to be strictly lawful, even if unreasonable in principle.

        Indeed in one case an organisation that acted as a processor for others but nevertheless retained for its own internal use profiles of data subjects contracting via it with those others, informed me that my sole recourse to avoid said profiling was to issue an Article 17 Right to Erasure request after every transaction. As such transactions were forced on me by the third parties with which I wished to do business choosing to make use of this processor, that seemed to me quite unreasonable, but the ICO didn't even blink at it as there was a statutory right and I was free to exercise it. Letter of the law yet again.

      2. Martin-73 Silver badge

        Re: GDPR?

        I tend to shitcan the domain into my spam folder (yes, I use a popular advertiser's webmail feature; I'm aware of the issues but have done a risk assessment ;) ). That way the AI learns that domain is a spammer. The more people who do this, the less effective their marketing emails will be. Hit the buggers in the wallet.

    6. Ian Johnston Silver badge

      Re: GDPR?

      You complained to JLP and raised a case with the ICO, rather than click on the "unsubscribe" button on the first email you were sent? Golly, I wish I had as much time on my hands as you seem to have.

      1. Cederic Silver badge

        Re: GDPR?

        Sometimes it's the principle that matters.

        In February I encountered a system failure that prevented my car parking payment being processed.

        I wrote to the car park operator, letting them know.

        They sent me a PCN, I told them off, they told me to appeal, I appealed, they rejected my appeal but did offer me a reduction from £100 to the £15 fee plus a £5 admin charge. So I wrote back and they changed it to £0 parking fee and £20 admin charge.

        So I took the case to Popla, and midway through that process the car park operator tried to charge me £100 again and threatened a 'debt recovery fee'.

        Which means that although Popla have now ruled in my favour I'm going to keep going, and pursue these cowboys. Because it's the principle that matters.

        My total outlay thus far: minus fifteen pounds, as I never did pay for parking. Sure, there's some of my time involved, but everybody needs a hobby.

      2. ITMA Silver badge

        Re: GDPR?

        A bit of an old thread but I thought worth adding this to it.

        I encountered a problem with the RBS Mobile Banking App (Android). If I try to go to the "Manage my cards" section it DEMANDS I select one of the Google accounts on my phone. Something which you can't get past to get at the card management functions.

        The brain dead morons who wrote the app bundled the Google Pay bits in with card management and ASSUMED that anyone going into that part of the app MUST be wanting to setup/use Google Pay.

        WRONG! VERY VERY WRONG!!!

        I raised this as an official complaint with RBS and the official reply was "We've followed our complaints process and happen to disagree that this is a problem - fuck off".

        So this is now a complaint against RBS directly with the FSA on the grounds that they are demanding I supply them with data they do not need and have no right to before they will allow me access to the card management functions in the app, despite them having nothing to do with Google Pay. Plus they have handled it in a really poxy way.

        Oh I also complained about them ramming charity begging messages down my throat AFTER I had logged into the app WITHOUT my consent.

    7. Alan Brown Silver badge

      Re: GDPR?

      Britain, the best ICO that money can buy

    8. Anonymous Coward

      Re: GDPR?

      I had a similar thing with Box. The guy did the honorable thing and told them about it. I did the opposite thing and bad mouthed them on recommendations. Much more satisfying.

  2. thosrtanner

    And this is why I have noscript installed at home. Not at work, because I can't install stuff from external sites ...

    On the plus side, looks like I can re-enable javascript on all those pr0n websites I visit.

    1. Anonymous Coward

      Well if your IT guys are not installing NoScript by default I'd worry about their competence.

      1. Cederic Silver badge

        Yeah, his IT guys want multiple support calls every minute from anybody and everybody in the company frustrated that their web browsers don't work properly.

        They want the overhead of maintaining a whitelist for each browser, and keeping it updated with every software installation, external service sign-up and new plug-in required, plus pre-emptively identifying when external services have updated their own site.

        Above all, I completely agree that they want to demonstrate competence at fully securing a system, even though it'll get them accused of incompetence for failing to provide a working one.

        1. Anonymous Coward

          > his IT guys want multiple support calls every minute from anybody and everybody

          If that is the level of digital literacy at your company then you have even bigger problems than IT incompetence.

          Thankfully there are solutions. The French got it right on this one:

          https://pix.fr/

          I'm sorry but nearly half a century after the invention of the personal computer, there is no excuse for such a poor level of literacy.

          It started OK in the 80s when kids learnt the basics of computer architecture and were taught programming. Nowadays they receive instruction on how to use Facebook and how to shop on Amazon.

          1. Anonymous Coward

            Incidentally, my partially French company use Pix as part of the hiring process (as well as continuous learning).

            You'd be amazed at the number of people applying for software development positions who fail miserably at those tests. :(

            Anecdotally, finance types and other spreadsheet botherers seem to perform the best. Perhaps stereotypes are not so accurate, after all?

          2. Alan Brown Silver badge

            Um yeah, sorry

            I know a couple of people with a string of such "digital qualifications" under their belts and they're the most troublesome and prolific helpdesk "resource consumers"

            1. Anonymous Coward

              > I know a couple of people with a string of such "digital qualifications" under their belts

              That could mean two things: either their "digital qualifications" as you call them are tosh, or the IT standards at their organisations leave something to be desired. :)

      2. Ian Johnston Silver badge

        We're not all pants-on-the-head, pencils-up-the-nose paranoid about some bizarre notion of privacy. I don't myself give a toss what companies scrape from my web use, and I am willing to bet that goes for 99+% of people. For everyone else, there's Lynx.

  3. Anonymous Coward

    > I raised a case with the ICO

    That was your biggest mistake. The ICO consistently take the side of the corporates; after all, consumers are supposed to consume, not complain.

    One way to get them to backtrack is to appeal their decisions but it takes energy and time (and they know this).

  4. b0llchit Silver badge
    Mushroom

    ...inadvertently grabbed passwords...

    What a load of crap! These tracking pimps do not take stuff "inadvertently". This is done because of gross negligence or premeditation. Both are enough reason to put them up against the wall and make sure they never ever get access to the internet again.

    Reversal of burden of proof in these cases would be one change in the GDPR making life a lot easier. These firms caught in this crap should not be allowed to hide behind the "oh, we're so sorry" bullshit mantle.

  5. An_Old_Dog Silver badge
    Big Brother

    Busted

    "Inadvertent password grabbing" -- I'll chortle over that one for at least a week.

    "Honest, guv'nor, we had no idea we was doin' that!"

    1. Anonymous Coward

      Re: Busted

      The way I understand it, that would mean the client did not request and had no idea the contractor they used to build their website was doing that.

      I can see how that might happen.

      1. An_Old_Dog Silver badge

        The Client "Didn't Know"

        Client (holding fingers in their ears): "La-la-la-la-la!"

        Valerie: "Humperdinck, Humperdinck, Humperdinck!"

      2. martinusher Silver badge

        Re: Busted

        The Client is as much raw meat as the people using their site. The people writing the site for them.....that's a different matter.

        I really liked Web 1.0. It worked and it was impossible to grab information from people unless they gave it to you. Sure, the web pages were a little boring but then I can read so I don't really need to have stuff flying around all over the place.

        1. David 132 Silver badge
          Happy

          Re: Busted

          > I really liked Web 1.0

          <blink>Me too!</blink>

          (This comment best viewed using NETSCAPE NAVIGATOR at 800x600 resolution! Under Construction! Check back soon!!)

          1. MrReynolds2U
            Thumb Up

            Re: Busted

            A doubleplusgood response.

            Ah the memories of UC pages everywhere you looked.

    2. Mike 137 Silver badge

      Re: Busted

      "Honest, guv'nor, we had no idea we was doin' that!"

      Sometimes that may actually be true. In my experience, most businesses (particularly those that outsource their online development) never look at the code that's delivered, or even ask what it does in detail. They just accept it and run it. There are quite probably many cases where the devs include questionable functionality out of habit or because 'it might be useful' and they know nothing about the legislation.

      However that, in theory at least, doesn't absolve the organisation deploying the code from responsibility for the resulting intrusion into privacy.

    3. Trigonoceps occipitalis

      Re: Busted

      It seems those "engineers" who worked for Google have another gig.

    4. sniperpaddy

      Re: Busted

      but, but... it was only "password-grabbing" in a limited and specific manner.

  6. fitzpat

    I want to know the 41 domains not on block lists.

    The paper doesn't out them

    1. Anonymous Coward

      only 41 (why not 42...)?

      for FecalBarf?

      The blocklist (downloadable from several sources) I'm currently using has over 800 domains/IP addresses associated with Zuckfart.

      Yes, I detest FB and the rest of the antisocial media crowd.

      It is a constant war of attrition. If this keeps going, Fartpaper and the rest will soon own most of the internet. Sooner or later these empires will crash and burn just like Rome. May it be soon... very soon.

      don't worry Cleggy... I'm not on your platform nor any of the others so you can't ban me.

    2. Wade Burchette

      The paper does out some domains in it on page 7. (https://www.usenix.org/system/files/sec22fall_senol.pdf) I am going to use that list to make sure all of them are on my NoScript block list.

  7. DS999 Silver badge

    Is this really a problem?

    How often does one fill out a form then decide not to click "submit"?

    I mean, sure, it is sleazy and possibly even illegal depending on where you live, but I already assumed they were doing this and I'll be shocked if there is even one Reg reader who is surprised by this.

    It provides an opportunity to mess with them though, you can go to web sites and fill in a false email address like say that of your local legislator, police office or what have you...and no one can blame you for what happens after because you never clicked submit!

    1. wolfetone Silver badge

      Re: Is this really a problem?

      It's a problem depending on what you're doing.

      SurfShark, for example, require an email to start the process of signing up to their services. I was looking for a VPN provider for multiple machines and was going through the process, but I only got as far as putting in an email.

      Not even a few hours later I get a load of emails from them about completing the order.

      Now if the website is demanding an email right at the first part of the process, and not allowing you to continue to see the plans etc, that then becomes a problem as all I've really consented to was to view the packages they provide. I've not consented to being harassed by them asking me to carry on the order.

      1. DS999 Silver badge

        Re: Is this really a problem?

        Does that signup require a real email address though? You can probably put in whatever you want, it is on you if you give them the real thing.

        If I need to provide an actual email for something I don't want to maintain a relationship with (for example some site that requires you create an account for the one time I'll ever need to access their support materials) I use my good old spam catcher @hotmail.com email for stuff like that. If they send a link to verify that email I'll do what I have to do 3 or 4 times a year and sign in to that account to click on the verification link. If they send spam it all goes to filling up some Microsoft hard drive. Win win!

        1. fidodogbreath

          Re: [verb]@[noun].[tld]

          You can probably put in whatever you want

          Indeed. I frequently use this to tell the site what I think about requiring an email in exchange for basic info.

          If you make up an email address for a COmpany in the Cook Islands (.ck), you can substitute a preposition for the noun.

          1. An_Old_Dog Silver badge

            Dynamic Email Address Validation

            I've seen sites which did email address validation on-the-spot, and their list of "invalid" email addresses included mailinator.com (and its aliases)-type sites, and some free email services (techemail.com, gmx.com, etc.).

          2. Anonymous Coward

            Re: [verb]@[noun].[tld]

            "If you make up an email address for a COmpany in the Cook Islands (.ck), you can substitute a preposition for the noun."

            The only preposition I can think of that makes a word when "ck" is added to it is "to". Are you sure that's what you meant?

            1. fidodogbreath

              Re: [verb]@[dependent-possessive-pronoun].[tld]

              Sorry, you're right; in this context, "my" is serving as a dependent possessive pronoun.

        2. Alan Brown Silver badge

          Re: Is this really a problem?

          twelve@monkeys.com is a way to ensure such companies get added to at least one rather nasty blacklist

          ....or so I've heard

      2. Joy31

        Re: Is this really a problem?

        Luckily, I finally chose a VPN called PandaVPN that doesn't require my email address for the sign-up and purchase...

    2. Fazal Majid

      Autocomplete

      Will “helpfully” fill in many fields like email.

      Good thing I use a separate email for each website (Apple’s email privacy feature before its time).

      1. Flocke Kroes Silver badge

        Re: Autocomplete

        If you are not careful, autocomplete will also send your name, address and phone number. So far I have not seen credit card number, expiry date and CVC in auto complete, but I am sure that is only one developer's typo away from happening.

        It is tempting to enable javascript, go to the John Lewis website, enter my MP's email address and half complete an order.

        1. wolfetone Silver badge

          Re: Autocomplete

          "If you are not careful, autocomplete will also send your name, address and phone number. So far I have not seen credit card number, expiry date and CVC in auto complete, but I am sure that is only one developer's typo away from happening."

          I'm not that familiar with auto complete as I like the misery of typing in all of my details every single time, but I'm fairly sure on my wife's iPhone her credit card details are part of some sort of auto complete? So it could well happen, but I don't know enough first hand about the facility.

        2. Doctor Syntax Silver badge

          Re: Autocomplete

          I'm sure a little research would find a few other email addresses that you could inadvertently enter in error and have to change, such as John Lewis's CEO's.

        3. Anonymous Coward

          Re: Autocomplete

          Or even: dataprotectionfee@ico.org.uk

        4. Alan Brown Silver badge

          Re: Autocomplete

          Even better, the email address of a few people at the ICO's office?

        5. Cuddles

          Re: Autocomplete

          "So far I have not seen credit card number, expiry date and CVC in auto complete, but I am sure that is only one developer's typo away from happening."

          Firefox autofills credit card details by default.

      2. DS999 Silver badge

        Re: Autocomplete

        Isn't that a browser function and not a website function? Your privacy worry is with your browser's vendor (i.e. Google if you use Chrome) not the website.

        With Firefox I have to type the first letter in a field to see the autocomplete options presented, it doesn't prefill anything but I don't use Chrome (and don't know if I've changed the settings on Firefox) so maybe it is actually the filling the fields in a way the website can see. If so mark that down as reason #563 to never use Chrome!

        1. Flocke Kroes Silver badge

          Re: Autocomplete

          I met autocomplete with Brave, which is a descendant of Chromium. The first thing I did when I saw it happen was to grep for my address in Brave's files, then disable autocomplete and finally grep again to make sure my address had gone. I strongly recommend doing something similar with Firefox. The only way to be certain that the browser does not leak personal information is if you have checked to make sure that information is not stored.

        2. tezboyes

          Re: Autocomplete

          Yes a browser function, but a website issue ...

          With a potential for any of those data items to be asked for, stored and disseminated without you knowing. That latter being the real problem.

          There was some hoohah about it recently, but also a few years ago - which is when I first noticed, turned auto off and installed one of the password (and other credential) managers that does require human input.

    3. jdiebdhidbsusbvwbsidnsoskebid Silver badge

      Re: Is this really a problem?

      I'm sure I can remember a story from a few years ago that revealed Facebook was extracting and analysing your posts even before you submit them. So if you were editing a post before publishing, or if you decided not to post after all, it didn't matter, Facebook still had it and added it to their analytics.

      I'm not surprised at all that this is happening, I presume that at least some websites track every key stroke and mouse movement you make whilst there. I don't know how that might be done, just assume it is.

    4. Sorry that handle is already taken. Silver badge

      Re: Is this really a problem?

      I do it regularly, usually to find out how much shipping will cost if a retailer has for some reason decided not to make that information available up front.

      But then I don't do it with my own details, you just need to fill the forms with enough vague bullshit to get an answer.

    5. An_Old_Dog Silver badge

      Re: Is this really a problem?

      "How often does one fill out a form then decide not to click 'submit'?"

      "Dark Pattern #514": when the form is structured as a series of pages which present unacceptable-to-you info-demands and/or T&Cs a few pages in. By that time, you've already filled-in some info, which they've already grabbed.

      Also: how many websites have you been to where the weblinks at the bottom of the page to "Our Privacy Policy" and "Terms and Conditions" go nowhere useful, i.e., to the company's "Under Construction" page?

  8. Mr Dogshit

    Facebook involved

    NO! Surely not?

  9. Kane
  10. js6898

    well you could mark any emails received this way from eg John Lewis as spam - if enough people did it maybe the spam filters would start taking their emails out...

  11. Loyal Commenter Silver badge

    Advertisers are Scum Shocker

    Film at 11.

  12. imanidiot Silver badge
    Paris Hilton

    It's almost as if...

    It's like porn is one of the few industries that actually cares about the privacy of its customers. And the only one that seems to make AND KEEP promises in that regard.

    --> I'm sure she's got thoughts on porn and privacy -->

  13. Skwn

    And I thought I was getting old

    Recently I was filling out a form and by mistake momentarily filled in a work email, and I corrected it to my personal one before submitting and paying for the order. The order was a digital delivery and got stuck, apparently because, to the seller, the payment email and the order email. But I was sure that I put the right personal email on both. Then it hit me that the work email may have been submitted via async calls on the input text losing focus, and then I thought maybe I am just getting old and nothing else .... No, this is a whole new threat for online purchase security. Not bad having a dedicated card with a small maximum amount to mitigate the risk.

  14. Pomgolian

    Unique emails

    This sort of grotty tactic is one of the reasons I use a different email on every site. It's easy to both know which idiots misuse it and also to block them when they do.

    1. Kevin Johnston

      Re: Unique emails

      Quite agree, it is one of the reasons I have continued to host my own mail rather than relying on my ISP-provided solution or something like Hotmail/Yahoo/Outlook.com. It allows me complete control over the mail and freedom in which email addresses to put in, with as much detail as needed to track who is selling on my accounts (or possibly being scraped by ne'er-do-wells).

      1. jdiebdhidbsusbvwbsidnsoskebid Silver badge

        Re: Unique emails

        Google mail allows you to do that as well. If your email address is anoncoward@gmail.com, you can use anoncoward.anytextyoulikehere@gmail.com and it will come through to your anoncoward inbox, but still with the anytextyoulikehere in it so you can track it.

        1. Alan Brown Silver badge

          Re: Unique emails

          The scummier pricks are well aware of this "feature" and wash accordingly

        2. chas49

          Re: Unique emails

          Not sure you have that quite right. Gmail ignores any dot in the first part of your Gmail address, so madeup.example@gmail.com is the same as madeupexample@gmail.com so you could play with the position of the dot to identify some misuse perhaps. The alias feature is putting a + sign followed by any text you like - madeupexample+dontspamme@gmail.com gives you more options to play with.

          Both ways of doing it can be ignored / circumvented by less scrupulous spammers.

          1. tezboyes

            Re: Unique emails

            Also assuming address harvesting code that is well written. I still receive spam to "addresses" that are in fact message-ids.

            Some of which date back to the 1990s (I set up sendmail to generate IDs using yyyymmdd.hhmmss.random@mydomain back then).

          2. jdiebdhidbsusbvwbsidnsoskebid Silver badge

            Re: Unique emails

            Yes, that's it, you're right. It's a + sign not a dot. My mistake.

    2. Displacement Activity

      Re: Unique emails

      Agree. I've been using plussed addresses for 20-odd years now. It's a sendmail feature, but I think it's common: start with a prefix of some sort, add a '+' and some text (normally the vendor's name), and set up sendmail for the prefix only. If the vendor turns out to be an ***hole you block the combo. For some years, though, I was plagued by second-rate coders assuming that '+' wasn't a valid character in a mail address and rejecting the address as invalid.

      Doesn't stop anyone harvesting your name and address, though. But, of course, I'm sure we always lie about those unless we need a real delivery.
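The dot and plus rules chas49 and Displacement Activity describe, as an added example that is not code from the thread: one function canonicalises an address the way Gmail routes it (which is also the "wash" a list cleaner applies), one mints a per-vendor plussed alias, and one works out which vendor an incoming message's recipient address was handed to. Gmail's dot-insensitivity and "+tag" handling are from the thread; treating googlemail.com the same way, and the sample registry, are assumptions.

```javascript
// Added example, not from the thread: Gmail-style address canonicalisation
// and alias attribution. googlemail.com being dot-insensitive is assumed.

const DOT_INSENSITIVE_DOMAINS = new Set(['gmail.com', 'googlemail.com']);

function splitAddress(addr) {
  const at = addr.lastIndexOf('@');
  if (at < 1 || at === addr.length - 1) throw new Error(`not an address: ${addr}`);
  return { local: addr.slice(0, at), domain: addr.slice(at + 1).toLowerCase() };
}

// The mailbox the provider actually delivers to, plus any "+tag" found.
// This is exactly the "wash" a spammer applies to defeat the trick: after
// it, both the tag and the dot pattern are gone.
function canonicalize(addr, dotInsensitive = DOT_INSENSITIVE_DOMAINS) {
  let { local, domain } = splitAddress(addr);
  let tag = null;
  const plus = local.indexOf('+');
  if (plus >= 0) {
    tag = local.slice(plus + 1);
    local = local.slice(0, plus);
  }
  if (dotInsensitive.has(domain)) local = local.replace(/\./g, '');
  return { mailbox: `${local.toLowerCase()}@${domain}`, tag };
}

// Per-vendor alias: base mailbox plus a "+vendor" tag. Works for any domain
// whose MTA is set up for plus addressing, as with the sendmail setup above.
function taggedAlias(base, vendor) {
  const { local, domain } = splitAddress(base);
  if (local.includes('+')) throw new Error('base address already carries a tag');
  const safe = vendor.toLowerCase().replace(/[^a-z0-9._-]/g, '');
  return `${local}+${safe}@${domain}`;
}

// Given the address a message was delivered to and a registry of
// alias -> vendor handed out earlier, name the vendor that leaked it.
// Exact alias match first (this also catches dot-pattern aliases), then a
// canonical match, which means the address came back "washed".
function attribute(deliveredTo, registry) {
  const wanted = deliveredTo.toLowerCase();
  for (const [alias, vendor] of registry) {
    if (alias.toLowerCase() === wanted) return { vendor, washed: false };
  }
  const canon = canonicalize(deliveredTo).mailbox;
  for (const [alias] of registry) {
    if (canonicalize(alias).mailbox === canon) return { vendor: null, washed: true };
  }
  return null;
}

// Constructed sample registry for the demo (not real data).
function sampleRegistry() {
  return new Map([
    [taggedAlias('madeupexample@gmail.com', 'Shop Ltd'), 'Shop Ltd'],
    ['made.up.example@gmail.com', 'Newsletter'], // dot-pattern alias
    [taggedAlias('first.last@example.org', 'forum'), 'forum'],
  ]);
}
```

A washed address still resolves to your mailbox, so `attribute()` can tell you the alias was stripped even though it can no longer say by whom; that is the limit both commenters point out.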

  15. Sil

    Best protection

    Short of disabling JavaScript, which will probably cause havoc with many sites, what's the best way to neutralize these session scripts?

    1. Anonymous Coward
      Anonymous Coward

      Re: Best protection

It depends. If you're an RAF fighter/bomber pilot you could fix it damn quickly. As it stands, fighting NoScript to get some sites to actually function is a royal pain. At least most sites don't actually use indexes where the ad networks provide part of the key and therefore the site won't actually work without them.
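One answer to Sil's question that does not involve switching JavaScript off, as an added example that is not code from the article, the paper or any commenter: hook `addEventListener` so that any script attaching an input/blur/keyup listener to an email or password field gets logged (with the stack that names the registering script) and can optionally be refused. In a browser this would run before page scripts, as a userscript at document-start or an extension content script; here Node's global `EventTarget` stands in for DOM inputs so the whole thing runs offline. The `FakeInput` stand-in, the minimal harvester and the field values are all constructed for the demo.

```javascript
// Added example, not from the article or the thread: audit and optionally
// block listeners on sensitive form fields. Browser deployment (run before
// page scripts) is assumed; FakeInput is a constructed stand-in for <input>.

const SENSITIVE_TYPES = new Set(['email', 'password', 'tel']);
const HARVEST_EVENTS = new Set(['input', 'change', 'keyup', 'keydown', 'blur', 'focusout']);

function isSensitiveField(target) {
  return !!target && typeof target === 'object' && SENSITIVE_TYPES.has(target.type);
}

// Patches EventTarget.prototype.addEventListener. `block(entry)` decides
// whether the listener is dropped; the default only logs.
function installFormListenerAudit({ block = () => false } = {}) {
  const proto = EventTarget.prototype;
  const original = proto.addEventListener;
  const log = [];

  proto.addEventListener = function (eventName, handler, options) {
    if (isSensitiveField(this) && HARVEST_EVENTS.has(eventName)) {
      // The stack names the registering script (a URL in a browser, a file
      // path under Node); that is how you attribute the hook to a third party.
      const caller = (new Error().stack || '').split('\n').slice(2).join('\n');
      const entry = { field: this.name || this.type, type: this.type, event: eventName, caller };
      log.push(entry);
      if (block(entry)) return; // never attached: the harvester sees nothing
    }
    return original.call(this, eventName, handler, options);
  };

  return { log, uninstall() { proto.addEventListener = original; } };
}

// Stand-in for <input> so the example runs outside a browser. Assumption:
// a real input fires 'input' while typing and 'blur' when focus leaves it.
class FakeInput extends EventTarget {
  constructor(name, type) { super(); this.name = name; this.type = type; this.value = ''; }
  typeValue(v) {
    this.value = v;
    this.dispatchEvent(new Event('input'));
    this.dispatchEvent(new Event('blur'));
  }
}

// The behaviour the article describes, reduced to its essence: read the
// field on blur, before any submit. Constructed for the demo.
function attachHarvester(field, sink) {
  field.addEventListener('blur', () => sink.push({ name: field.name, value: field.value }));
}

// Runs a three-field form through the harvester with the audit installed and
// reports which fields were logged and which values reached the sink.
function demo({ blockSensitive = false } = {}) {
  const audit = installFormListenerAudit({ block: () => blockSensitive });
  const fields = [
    new FakeInput('email', 'email'),
    new FakeInput('password', 'password'),
    new FakeInput('comment', 'text'),
  ];
  const exfiltrated = [];
  try {
    for (const f of fields) attachHarvester(f, exfiltrated);
    fields[0].typeValue('madeupexample+shop@gmail.com'); // constructed values
    fields[1].typeValue('not-a-real-password');
    fields[2].typeValue('hello');
  } finally {
    audit.uninstall();
  }
  return {
    audited: audit.log.map(e => `${e.field}:${e.event}`),
    exfiltrated: exfiltrated.map(e => e.name),
  };
}
```

Blocking every listener on email and password fields would also break the site's own client-side validation, so in practice `block` should key on the `caller` entry (refuse when the registering script's origin is not the page's) and the log is what tells you which third party to add to your blocker.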

  16. VoiceOfTruth

    inadvertently grabbing

    -> Some of these firms are said to have also inadvertently grabbed passwords from these forms.

    Sorry officer. I inadvertently grabbed the woman on her buttocks. How does one 'inadvertently' grab a password? I think they mean they slurped everything.

  17. yetanotheraoc Silver badge

    responses from the first-parties

    "The boffins created their own software to measure email and password data gathering from web forms"

    That's outrageous! Our TOS specifically prohibits analyzing our website without authorization. You will be hearing from our lawyers concerning the Computer Misuse Act. (Aside: Get the lobbyist on the phone ASAP.)

  18. Danny 2

Thank god for porn websites

    Our one moral compass, our spiritual North Star, in these dark days.

    I'll never visit a Fashion/Beauty website again, and as a result the world will be a little less beautiful and central Scotland a little less fashionable.

Seriously though, the obvious reason porn websites don't do this is it would destroy their business model. We should make that the case for the morally corrupt websites too.

    [I often say 'pun unavoidable' when in truth I sometimes could've avoided it. 12 excellent puns were avoided in this post, you can guess. Spare me this anecdote: I sent a tracklist of old sex songs to an artist I knew entitled, "NSFW". She replied, "I work in a sex shop."]

  19. Anonymous Coward
    Anonymous Coward

Can websites read the Firefox email address suggestions too?

    I assume not.

To explain more easily: if I click on a form then Firefox provides a dropdown list of emails I have entered into forms before and allows me to click one to prefill that input box. I am guessing the website does not get to see all the email options, but only the one if I choose to click on it.

  20. Sorry that handle is already taken. Silver badge

    Funny that

    As a subscriber to the theory of "if it's possible and it benefits them, they will do it", I've always assumed that this kind of thing has been going on for as long as web pages have been dynamic anyway. It's nice for my "paranoia" to be vindicated.

    Disclaimer: I'm not pretending to be clever, just careful.

  21. EricB123 Silver badge

The real heroes

This makes me think back to the Bonnie and Clyde era.

    The real heroes are the freakin' bank robbers!

  22. Cuddles

    Not surprising

    ""A somehow surprising result was the following: despite filling email fields on hundreds of websites categorized as Pornography, we have not a single email leak," the researchers say, noting that previous studies of adult-oriented websites have relatively fewer third-party trackers than similarly popular general interest websites."

Why do so many people always seem to be surprised by this? Porn has always been at the forefront of both technology and privacy. They have a very strong interest in not leaking anything about their customers to anyone, and are mostly run by large corporations that are perfectly capable of running a competent IT setup. If you're worried about online security, it's always been the small, amateur players you need to worry about - you may think your local church group is morally superior to a porn company, but their website will be an absolute disaster area in comparison.

  23. JBowler

    What about form autofill?

I don't use autofill from any of the browsers, but I do have autofill turned on in Dashlane for many web sites. So the web site gets my email and, for that matter, password; then I have to press "I Submit" to log in. I haven't actually done anything for that particular login until that point...

  24. hayzoos

    I wonder how many forms visited by Little Bobby Tables have caused havoc. Maybe he should visit more sites and try out their forms.

    1. sten2012

Was wondering this too, if you don't submit the form or consent to its submission - did any computer misuse occur?

  25. Mmm interesting

    Useful that erase data feature. I have taken advantage of many initial registration only deals using this technique
