Ad-tech firms grab email addresses from forms before they're even submitted Tracking, marketing, and analytics firms have been exfiltrating the email addresses of internet users from web forms prior to submission and without user consent, according to security researchers. Some of these firms are said to have also inadvertently grabbed passwords from these forms. In a research paper scheduled to …
I started an order with John Lewis and got as far as filling in my details on the order form before the process crashed due to my blockers and for one reason or another I never completed the order. John Lewis started sending me marketing emails shortly after that. I complained and they pointed to the incomplete order being a "relationship" under GDPR rules that permitted them to send me stuff. I raised a case with the ICO and they confirmed that by completing the form, even though I'd not submitted it or given informed consent, that this constituted enough of a relationship under the GDPR regs for John Lewis to send me marketing mail as long as there was a clear way to unsubscribe.
I really don't understand the ICO's position there. As you say, you didn't provide informed consent, and claiming a relationship because you happened to use their website really does not sound like the law being interpreted as intended - otherwise all tracking would become legal.
You're now making me regret buying two 'white goods' appliances from them in the last six weeks :(
-> I really don't understand the ICO's position there.
You indeed do not understand. The ICO is a pretend-we-care-about-the-consumer thing from the government. Look how they 'fine' cold marketing callers 0.0001 pence per call. In general, the government hates the consumer and loves the businessman.
" even though I'd not submitted it or given informed consent even though I'd not submitted it or given informed consent"
Recital 44 states "Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract" and Article 6(1)(b) states "(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract"
Unfortunately, as reported, the ICO seems in this case to have interpreted the filling in of the unsubmitted form as constituting a 'request' associated with an intent to enter into a contract.
That's pretty far fetched as, in normal interpretation, hitting the submit button would be considered as making the 'request', but since the GDPR came into force the ICO appears to have consistently tried to avoid getting involved in low key individual cases, concentrating instead in high profile large scale breaches of trust and data leakages. Consequently, it is possible that decisions in such individual cases might sometimes be subject to liberal interpretation of the law.
I have myself been informed by an ICO case officer that it is lawful for an organisation not to disclose all processing conducted on the basis of legitimate interest, but when I challenged that I was told that it was only 'an opinion' and I was entitled to pursue the matter in court at my own expense. That 'opinion' of course specifically contravenes the Regulation, as it denies data subjects their statutory right to object to specific processing on that basis by allowing it to be concealed from the data subject. However, as the regulator, the ICO is the arbiter, so there's nowhere affordable to go to challenge it.
So much for the reality of data protection. This sort of decision clearly encourages the 'box ticking' pseudo compliance which HMG are now seeking to 'eliminate' (i.e. bury under a cloud of vague "results oriented" directives). It has even been recommended that the Article 30 requirement to maintain records of processing should be eliminated as too burdensome, despite such records being the sole evidential reference point for ensuring that procesing remains lawful. I suspect we're doomed.
"That 'opinion' of course specifically contravenes the Regulation, as it denies data subjects their statutory right to object to specific processing on that basis by allowing it to be concealed from the data subject. "
The action in that case outght to be against the ICO for thwarting the will of Parliament
Well, obviously "taking back control" meant giving the tories the power to dispense with any rules that stop them from: Giving billions of pounds of public money to their mates, cracking down on any form of opposition to their power, and screwing over the general public for the benefit of their corporate sponsors.
As one AC put it: The consumer is meant to consume, not complain.
"Tracking, marketing, and analytics firms have been exfiltrating the email addresses of internet users from web forms prior to submission and without user consent, according to security researchers."
I would bet every form that starts telling you that your email address isn't valid from the first letter until you complete typing it in has uploaded everything before you hit submit. The submit button is only there to confirm you really intended to submit.
"as long as there was a clear way to unsubscribe."
Presumably the first step would be to complete the form and submit it, in order to create and access your account with the unsubscribe button.
This kind of shit happens a lot, there are many sites I simply will not open up enough blockers to do business with, I just go to a competitor. They never seem to grok that it is their loss not mine.
"Presumably the first step would be to complete the form and submit it, in order to create and access your account with the unsubscribe button"
Exactly what is expected in several actual cases I've examined. And sadly, because of the specific wording of the legislation (in English at any rate) that would appear to be strictly lawful, even if unreasonable in principle.
Indeed in one case an organisation that acted as a processor for others but nevertheless retained for its own internal use profiles of data subjects contracting via it with those others, informed me that my sole recourse to avoid said profiling was to issue an Article 17 Right to Erasure request after every transaction. As such transactions were forced on me by the third parties with which | wished to do business choosing to make use of this processor, that seemed to me quite unreasonable, but the ICO didn't event blink at it as there was a statutory right and I was free to exercise it. Letter of the law yet again.
I tend to shitcan the domain into my spam folder (yes i use a popular advertsiser's webmail feature, i'm aware of the issues but have done a risk assessment ;) ). That way the AI learns that domain is a spammer. The more people who do this, the less effective their marketing emails will be. Hit the buggers in the wallet
Sometimes it's the principle that matters.
In February I encountered a system failure that prevent my car parking payment being processed.
I wrote to the car park operator, letting them know.
They sent me a PCN, I told them off, they told me to appeal, I appealed, they rejected my appeal but did offer me a reduction from £100 to the £15 fee plus a £5 admin charge. So I wrote back and they changed it to £0 parking fee and £20 admin charge.
So I took the case to Popla, and midway through that process the car park operator tried to charge me £100 again and threatened a 'debt recovery fee'.
Which means that although Popla have now ruled in my favour I'm going to keep going, and pursue these cowboys. Because it's the principle that matters.
My total outlay thus far: minus fifteen pounds, as I never did pay for parking. Sure, there's some of my time involved, but everybody needs a hobby.
A bit of an old thread but I thought worth adding this to it.
I encountered a problem with the RBS Mobile Banking App (Android). If I try to go to the "Manage my cards" section it DEMANDS I select one of the Google accounts on my phone. Something which you can't get past to get at the card management functions.
The brain dead morons who wrote the app bundled the Google Pay bits in with card management and ASSUMNED that anyone going into that part of the app MUST be wanting to setup/use Google Pay.
WRONG! VERY VERY WRONG!!!
I raised this as an official complaint with RBS and the official reply was "We've followed our complaints process and happen to disagree that this is a problem - fuck off".
So this is now a complaint against RBS directly with the FSA on the grounds that they demanding I supply them with data they do not need and have no right to before they will allow me access to the card management functions in the app despite them having nothing to do with Google Pay. Plus they have handled it in a really poxy way.
Oh I also complained about them ramming charity begging messages down my throat AFTER I had logged into the app WITHOUT my consent.
Yeah, his IT guys want multiple support calls every minute from anybody and everybody in the company frustrated that their web browsers don't work properly.
They want the overhead of maintaining a whitelist for each browser, and keeping it updated with every software installation, external service sign-up and new plug-in required, plus pre-emptively identifying when external services have updated their own site.
Above all, I completely agree that they want to demonstrate competence at fully securing a system, even though it'll get them accused of incompetence for failing to provide a working one.
> his IT guys want multiple support calls every minute from anybody and everybody
If that is the level of digital literacy at your company then you have even bigger problems than IT incompetence.
Thankfully there are solutions. The French got it right on this one:
I'm sorry but nearly half a century after the invention of the personal computer, there is no excuse for such a poor level of literacy.
It started OK in the 80s when kids learnt the basics of computer architecture and were taught programming. Nowadays they receive instruction on how to use Facebook and how to shop on Amazon.
Incidentally, my partially French company use Pix as part of the hiring process (as well as continuous learning).
You'd be amazed at the number of people applying for software development positions who fail miserably at those tests. :(
Anecdotally, finance types and other spreadsheet botherers seen to perform the best. Perhaps stereotypes are not so accurate, after all?
...inadvertently grabbed passwords...
What a load of crap! These tracking pimps do not take stuff "inadvertently". This is done because of gross negligence or premeditation. Both are enough reason to put them up against the wall and make sure they never ever get access to the internet again.
Reversal of burden of proof in these cases would be one change in the GDPR making life a lot easier. These firms caught in this crap should not be allowed to hide behind the "oh, we're so sorry" bullshit mantle.
The Client is as much raw meat as the people using their site. The people writing the site for them.....that's a different matter.
I really liked Web 1.0. It worked and it was impossible to grab information from people unless they gave it to you. Sure, the web pages were a little boring but then I can read so I don't really need to have stuff flying around all over the place.
"Honest, guv'nor, we had no idea we was doin' that!"
Sometimes that may actually be true. In my experience, most businesses (particularly those that outsource their online development) never look at the code that's delivered, or even ask what it does in detail. They just accept it and run it. There are quite probably many cases where the devs include questionable functionality out of habit or because 'it might be useful' and they know nothing about the legislation.
However that, in theory at least, doesn't absolve the organisation deploying the code from responsibility for the resulting intrusion into privacy.
for FecalBarf?
The blocklist (downloadable from several sources) I'm currently using has over 800 domains/IP addresses associated with Zuckfart.
Yes, I detest FB and the rest of the antisocial media crowd.
It is a constant war of attrition. If this keeps going, Fartpaper and the rest will soon own most of the internet. Sooner or later these empires will crash and burn just like Rome. May it be soon... very soon.
don't worry Cleggy... I'm not on your platform nor any of the others so you can't ban me.
The paper does out some domains in it on page 7. (https://www.usenix.org/system/files/sec22fall_senol.pdf) I am going to use that list to make sure all of them are on my NoScript block list.
How often does one fill out a form then decide not to click "submit"?
I mean, sure, it is sleazy and possibly even illegal depending on where you live, but I already assumed they were doing this and I'll be shocked if there is even one Reg reader who is surprised by this.
It provides an opportunity to mess with them though, you can go to web sites and fill in a false email address like say that of your local legislator, police office or what have you...and no one can blame you for what happens after because you never clicked submit!
It's a problem depending on what you're doing.
SurfShark, for example, require an email to start the process of signing up to their services. I was looking for a VPN provider for multiple machines and was going through the process, but I only got as far as putting in an email.
Not even a few hours later I get a load of emails from them about completing the order.
Now if the website is demanding an email right at the first part of the process, and not allowing you to continue to see the plans etc, that then becomes a problem as all I've really consented to was to view the packages they provide. I've not consented to being harassed by them asking me to carry on the order.
Does that signup require a real email address though? You can probably put in whatever you want, it is on you if you give them the real thing.
If I need to provide an actual email for something I don't want to maintain a relationship with (for example some site that requires you create an account for the one time I'll ever need to access their support materials) I use my good old spam catcher @hotmail.com email for stuff like that. If they send a link to verify that email I'll do what I have to do 3 or 4 times a year and sign in to that account to click on the verification link. If they send spam it all goes to filling up some Microsoft hard drive. Win win!
You can probably put in whatever you want
Indeed. I frequently use this to tell the site what I think about requiring an email in exchange for basic info.
If you make up an email address for a COmpany in the Cook Islands (.ck), you can substitute a preposition for the noun.
If you are not careful, autocomplete will also send your name, address and phone number. So far I have not seen credit card number, expiry date and CVC in auto complete, but I am sure that is only one developer's typo away from happening.
It is tempting to enable javascript, go to the John Lewis website, enter my MP's email address and half complete an order.
"If you are not careful, autocomplete will also send your name, address and phone number. So far I have not seen credit card number, expiry date and CVC in auto complete, but I am sure that is only one developer's typo away from happening."
I'm not that familiar with auto complete as I like the misery of typing in all of my details every single time, but I'm fairly sure on my wife's iPhone her credit card details are part of some sort of auto complete? So it could well happen, but I don't know enough first hand about the facility.
Isn't that a browser function and not a website function? Your privacy worry is with your browser's vendor (i.e. Google if you use Chrome) not the website.
With Firefox I have to type the first letter in a field to see the autocomplete options presented, it doesn't prefill anything but I don't use Chrome (and don't know if I've changed the settings on Firefox) so maybe it is actually the filling the fields in a way the website can see. If so mark that down as reason #563 to never use Chrome!
I met autocomplete with Brave which is a descendent of Chromium. The first thing I did when I saw it happen was to grep for my address in Brave's files, then disable autocomplete and finally grep again to make sure my address had gone. I strongly recommend doing something similar with Firefox. The only way to be certain that the browser does not leak personal information is if you have checked to make sure that information is not stored.
Yes a browser function, but a website issue ...
With a potential for any of those data items to be asked for, stored and disseminated without you knowing.That latter being the real problem.
There was some hoohah about it recently, but also a few years ago - which is when I first noticed, turned auto off and installed one of the password (and other credential) managers that does require human input.
I'm sure I can remember a story from a few years ago that revealed Facebook was extracting and analysing your posts even before you submit them. So if you were editing a post before publishing, or if you decided not to post after all, it didn't matter, Facebook still had it and added it to their analytics.
I'm not surprised at all that this is happening, I presume that at least some websites track every key stroke and mouse movement you make whilst there. I don't know how that might be done, just assume it is.
I do it regularly, usually to find out how much shipping will cost if a retailer has for some reason decided not to make that information available up front.
But then I don't do it with my own details, you just need to fill the forms with enough vague bullshit to get an answer.
"How often does one fill out a form then decide not to click 'submit'?"
"Dark Pattern #514": when the form is structured as a series of pages which present unacceptable-to-you info-demands and/or T&Cs a few pages in. By that time, you've already filled-in some info, which they've already grabbed.
Also: how many websites have you been to where the weblinks at the bottom of the page to "Our Privacy Policy" and "Terms and Conditions" go nowhere useful, i.e., to the company's "Under Construction" page?
Recently I was filling out a form and by mistake momentarily filled a work email and I corrected to my personal one before submitting and paying the order. The order was a digital delivery and got stuck apparently because tapparenty to the seller he payment email and the order email. But I was in sure that I put the right personal email on both. Then it hit to my mind the work email may have been submitted via async calls on input text loosing focus and then I thought may be I am just getting old and nothing else .... No this is a whole new threat for online purchases security. Not bad having a dedicated card with small maximum amount to mitigate the risk.
Quite agree, it is one of the reasons I have continued to host my own mail rather than relying on my ISP provided solution or something like Hotmail/Yahoo/Outlook.com It allows me complete control over the mail and freedom in which email addresses to put in as much detail as need to track who is selling on my accounts (or possibly being scraped by ne'er-do-wells)
Not sure you have that quite right. Gmail ignores any dot in the first part of your Gmail address, so madeup.example@gmail.com is the same as madeupexample@gmail.com so you could play with the position of the dot to identify some misuse perhaps. The alias feature is putting a + sign followed by any text you like - madeupexample+dontspamme@gmail.com gives you more options to play with.
Both ways of doing it can be ignored / circumvented by less scrupulous spammers.
Agree. I've been using plussed addresses for 20-odd years now. It's a sendmail feature, but I think it's common: start with a prefix of some sort, add a '+' and some text (normally the vendor's name), and set up sendmail for the prefix only. If the vendor turns out to be an ***hole you block the combo. For some years, though, I was plagued by second-rate coders assuming that '+' wasn't a valid character in a mail address and rejecting the address as invalid.
Doesn't stop anyone harvesting your name and address, though. But, of course, I'm sure we always lie about those unless we need a real delivery.
It depends. If you're an RAF fighter/bomber pilot you could fix it damn quickly. As it stands, fighting NoScript go get some sites to actually function is a royale pain. At least most sites don't actually use indexes where the add networks provide part of the key and therefore the site won't atually work without them.
"The boffins created their own software to measure email and password data gathering from web forms"
That's outrageous! Our TOS specifically prohibits analyzing our website without authorization. You will be hearing from our lawyers concerning the Computer Misuse Act. (Aside: Get the lobbyist on the phone ASAP.)
Our one moral compass, our spiritual North Star, in these dark days.
I'll never visit a Fashion/Beauty website again, and as a result the world will be a little less beautiful and central Scotland a little less fashionable.
Seriously though, the obvious reason porn websites don't do this is it would destroy their business model, We should make that the case for the morally corrupt websites too.
[I often say 'pun unavoidable' when in truth I sometimes could've avoided it. 12 excellent puns were avoided in this post, you can guess. Spare me this anecdote: I sent a tracklist of old sex songs to an artist I knew entitled, "NSFW". She replied, "I work in a sex shop."]
I assume not.
Too explain more easily, if I click on a form then firefox provides a dropdown list of emails I have entered into forms before and allows me to click one to prefill that input box. I am guessing the website does not get to see all the email options but only the one if I choose to click on it.
As a subscriber to the theory of "if it's possible and it benefits them, they will do it", I've always assumed that this kind of thing has been going on for as long as web pages have been dynamic anyway. It's nice for my "paranoia" to be vindicated.
Disclaimer: I'm not pretending to be clever, just careful.
""A somehow surprising result was the following: despite filling email fields on hundreds of websites categorized as Pornography, we have not a single email leak," the researchers say, noting that previous studies of adult-oriented websites have relatively fewer third-party trackers than similarly popular general interest websites."
Why do so many people always seem to be surprised by this? Porn has always been at the forefront of both technology and privacy. They have a very strong interest in not leaking anything about their customers to anyone, and are mostly run by large corporations that are perfectly capable of running a competent IT setup. If you're worried about online security, it's always been the small, amateur players you need to worry about - you make think your local church group is morally superior to a porn company, but their website will be an absolute disaster area in comparison.
I don't use autofill from any of the browsers, but I do have autofill turned on in Dashlane for many web sites. So the web site gets my email and, for that matter, password then I have to press "I Submit" to log in; I haven't actually done anything for that particular login until that point...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
