This is another one of those papers that make your blood boil: through an experimental setup, the researchers found an astonishing amount of websites leaking email addresses entered by users to third party trackers …often even in cases where the user decides to not submit the form after all.
Email addresses—or identifiers derived from them—are known to be used by data brokers and advertisers for cross-site, cross-platform, and persistent identification of potentially unsuspecting individuals. In order to find out whether access to online forms are misused by online trackers, we present a measurement of email and password collection that occur before form submission on the top 100K websites.
The paper also discusses the legal aspects regarding GDPR, with their empirical data indicating that US users are a lot more likely to be tracked in this way. Ethical conduct on the web unfortunately remains a compliance issue for many, rather than thinking of the human beings using their services.
The browser extension featured on the page sounds like a neat tool for privacy audits as well (I haven't yet tested it myself):
We developed LeakInspector to help publishers and end-users to audit third parties that harvest personal information from online forms without their knowledge or consent.
The unethical (and no doubt mostly illegal) extraction of data from unsubmitted forms has been subject of earlier discussion:
It is hard to believe there are human beings out there who believe that this kind of conduct is appropriate:
You might fill in the contact form, but then have second thoughts. Do you really want to tell this company how much you’re worth or how in debt you are? You change your mind and close the page before clicking the Submit button and agreeing to Quicken’s privacy policy.
But it’s too late. Your email address and phone number have already been sent to a server at “murdoog.com,” which is owned by NaviStone, a company that advertises its ability to unmask anonymous website visitors and figure out their home addresses. NaviStone’s code on Quicken’s site invisibly grabbed each piece of your information as you filled it out, before you could hit the “Submit” button.