Bookmark: "Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission"

Sebastian Greger


This is another one of those papers that make your blood boil: through an experimental setup, the researchers found an astonishing number of websites leaking email addresses entered by users to third-party trackers, often even in cases where the user decides not to submit the form after all.

Email addresses—or identifiers derived from them—are known to be used by data brokers and advertisers for cross-site, cross-platform, and persistent identification of potentially unsuspecting individuals. In order to find out whether access to online forms is misused by online trackers, we present a measurement of email and password collection that occurs before form submission on the top 100K websites.

The paper also discusses the legal aspects regarding GDPR, with their empirical data indicating that US users are a lot more likely to be tracked in this way. For many, ethical conduct on the web unfortunately remains a compliance issue rather than a matter of thinking of the human beings using their services.

The browser extension featured on the page sounds like a neat tool for privacy audits as well (I haven’t yet tested it myself):

We developed LeakInspector to help publishers and end-users to audit third parties that harvest personal information from online forms without their knowledge or consent.

The unethical (and no doubt mostly illegal) extraction of data from unsubmitted forms has been the subject of earlier discussion:

I'm Sebastian, Sociologist and Interaction Designer. This journal is mostly about bringing together social science and design for inclusive, privacy-focused, and sustainable "human-first" digital strategies. I also tend to a "digital garden" with carefully curated resources.
