Email addresses and passwords are being collected from website logins and sent to trackers before consumers submit the data or give consent, according to a new research paper by several academics. Some of that data is apparently going to martech providers. Email addresses can be used to track consumer behavior both on- and off-line.
Of the 100,000 sites examined, email addresses were collected from 1,844 websites in the EU and 2,950 sites in the U.S., according to “Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission.”
U.S. vs. EU results. “Comparing results from the EU and the U.S. vantage points, we found that 60% more websites leaked users’ emails to trackers, when visited from the U.S. Measuring the effect of consent choices on the exfiltration, we found their effect to be minimal. Based on our findings, users should assume that the personal information they enter into web forms may be collected by trackers — even if the form is never submitted,” write researchers Asuman Senol (imec-COSIC, KU Leuven), Gunes Acar (Radboud University), Mathias Humbert (University of Lausanne) and Frederik Zuiderveen Borgesius (Radboud University).
The top third-party collectors of email addresses include martech firms Taboola, Bizible (part of Marketo), Glassboxdigital.io, rlcdn.com (AtData, formerly TowerData, formerly Rapleaf), Fullstory, Wunderkind, Awin and Zenaps.
Awin issued a statement in response to queries: “We’re currently investigating the behavior of this technology but can reassure users that the information is immediately hashed before it reaches us and is only collected to ensure proper attribution to the services they engage.”
None of the other companies have so far responded to requests for comment.
The paper, to be presented at USENIX Security’22 in August, reported, “Taboola said in certain cases they collect users’ email hashes before form submission for ad and content personalization; they keep email hashes for at most 13 months; and they do not share them with other third parties. Taboola also said they only collect email hashes after getting user consent; however, our findings and subsequent manual verification showed that was not always the case.”
While this activity is legal at a federal level in the U.S., it is banned in the EU under GDPR.
The worst offending categories include: Fashion/Beauty (11.1% EU; 19% U.S.); Online Shopping (9.4% EU; 15.1% U.S.); and General News (6.6% EU; 10.2% U.S.).
Why we care. With the end of cookies, it is inevitable that marketers will look for new sources of consumer data. Few are as useful as email addresses, which are unique and persistent and can be tracked across the web and in the real world via things like loyalty programs. However, taking them without consent is a blatant violation of law in the EU and privacy expectations in the U.S.
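A site owner can audit their own forms for the behavior described above by typing a test address, not submitting, and searching the captured outbound requests for that address in plaintext or hashed form. The following is an added example, not code from the paper or from any vendor named here; the hostnames, request fields and the set of encodings checked are constructed assumptions.

```python
import base64
import hashlib
from urllib.parse import unquote_plus

def email_forms(email):
    """Encodings in which a typed address may appear in a request (assumed set)."""
    raw = email.strip().lower().encode()
    return {
        "plaintext": raw.decode(),
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def is_first_party(host, site):
    return host == site or host.endswith("." + site)

def find_leaks(requests, email, site):
    """Return (host, encoding) for third-party requests sent before submit that carry the email."""
    forms = email_forms(email)
    leaks = []
    for req in requests:
        if req["after_submit"] or is_first_party(req["host"], site):
            continue
        text = req["url"] + " " + req["body"]
        text += " " + unquote_plus(text)  # also search the percent-decoded copy
        lowered = text.lower()
        for label, value in forms.items():
            # base64 is case-sensitive; hex digests and the address itself are not
            if (value in text) if label == "base64" else (value in lowered):
                leaks.append((req["host"], label))
                break
    return leaks

# Constructed capture: requests seen after typing EMAIL into a form on shop.example
EMAIL = "jane.doe@example.com"
DIGEST = hashlib.sha256(EMAIL.encode()).hexdigest()
SAMPLE = [
    {"host": "www.shop.example", "url": "https://www.shop.example/validate", "body": "email=jane.doe%40example.com", "after_submit": False},
    {"host": "t.tracker-a.example", "url": "https://t.tracker-a.example/c?e=" + DIGEST, "body": "", "after_submit": False},
    {"host": "r.tracker-b.example", "url": "https://r.tracker-b.example/replay", "body": '{"value":"jane.doe%40example.com"}', "after_submit": False},
    {"host": "cdn.tracker-c.example", "url": "https://cdn.tracker-c.example/lib.js", "body": "", "after_submit": False},
    {"host": "t.tracker-a.example", "url": "https://t.tracker-a.example/c?e=jane.doe@example.com", "body": "", "after_submit": True},
]

if __name__ == "__main__":
    for host, label in find_leaks(SAMPLE, EMAIL, "shop.example"):
        print(f"{host}: email sent before submit as {label}")
```

A hashed address is reported the same way as a plaintext one because the digest of a normalized email is still a stable, cross-site identifier.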