Gizmodo Investigation Exposes Websites Collecting Form Data Before You Hit ‘Submit’

Great investigative work by Kashmir Hill and Surya Mattu for Gizmodo:

During a recent investigation into how a drug-trial recruitment company called Acurian Health tracks down people who look online for information about their medical conditions, we discovered NaviStone’s code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using JavaScript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page. […]

We decided to test how the code works by pretending to shop on sites that use it and then browsing away without finalizing the purchase. Three sites — hardware site Rockler.com, gift site CollectionsEtc.com, and clothing site BostonProper.com — sent us emails about items we’d left in our shopping carts using the email addresses we’d typed onto the site but had not formally submitted. Although Gizmodo was able to see the email address information being sent to NaviStone, the company said that it was not responsible for those emails.

They weren’t responsible for sending the emails, but they were responsible for the email addresses being sent to those websites in the first place. Sending form data surreptitiously is morally wrong, and everyone knows it.

This might sound hyperbolic, but I mean it: I think we’d be better off if JavaScript had never been added to web browsers.

Thursday, 22 June 2017
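
The kind of check the quoted test implies (type into a form, leave without submitting, look at what went out) can be run over a recorded browser trace. The following is an added example, not code from Gizmodo, NaviStone or the author of this post; the trace format, host names and field values are constructed assumptions.

```javascript
// Node helper; in a browser use btoa() instead.
const b64 = (s) => Buffer.from(s, "utf8").toString("base64");

// Constructed trace: form input events and outgoing requests, by time.
// Hosts, fields and values are made up for this example.
const sampleTrace = [
  { t: 0,  kind: "input",   field: "email", value: "jane@example.test" },
  { t: 5,  kind: "request", host: "collector.tracker.example", body: "e=jane%40example.test&f=email" },
  { t: 8,  kind: "input",   field: "phone", value: "5550100" },
  { t: 9,  kind: "request", host: "shop.example", body: '{"cart":[42]}' },
  { t: 12, kind: "request", host: "collector.tracker.example", body: "d=" + b64("5550100") },
  { t: 20, kind: "submit" },
  { t: 21, kind: "request", host: "shop.example", body: "email=jane%40example.test" },
];

// Return how a typed value appears in a request body, or null.
// Hashed or encrypted values are not detected by this check.
function encodingFound(value, body) {
  const forms = { plain: value, urlencoded: encodeURIComponent(value), base64: b64(value) };
  for (const [name, encoded] of Object.entries(forms)) {
    if (body.includes(encoded)) return name;
  }
  return null;
}

// Flag every request sent before the submit event that carries a typed value.
function findPreSubmitLeaks(trace, firstPartyHost) {
  const typed = new Map();          // field name -> latest typed value
  const findings = [];
  let submitted = false;
  for (const ev of [...trace].sort((a, b) => a.t - b.t)) {
    if (ev.kind === "input") typed.set(ev.field, ev.value);
    else if (ev.kind === "submit") submitted = true;
    else if (ev.kind === "request" && !submitted) {
      for (const [field, value] of typed) {
        if (value.length < 4) continue;   // too short to match reliably
        const encoding = encodingFound(value, ev.body);
        if (encoding) {
          findings.push({ t: ev.t, host: ev.host, field, encoding,
                          thirdParty: ev.host !== firstPartyHost });
        }
      }
    }
  }
  return findings;
}

console.log(findPreSubmitLeaks(sampleTrace, "shop.example"));
```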