Martech firms among third parties scooping email addresses from websites prior to submission

Email addresses and passwords are being collected from website logins and sent to trackers before consumers submit the data or give consent, according to a new research paper. Some of that data is apparently going to martech providers. Email addresses can be used to track consumer behavior both on- and off-line,

Of the 100,000 sites examined, email addresses were collected from 1,844 websites in the EU and 2,950 sites in the U.S., according to “Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission.”

U.S. vs. EU results. “Comparing results from the EU and the U.S. vantage points, we found that 60% more websites leaked users’ emails to trackers, when visited from the U.S. Measuring the effect of consent choices on the exfiltration, we found their effect to be minimal. Based on our findings, users should assume that the personal information they enter into web forms may be collected by trackers — even if the form is never submitted,” write researchers Asuman Senol (imex-COSIC, KU Leuven), Gunes Acar (Radboud University), Mathias Humbert (University of Lausanne and Frederik Zuiderveen Borgesius (Radboud University).

Among the third-party collectors of email addresses are martech firms such as Adobe (Bizible), Criteo, Facebook, LiveRamp, Neustar, Oracle Netsuite (Bronco Marketing Platform), Salesforce Pardot and Taboola. Among the top websites where emails were collected before form submission were USA TODAY, Trello and The Independent in Europe; Business Insider, Issuu and Time in the U.S.

Read next: Why data compliance is more than consent management

The paper, to be presented at USENIX Security’22 in August, reported, “Taboola said in certain cases they collect users’ email hashes before form submission for ad and content personalization; they keep email hashes for at most 13 months; and they do not share them with other third parties. Taboola also said they only collect email hashes after getting user consent; however, our findings and subsequent manual verification showed that was not always the case.”

While this activity is legal at a federal level in the U.S., it is banned in the EU under GDPR.

The worst offending categories include: Fashion/Beauty (11.1% EU; 19% U.S.) Online Shopping (9.4% EU; 15.1% U.S.); and General News (6.6% EU; 10.2% U.S.). The least problematic: “Despite filling email fields on hundreds of websites categorized as Pornography, we have not [found] a single email leak.”

Why we care. With the end of cookies, it is inevitable that marketers will look for new sources of consumer data. Few are as useful as email addresses which are unique and persistent and can be tracked across the web and in the real world via things like loyalty programs. However, taking them without consent is a blatant violation of law in the EU and privacy expectations in the U.S. Also, the researchers found passwords being taken by what we in the martech field call “session replay scripts.” These are in practice indistinguishable from what the rest of the world calls keylogger malware.

About The Author

Constantine von Hoffman is managing editor of MarTech. A veteran journalist, Con has covered business, finance, marketing and tech for CBSNews.com, Brandweek, CMO, and Inc. He has been city editor of the Boston Herald, news producer at NPR, and has written for Harvard Business Review, Boston Magazine, Sierra, and many other publications. He has also been a professional stand-up comedian, given talks at anime and gaming conventions on everything from My Neighbor Totoro to the history of dice and boardgames, and is author of the magical realist novel John Henry the Revelator. He lives in Boston with his wife, Jennifer, and either too many or too few dogs.