Every website you visit many be recording absolutely everything you are typing.
Many websites today are storing information that you include in their search bars. Brands use this technology to help market products that align with your past interests. But certain websites will record user typing even without submitting your searches, potentially exposing you to dangerous breaches.
A study was done on thousands of sites to determine which websites record user typing. This study, performed by researchers from KU Leuven, Radboud University, and the University of Lausanne, analyzed 100,000 of the most popular websites in use today. The researchers looked at sites that people visited while in the European Union and sites that people visited while in the United States. The study concluded that 1,844 websites in the EU obtained people’s email addresses without their knowledge, while 2,950 sites visited in the US obtained email addresses. These websites often have third-party marketing services that extract user data and not the site or brand themselves.
While it’s legal for websites to record user typing to create a formula of targeted ads for the consumer, extracting personal information like passwords starts to enter the nefarious and unethical territory. These researchers went a step further when analyzing these websites by looking at those reported to have had password leaks. This led the researchers to one particular third-party enterprise called Yandex, a Russian tech company. Yandex was responsible for 52 instances of collecting password information without consent and before submissions. Though all the cases have been resolved, this many password leaks tied to one tech giant is concerning for many internet users.
Güneş Acar, one of the researchers involved with the website study and professor at Radboud University, expressed his shock with how many websites record user typing. This collective thought they would see a “few hundred websites” that recorded information before user submission, but instead, they found thousands of sites. It was surprising for the group that more websites were collecting user data before they even hit the submit or search button. This complicates many people’s understanding of keylogging on the internet while opening up a new conversation on how to keep one’s personal information more protected.
The group of professors who took a deep dive into websites recording user typing stated they were inspired by various media reports surrounding the subject. Most notably, they were galvanized by published reports on Gizmodo, which documented third parties potentially grabbing user data. The study likened this behavior to something known as keyloggers, where programs record everything a user types for malicious intent. These researchers found that many websites were doing similar search grabs to keyloggers, where user typing was collected without submission.
The researchers also noted the difference between European Union and the United States websites. Some countries are more diligent at preventing websites from recording user typing, and how certain companies regionally are more careful about information leakage. The EU’s General Data Protection Regulation limits the number of third parties companies can use for their sites. The study didn’t conclude that this regulation was the sole reason for the significant difference between the US and EU’s keylogging instances.