You type your email address into a website form but never hit submit. Hours later, a marketing email shows up in your inbox. According to new research, that is not a coincidence.
A team of researchers from UC Davis, Maastricht University, and other institutions has found that many websites collect keystrokes as users type, sometimes before a form is ever submitted. The study explores how third-party scripts capture and share this information in ways that may fit the legal definition of wiretapping under California law.
Mapping old laws to new practices
Wiretapping laws were written decades ago to prevent unauthorized interception of phone conversations. Over time, courts have extended these laws to cover newer technologies like email and certain web tracking tools. The researchers set out to see if today’s web practices also fall under these rules.
They focused on event listeners, which are pieces of JavaScript code that websites use to detect user actions like typing, clicking, or scrolling. Event listeners are common and often harmless. However, they can also capture what a person types in real time and send that data to a third party.
Shaoor Munir, a co-author of the study, told Help Net Security why his team took a careful approach when defining what counts as wiretapping. “In our paper, we adopt a deliberately strict definition of wiretapping. Under California’s CIPA § 631, wiretapping can include contemporaneous interception of a user’s communications. Websites routinely attach client-side event listeners that capture what people type before they press submit. In our measurements, we observed such captures on approximately 40 percent of sites,” Munir said.
Because the law was written before the modern web existed, courts have sometimes required extra evidence. To reflect this, the researchers only counted a case as wiretapping if they could confirm that data was sent to a remote server, not just captured locally. This stricter approach lowered the reported numbers but ensured accuracy.
Website keystroke tracking is widespread
The researchers built a custom web crawler and tested 15,000 websites from across the internet. They discovered that 91 percent of sites used event listeners in some way. While most were used for basic functions like tracking page loads or clicks, a significant portion were used to monitor typing.
In total, 38.5 percent of websites had third-party scripts installed that could intercept keystrokes. On 3.18 percent of sites, those intercepted keystrokes were also sent to a remote server. That behavior, the researchers note, matches the technical definition of wiretapping under CIPA.
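The two-step test described above (a third-party keystroke listener counts as wiretapping only when the typed value also reaches a remote server), as an added example in JavaScript that is not the study's crawler or code; the `site()` helper, the `SAMPLE_PAGES` crawl records and every hostname in them are constructed assumptions:

```javascript
// Added example (not the study's crawler or Help Net Security's code): an
// offline classifier applying the article's two-step test to constructed crawl
// records: (1) a third-party script registered a keystroke listener and
// (2) the typed value then reached that third party's server.
const KEYSTROKE_EVENTS = new Set(['keydown', 'keyup', 'keypress', 'input']);

// Registrable domain of a URL (assumption: the last two labels suffice for this
// sample; a real crawler would consult the Public Suffix List).
function site(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Percent-decode if possible so 'alice%40example.net' matches the typed value.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// 'none': no third-party keystroke listener; 'captured': third party listens but
// no exfiltration observed; 'transmitted': typed value sent to that third party.
function classifyPage(page) {
  const firstParty = site(page.url);
  const listeners = new Set(page.listeners
    .filter((l) => KEYSTROKE_EVENTS.has(l.event) && site(l.script) !== firstParty)
    .map((l) => site(l.script)));
  if (listeners.size === 0) return 'none';
  const exfil = page.requests.some((r) => listeners.has(site(r.url)) &&
    safeDecode(r.url + ' ' + (r.body || '')).includes(page.typed));
  return exfil ? 'transmitted' : 'captured';
}

// Count pages per bucket, the study's "installed" vs "sent to a remote server" split.
function summarize(pages) {
  const counts = { none: 0, captured: 0, transmitted: 0 };
  for (const p of pages) counts[classifyPage(p)] += 1;
  return counts;
}

// Constructed sample crawl records; hostnames are placeholders, not real vendors.
const SAMPLE_PAGES = [
  { url: 'https://shop.example/checkout', typed: 'alice@example.net',
    listeners: [{ event: 'input', script: 'https://cdn.tracker-example.com/t.js' }],
    requests: [{ url: 'https://api.tracker-example.com/c', body: 'e=alice%40example.net' }] },
  { url: 'https://news.example/signup', typed: 'bob@example.net',
    listeners: [{ event: 'keydown', script: 'https://cdn.analytics-example.com/a.js' }],
    requests: [{ url: 'https://cdn.analytics-example.com/ping', body: 'pv=1' }] },
  { url: 'https://blog.example/', typed: 'carol@example.net',
    listeners: [{ event: 'input', script: 'https://static.blog.example/form.js' }],
    requests: [{ url: 'https://blog.example/api/validate', body: 'email=carol%40example.net' }] },
];
```

Running `summarize(SAMPLE_PAGES)` puts one constructed page in each bucket, which is the distinction behind the 38.5 percent (listener installed) versus 3.18 percent (keystrokes transmitted) figures.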
The data captured included email addresses, phone numbers, and free text typed into forms. In some cases, email addresses entered into a form were later used for unsolicited marketing emails, even though the user never submitted the form.
Munir explained why email addresses are especially sensitive: “Email addresses serve as stable and highly specific identifiers. Capturing them before users even submit a form enables linkage across sites and enrichment by adtech or data brokers,” he said.
He added that there are even greater risks when sites prompt users to type in medical or financial information. “On websites that prompt users to enter sensitive medical or financial information, this data collection practice poses enormous privacy risks,” Munir said.
Figure: Top 20 most frequently listened-to event types and the percentage of websites on which each event listener is installed. (Source: publicly available study)
Why this matters legally
Under CIPA, every party to a conversation must consent before an interception takes place. This is stricter than federal wiretapping laws, which require consent from only one party.
The study does not declare any specific company’s actions illegal. Instead, it provides evidence that some tracking practices could qualify as wiretapping depending on how courts interpret the law. This matters because CIPA allows individuals to bring private lawsuits. That means enforcement does not rely only on government action.
Munir said regulators and lawmakers need to take steps to bring clarity. “Clarify third-party status under § 631: § 631 targets third-party eavesdroppers and aiders or abettors. Embedded analytics and session-replay vendors should be treated as third parties unless the user has expressly consented to their participation. Being embedded by the site should not convert a vendor into a party,” he explained.
He also called for changes at the federal level to better align with state protections. “To protect users nationwide, there’s a need to update ECPA’s consent requirement to mirror CIPA’s two-party consent,” Munir said.
Privacy risks for users and organizations
From a privacy perspective, the study highlights how little control users have over their data once it leaves their browser. Even without submitting a form, sensitive information can be collected and shared with multiple parties, often without disclosure.
Munir described why this silent data collection is so concerning. “Consider a scenario where a user types private information in a text box on a website and then deletes it without submitting because they might be uncomfortable sharing that information even with the first-party website. They would have no idea that even though they never submitted this information, it was still captured and transmitted to a third party,” he said.
He added, “This defies two levels of users’ expectations of privacy: first, that only the first party is privy to information users provide, and second, that only information actually submitted by users can be read by different parties on the website.”
For organizations, the risks extend beyond legal compliance. If customers learn that a website silently captures keystrokes, trust can erode quickly. The researchers suggest that companies review how third-party scripts are used and make sure users understand when and why their data is collected.