TEQ Blog

Staying Safe Out There

In an age of online convenience, it's easy to overlook the intricate mechanisms operating behind the websites we visit. We can't assume that our interests and privacy are safeguarded.

There is a lot that happens on a website that you – the site visitor – don’t see or don’t know about. And why should you? You don’t need to understand the inner workings of machines to know how to use them. Isn’t that one of the promises of digital transformation efforts: making your life easier by taking away the burden of the underlying complexity?

The implicit assumption of you not knowing what’s under the hood is that those folks responsible for this complexity abstraction have your interests at heart – or, at the very least, will not behave in such unacceptable ways out of the fear of being exposed. This assumption is based on all of us having similar moral compasses, underwritten by appropriate legal limitations. For this to work, however, we – the public – need to understand enough about what is going on, and rely on whistleblowers and our elected officials (and their bureaucratic underlings) to actually understand the consequences of what is happening, and then understand what can be done about it – if anything.

I am a big proponent of shining a light on the underhand or nefarious behaviour of companies and organisations acting against the interests of individuals in pursuit of a motive that isn’t in the public’s best interest. I am not putting myself out there as an arbiter of what is right or wrong. What I deem to be underhand or nefarious may not be perceived as such by (many) others. I am not here to tell you what is right or wrong: my goal is to opine and inform, so you are hopefully more aware of what is happening around you that you are probably not aware of. I actually have little faith in politicians being able to properly grapple with technology issues in order to set sensible rules and boundaries, and even less faith in bureaucrats to do this right either.

So, in this spirit, let’s shine a light on how websites can act (in my opinion) against your interests. Let’s start with a common online occurrence: clicking on a link in a social media feed.

You are scrolling through your social media feed, and something grabs your attention. Something amusing, not too serious perhaps. Certainly more interesting than what’s on TV or whatever work you are supposed to be doing. You click, and are bounced to a website to read more. You scroll and click to access the content.

Dancing around the outside of the main screen will be a number of advertisements for all sorts of offerings typically customised to you based on your browsing history. The website you are visiting makes their money by renting parts of their site to third-party advertisers – monetisation is the generic term for this. You are vigilant about never clicking on these adverts out of fear of being infected by malicious code or otherwise losing what little online privacy you have left. You read the ‘Top 10 List for…’ or whatever you clicked through to, shut the window, and return to your social media feed.

But the reality is, you have given away quite a lot of personal information through these simple steps. Your social network site knows heaps about you. How often you visit, what you look at, the posts that you spend time looking at, where you click through to, and how long you stay there. They probably know how old you are, where you live, the types of devices you use to access the web, where you work, and many of your other predilections. Your social network site – where most users spend the most time – has the ability to track everything you do on their site – and they do. And not just clicks and text entered. Pauses, scrolls, when you go to another tab, or another app. Their tracking is extremely pervasive and very granular. This data is analysed – by your social network provider as well as third-parties that buy that data – for behavioural tells, which feed prediction engines. These sites know you better than you do. You are then packaged up and sold to advertisers and marketers wanting to fine-tune their advertising spend. But you should already know this.

If you are not paying for it, you’re not the customer; you’re the product being sold.

Andrew Lewis

When you get to that external website – the one that offers to tell you the ‘Top 10 List for…’ – the monitoring doesn’t stop. The website owner solely monetises you through those adverts dancing around the periphery of your screen. So they want to know what you are up to as well, again so they can target that perfect advert – for which they get paid more.

Most of us are familiar with website cookies and how – conceptually at least – they work. Cookies are a little file the site leaves on your device. They can be used to improve that targeted marketing, as well as help with user security and performance. They have been around almost as long as the web itself, and have been the primary way users get tracked between visits to websites. You may have noticed recently a huge increase in sites asking you if it is OK for them to leave cookies on your device, and which ones you are OK with. This is basically to comply with the European Union’s General Data Protection Regulation (GDPR), which came into effect in May 2018. The GDPR is a very tough law, designed to protect European internet users from the excesses of hidden intrusion by websites. While the law technically only applies to sites in the EU (or targeting customers there), many websites around the world have implemented the safeguards for non-EU users as well to reduce their liability risk under this law. As a result, most websites in OECD countries have severely curtailed the use of cookies for tracking.

At the same time, browser vendors are starting to erect walls to reduce the utility of cookies, particularly third-party cookies and trackers.

Which means the advertisers need to come up with new methods to effectively track you. And they have – and will undoubtedly continue to in response to even slow-moving regulations.

The genesis of the approaches taken by these advertisers is based on earlier privacy workarounds. Cookies are limited in their ability to work across sites (an earlier privacy win for consumers), and most browsers by default now block other types of code being installed on your device (e.g., tracking software). Instead, attention has turned to massive-scale data matching built on big data engines. Armed with these capabilities, these marketers can track you across sites based on any unique, persistent identifier. And the most common identifier is your email address.

Your email address is – for most people – the perfect tracking identifier. It is unique (it couldn’t work otherwise) and generally persistent: you keep your email address a long time. In many cases, you will have at least two addresses: one personal (e.g., a Gmail account), one business (provided by your employer). Most people use their personal email address when signing up for personal services and items online, wanting to keep the two email flows separate. You may only keep your work email a few years (depending how often you change jobs), but you keep your personal email – typically – forever.

It is this ubiquitous use on websites that makes it so easy to track you. Through simple data matching – using your unique email address – data brokers can extract a huge amount of information about your online behaviour, which of course they can on-sell. But it gets better (for them, not so much for you): you use that same email address when completing forms offline as well. Think of all the places offline where you have provided that personal email address. That is the potential sum total space across which your activity can be tracked.

And, it gets worse. A recent working paper by European security researchers outlined their findings that you don’t even need to submit data to a website to have your identifying information captured.

Here’s the scenario. You go to that website with the Top 10 List. While you are there, up pops an invitation to get something really desirable (individualised to your personal profile of course). All you need to do is complete a form with your name and email address. But, before you hit submit, you realise this as the scam that it is, and close your browser. You’re safe, right?

In an evaluation (‘crawl’) of the top 100,000 websites from the EU and US, the researchers found that ‘users’ email addresses are exfiltrated to tracking, marketing and analytics domains before form submission and without giving consent on 1,844 websites in the EU crawl and 2,950 websites in the US crawl.’ In other words, those forms capturing your details had keyboard loggers operating – software that takes note of every keypress you make while on the site, capturing and sending your email address to a third-party tracker site before you hit submit – and more concerningly, even if you do not submit. These keyboard loggers appear to be all coded in JavaScript, so they run seamlessly across platforms.

It appears that in at least some cases, even the website owners are not aware that this is happening. The guilty party is one of those third-party advertisers the website owner has allowed to be embedded in their site. Other site owners and the third-party data collectors argued the use of this type of data collection is legitimate, even if the end user is not aware. I don’t agree.

Form abandonment and drop out is very high on almost all sites, and I think those users not hitting the submit button have a reasonable expectation the data they have entered is not captured.

To add to the risk – and brighten your day – it is not just your email address that gets stolen. Remember, your keyboard is being monitored. So that includes your password as well. I have written previously about the need to use unique passwords when you register on different sites, but this finding reinforces that need. You also need to be careful about entering any sensitive or private information online – like credit card numbers and phone numbers. Even if the data entry is obscured (**********) as you enter it, a keyboard logger can still be capturing and saving your data.

Something else to note is that some of the websites in the study above made deliberate decisions about when to track the user based on their location. While 1,844 of the sites apparently didn’t care they were breaking the GDPR law inside the EU, 1,106 websites only enabled the tracking when they were outside that jurisdiction.

The researchers also reported that: ‘Since our crawler fills a distinct email address for each website, we are able to attribute the received emails to distinct websites. In the six-week period following the crawls, we received 290 emails from 88 distinct sites on the email addresses used in the desktop crawls, despite not submitting any form. Most emails offer a discount, or just invite us back to their site.’

In other words, these sites blatantly used this stolen email data in their remarketing efforts. I think these sites are hoping you don’t remember whether or not you left your email address. Most people don’t keep notes to know if they did or not.

What You Can Do

What can you do to improve your security in light of this finding?

  1. Don’t enter data on forms unless you really intend to commit – and accept your data may be purloined. Not really a security tip, more about awareness.
  2. Use unique passwords when creating new accounts. This can create issues with remembering passwords, but reduces the risk of your password being stolen.
  3. Use an email alias service. These services map a one-off ‘pseudonymous’ email address to your real address. This reduces the ability of these sites to track you as your email address is unique on each site, but you still receive their spam emails.
  4. Have more than one personal email address. This spreads the risk rather than solves it. For this to really be effective, use different names/personas on each site as well, else the data matching algorithms might well still find and link you to all these email addresses.
  5. Change your personal email address periodically. Some people already do this, and it is a hassle when you make the change. If you do this, don’t simply change the email address on those websites you are registered on: the trackers might be able to detect the change and link the email accounts. You need to create new user identities on those websites as well.
  6. Register your own domain, and create your own unique email addresses for each site. This also reduces the ability of these sites to track you as your email address is unique on each site. Again, you still get the spam emails, but you can now trace who sent them.
  7. Don’t provide your phone number on these forms. It is rare that a phone number is required, or is used in account authentication, so even if you do have to enter a number, make one up if you have any concerns.
  8. Only ever enter your credit card number on a secure payment gateway, and never into a site directly.
  9. Still turn off tracking cookies. This remains a good precaution.

The research paper authors developed a proof-of-concept browser plug-in that notifies the user when this type of data logging is detected. If this gets productised, it may be a useful add-on to your browser.
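To make the idea of detecting this concrete, here is an added example (not the researchers' add-on and not code from this post) of the core check such a detector needs: did a value typed into a form show up in a request to another site before any submit happened? The event format, host names and field values are assumptions constructed for illustration, and the matching on URL-encoded and base64 forms goes beyond what the post describes.

```javascript
// Constructed sample data throughout: hosts, field values and events are made up.
const SITE_HOST = 'top10.example';
const EMAIL = 'jo.tester@mail.example';
const PASSWORD = 'constructed-pw-1';

// Forms in which a typed value may appear inside a request.
function encodings(value) {
  return { plain: value, urlencoded: encodeURIComponent(value), base64: btoa(value) };
}

// Simplified first-party test: same host or a subdomain of the visited site.
// A real tool would compare registrable domains using the Public Suffix List.
function isThirdParty(requestUrl, siteHost) {
  const host = new URL(requestUrl).hostname;
  return host !== siteHost && !host.endsWith('.' + siteHost);
}

// events: ordered {type:'input',field,value} | {type:'request',url,body} | {type:'submit'}
function findPreSubmitLeaks(events, siteHost) {
  const typed = new Map(); // field name -> latest value typed
  const leaks = [];
  let submitted = false;
  for (const ev of events) {
    if (ev.type === 'input') { typed.set(ev.field, ev.value); continue; }
    if (ev.type === 'submit') { submitted = true; continue; }
    if (submitted || !isThirdParty(ev.url, siteHost)) continue;
    const haystack = ev.url + '\n' + (ev.body || '');
    for (const [field, value] of typed) {
      if (value.length < 4) continue; // too short to match reliably
      const hit = Object.entries(encodings(value)).find(([, needle]) => haystack.includes(needle));
      if (hit) leaks.push({ field, encoding: hit[0], host: new URL(ev.url).hostname });
    }
  }
  return leaks;
}

// The visitor types an email and a password, then closes the tab (no submit event).
const abandonedForm = [
  { type: 'input', field: 'email', value: EMAIL },
  { type: 'request', url: 'https://top10.example/validate', body: 'email=' + EMAIL },
  { type: 'request', url: 'https://collect.tracker.example/p?e=' + encodeURIComponent(EMAIL) },
  { type: 'input', field: 'password', value: PASSWORD },
  { type: 'request', url: 'https://cdn.ads.example/b',
    body: JSON.stringify({ d: btoa(EMAIL), k: PASSWORD }) },
];

for (const leak of findPreSubmitLeaks(abandonedForm, SITE_HOST)) {
  console.log(`${leak.field} sent to ${leak.host} before submit (${leak.encoding})`);
}
```

The first-party validation request is ignored; the two third-party requests are flagged. A value sent as a hash would not be caught by this sketch and would need a digest comparison as well.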

The research paper is well worth a read. One thing I really liked was that they named some of the guilty parties they found – and therefore some potential sites to avoid.
