2017.06.21

This is Why Your Browser's Autofill Can Compromise Your Privacy

animated GIF of code scrolling on a computer screen


GIZMODO reported on a company called NaviStone whose code gets embedded in its clients' e-commerce sites. NaviStone's code collects and transmits the data you type into a form regardless of whether you actually complete the transaction:

During a recent investigation into how a drug-trial recruitment company called Acurian Health tracks down people who look online for information about their medical conditions, we discovered NaviStone’s code on sites run by Acurian, Quicken Loans, a continuing education center, a clothing store for plus-sized women, and a host of other retailers. Using JavaScript, those sites were transmitting information from people as soon as they typed or auto-filled it into an online form. That way, the company would have it even if those people immediately changed their minds and closed the page.

The GIZMODO report further explains that while the NaviStone technology gives retailers the option to collect your data in real time, whether a retailer actually takes advantage of that capability may come down to policy. My interpretation: there may be a distinction between what NaviStone's code collects and what portion of it the retailer is interested in. (Just because the retailer doesn't want particular data until you submit the form doesn't mean the software isn't collecting it in real time anyway.)

GIZMODO also reports that NaviStone changed its collection policy as a result of the GIZMODO investigation:

[GIZMODO] decided to test how the code works by pretending to shop on sites that use it and then browsing away without finalizing the purchase. Three sites—hardware site Rockler.com, gift site CollectionsEtc.com, and clothing site BostonProper.com—sent us emails about items we’d left in our shopping carts using the email addresses we’d typed onto the site but had not formally submitted. Although Gizmodo was able to see the email address information being sent to Navistone, the company said that it was not responsible for those emails.

. . .

As a result of our reporting, though, NaviStone says it will no longer collect email addresses from people this way.

"While we believe our technology has been appropriately used, we have decided to change the system operation such that email addresses are not captured until the visitor hits the 'submit' button," [NaviStone COO Allen] Abbott wrote.

I may have some personal experience with this. I was browsing the web store for the band STYX some time ago and abandoned the transaction. I received several e-mails from the site, reminding me that I'd left items in my cart.

The NaviStone technology is not necessarily ground-breaking — JavaScript's ability to execute in the browser client is a cornerstone of the modern Web — but using it to report data before the form is submitted is, at the very least, a betrayal of netizens' trust. (An expert GIZMODO contacted on this very topic concluded that a legal complaint could be viable.) And it is reporting the data: it encodes it as a file and sends it each time the value of a form control changes, whether a textbox is filled in or a selection is made in a dropdown list. See the GIZMODO article for the illustrated play-by-play.

This application of client-side technology has serious ramifications for the autofill capability in your browser. Autofill can insert your personal information into multiple controls at once, like filling out an entire address form for you as a convenience. Because the script reports each control as its value changes, NaviStone's code can snatch up every autofilled field and send it as soon as it is filled.
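For site owners who want to audit the third-party scripts they embed, here is an added example (not code from the article or from NaviStone) of a heuristic scanner that flags scripts which send form values from per-field event handlers rather than on submit. The two scripts it scans are constructed here; the `/collect` and `/order` endpoints are placeholders.

```javascript
// Added example: flag scripts that reach a network sink from a per-field
// handler (input/change/keyup/blur). Regex plus brace matching, not a JS
// parser: it finds candidates for manual review and can pick the wrong body
// when the handler is a named function defined elsewhere.
const FIELD_EVENTS = /addEventListener\s*\(\s*['"](input|change|keyup|keydown|blur)['"]|\.on(input|change|keyup|keydown|blur)\s*=/g;
const NETWORK_SINKS = /\b(fetch\s*\(|XMLHttpRequest|sendBeacon\s*\(|new\s+Image\s*\(|\.src\s*=|WebSocket)/;

// Return the balanced `{ ... }` block that begins at the first `{` after `from`.
function handlerBody(src, from) {
  const open = src.indexOf('{', from);
  if (open < 0) return '';
  let depth = 0;
  for (let i = open; i < src.length; i++) {
    if (src[i] === '{') depth++;
    else if (src[i] === '}' && --depth === 0) return src.slice(open, i + 1);
  }
  return src.slice(open); // unbalanced braces: scan the remainder
}

// One finding per field-level handler whose body reaches a network sink.
function findPreSubmitReporting(src) {
  const findings = [];
  for (const m of src.matchAll(FIELD_EVENTS)) {
    const body = handlerBody(src, m.index + m[0].length);
    const sink = body.match(NETWORK_SINKS);
    if (sink) findings.push({ event: m[1] || m[2], sink: sink[1].replace(/\s+/g, ''), offset: m.index });
  }
  return findings;
}

// Constructed samples. SUSPECT reports every field as it changes, the pattern
// the article describes; BENIGN validates on input and only sends on submit.
const SUSPECT = `
document.querySelectorAll('input').forEach(function (el) {
  el.addEventListener('change', function (e) {
    navigator.sendBeacon('/collect', JSON.stringify({ n: e.target.name, v: e.target.value }));
  });
});`;
const BENIGN = `
var email = document.getElementById('email');
email.addEventListener('input', function (e) {
  e.target.setCustomValidity(/@/.test(e.target.value) ? '' : 'Enter an email address');
});
document.forms[0].addEventListener('submit', function (e) {
  fetch('/order', { method: 'POST', body: new FormData(e.target) });
});`;

console.log(findPreSubmitReporting(SUSPECT)); // one finding: event 'change', sink 'sendBeacon('
console.log(findPreSubmitReporting(BENIGN));  // []
```

A finding is a starting point for review, not proof: a handler may legitimately save a draft, and a script may route values through a helper the scanner does not follow.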

This might sound a bit alarmist, but consider disabling the feature in your browser, or at the very least, think twice before allowing it to run on unfamiliar sites.
