GIZMODO reported on a company called NaviStone whose code gets embedded in clients' ecommerce
sites. NaviStone's code collects and transmits the data you're providing regardless of whether
you actually perform the transaction.
During a recent investigation into how a drug-trial
recruitment company called Acurian Health tracks down people who look online for information
about their medical conditions, we discovered NaviStone’s code on sites run by Acurian, Quicken
Loans, a continuing education center, a clothing store for plus-sized women, and a host of other
retailers. Using Javascript, those sites were transmitting information from people as soon as
they typed or auto-filled it into an online form. That way, the company would have it even if
those people immediately changed their minds and closed the page.
The GIZMODO report further explains that while the NaviStone technology is giving retailers
the option to collect your data in real-time, whether the retailers opt to take advantage of
the collection capability could come down to policy. My interpretation: There may be a distinction
between NaviStone's collection and what portion of it the retailer is interested in. (Just because
the retailer doesn't want particular data until you submit the form doesn't mean the software
isn't collecting it in real-time anyway.)
GIZMODO also claims that NaviStone changed their collection policy as a result of the GIZMODO
investigation:
[GIZMODO] decided to test how the code works by pretending to shop on sites that use it and
then browsing away without finalizing the purchase. Three sites—hardware site Rockler.com,
gift site CollectionsEtc.com, and clothing site BostonProper.com—sent us emails about items
we’d left in our shopping carts using the email addresses we’d typed onto the site but had
not formally submitted. Although Gizmodo was able to see the email address information being
sent to Navistone, the company said that it was not responsible for those emails.
. . . As a result of our reporting, though, NaviStone says it will no longer collect
email addresses from people this way. "While we believe our technology has been
appropriately used, we have decided to change the system operation such that email addresses
are not captured until the visitor hits the 'submit' button," [NaviStone COO Allen] Abbott
wrote.
I may have some personal experience with this. I was browsing the web store for the band STYX
some time ago and abandoned the transaction. I received several e-mails from the site, reminding
me that I'd left items in my cart.
The NaviStone technology is not necessarily ground-breaking (JavaScript's ability to execute
in the browser client is a cornerstone of the modern Web), but using it to report data
prior to submitting the form is, at the very least, a betrayal of netizens' trust. (An expert
GIZMODO contacted on this very topic concluded that a legal complaint could be viable.) And it
is reporting the data: it's encoding it as a file and sending it each time the value of a form
control gets changed, like a textbox getting filled in or a selection being made in a dropdown list.
See the GIZMODO article for the illustrated play-by-play.
This application of client-side technology could have some serious ramifications for the autofill
capability in your browser. Autofill can insert your personal information into multiple controls
at once, like filling out an entire address form for you as a convenience. NaviStone's code
can snatch it up and send it as each field is filled.
This might sound a bit alarmist, but consider disabling the feature
in your browser, or at the very least, think twice before allowing it to run on unfamiliar sites.
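To check a site for the behavior described above (form values leaving the browser as each control changes, before any submit), the following added example audits a recorded browser trace and flags requests that carry typed or autofilled values ahead of the submit event. It is not code from this post, GIZMODO or NaviStone; the trace format, host names and field values are constructed assumptions.

```javascript
// Added example: audit a recorded browser trace for form values sent before submit.
// The trace format, hosts and values below are constructed for illustration.
const b64 = (s) => Buffer.from(s, 'utf8').toString('base64');

const sampleTrace = [
  { t: 0, type: 'input', field: 'email', value: 'pat@example.test' },
  { t: 1, type: 'request', url: 'https://collector.example.test/c',
    body: b64(JSON.stringify({ f: 'email', v: 'pat@example.test' })) },
  { t: 2, type: 'input', field: 'zip', value: '90210' },
  { t: 3, type: 'request', url: 'https://shop.example.test/api/cart?items=2' },
  { t: 4, type: 'request', url: 'https://collector.example.test/c?zip=90210' },
  { t: 5, type: 'submit' },
  { t: 6, type: 'request', url: 'https://shop.example.test/checkout',
    body: 'email=pat%40example.test&zip=90210' },
];

// Views of one request to search: raw, base64-decoded body, URL-decoded.
function requestViews(ev) {
  const raw = ev.url + '\n' + (ev.body || '');
  const views = [raw, Buffer.from(ev.body || '', 'base64').toString('utf8')];
  try { views.push(decodeURIComponent(raw)); } catch (_) { /* malformed escapes */ }
  return views;
}

// Returns one finding per (request, field) where a field value left the
// browser before the user submitted the form.
function findPreSubmitLeaks(trace, pageHost) {
  const typed = new Map(); // field name -> latest value seen
  const leaks = [];
  let submitted = false;
  for (const ev of trace) {
    if (ev.type === 'input') typed.set(ev.field, ev.value);
    else if (ev.type === 'submit') submitted = true;
    else if (ev.type === 'request' && !submitted) {
      const views = requestViews(ev);
      const host = new URL(ev.url).hostname;
      for (const [field, value] of typed) {
        if (value.length < 4) continue; // too short to match reliably
        if (views.some((v) => v.includes(value))) {
          leaks.push({ t: ev.t, field, host, thirdParty: host !== pageHost });
        }
      }
    }
  }
  return leaks;
}

console.log(findPreSubmitLeaks(sampleTrace, 'shop.example.test'));
```

The post-submit checkout request is deliberately not flagged, since sending the form after the visitor submits it is the expected behavior.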