Are You Sure You Want to Contact Us? Quantifying the Leakage of PII via Website Contact Forms

Authors: Oleksii Starov (Department of Computer Science, Stony Brook University), Phillipa Gill (Department of Computer Science, Stony Brook University), Nick Nikiforakis (Department of Computer Science, Stony Brook University)

Volume: 2016
Issue: 1
Pages: 20–33

Download PDF

Abstract: The majority of commercial websites provide users the ability to contact them via dedicated contact pages. In these pages, users are typically requested to provide their names, email addresses, and reason for contacting the website. This effectively makes contact pages a gateway from being anonymous or pseudonymous, i.e., identified via stateful and stateless identifiers, to being eponymous. As such, the environment where users provide their personally identifiable information (PII) has to be trusted and free from intentional and unintentional information leaks. In this paper, we report on the first large-scale study of PII leakage via contact pages of the 100,000 most popular sites of the web. We develop a reliable methodology for identifying and interacting with contact forms as well as techniques that allow us to discover the leakage of PII towards thirdparties, even when that information is obfuscated. Using these methods, we witness the leakage of PII towards third-parties in a wide range of ways, including the leakage through third-party form submissions, third-party scripts that collect PII information from a first-party page, and unintended leakage through a browser’s Referer header. To recover the lost control of users over their PII, we design and develop Formlock, a browser extension that warns the user when contact forms are using PII-leaking practices, and provides the ability to comprehensively lock-down a form so that a user’s details cannot be, neither accidentally, nor intentionally, leaked to third parties.

Keywords: privacy, tracking, Personally Identifiable Information, HTTP Referer

Copyright in PoPETs articles are held by their authors. This article is published under a Creative Commons Attribution-NonCommercial-NoDerivs 3.0 license.