Are You Sure You Want to Contact Us? Quantifying the Leakage of PII via Website Contact Forms

Open access


The majority of commercial websites provide users the ability to contact them via dedicated contact pages. In these pages, users are typically requested to provide their names, email addresses, and reason for contacting the website. This effectively makes contact pages a gateway from being anonymous or pseudonymous, i.e., identified via stateful and stateless identifiers, to being eponymous. As such, the environment where users provide their personally identifiable information (PII) has to be trusted and free from intentional and unintentional information leaks. In this paper, we report on the first large-scale study of PII leakage via contact pages of the 100,000 most popular sites of the web. We develop a reliable methodology for identifying and interacting with contact forms as well as techniques that allow us to discover the leakage of PII towards third parties, even when that information is obfuscated. Using these methods, we witness the leakage of PII towards third parties in a wide range of ways, including leakage through third-party form submissions, third-party scripts that collect PII from a first-party page, and unintended leakage through a browser's Referer header. To recover users' lost control over their PII, we design and develop Formlock, a browser extension that warns the user when contact forms are using PII-leaking practices, and provides the ability to comprehensively lock down a form so that a user's details cannot be leaked to third parties, either accidentally or intentionally.
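The three leak channels named in the abstract, as an added example that is not part of the paper and not Formlock's code: a static classifier in JavaScript that, given a description of a contact page, reports cross-site form actions, cross-site scripts on the form page, and GET submissions whose field values would reach third parties through the Referer header of the landing page. The page-description shape, hostnames and field values are constructed for the example; site comparison uses a last-two-labels approximation of eTLD+1 rather than the Public Suffix List; and the lock-down function illustrates the idea of locking a form down, not how Formlock actually works.

```javascript
// Added example (not the paper's code and not Formlock): a static classifier for the
// three PII-leak channels the abstract lists, run over constructed page descriptions.
// Assumed (hypothetical) input shape:
//   { url, form: { action, method, fields }, scripts: [src, ...],
//     resultPage: { referrerPolicy, resources: [src, ...] } }
// `resultPage` describes the page a GET submission lands on; its own referrer policy
// governs the Referer header sent with the resources it loads.

// eTLD+1 approximation: last two hostname labels. A real tool must use the
// Public Suffix List (this misclassifies e.g. "co.uk" domains).
function registrableSite(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

function sameSite(absUrlA, absUrlB) {
  return registrableSite(new URL(absUrlA).hostname) === registrableSite(new URL(absUrlB).hostname);
}

// Does a request from `fromUrl` to `toUrl` carry the full URL (path and query) in
// Referer under `policy`? An empty policy means the browser default; browsers in the
// study's era defaulted to no-referrer-when-downgrade, current ones to
// strict-origin-when-cross-origin, so the default is a parameter.
function refererCarriesFullUrl(policy, fromUrl, toUrl, browserDefault = 'strict-origin-when-cross-origin') {
  const effective = policy || browserDefault;
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const crossOrigin = from.origin !== to.origin;
  const downgrade = from.protocol === 'https:' && to.protocol === 'http:';
  switch (effective) {
    case 'no-referrer': return false;
    case 'unsafe-url': return true;
    case 'no-referrer-when-downgrade': return !downgrade;
    case 'same-origin': return !crossOrigin;
    case 'origin':
    case 'strict-origin': return false;
    case 'origin-when-cross-origin': return !crossOrigin;
    case 'strict-origin-when-cross-origin': return !crossOrigin && !downgrade;
    default: throw new Error(`unknown referrer policy: ${effective}`);
  }
}

function analyzeContactForm(page, opts = {}) {
  const { url, form, scripts = [], resultPage } = page;
  const findings = [];
  // A missing action submits to the document's own URL; a relative one resolves against it.
  const target = new URL(form.action || url, url).href;
  const method = (form.method || 'GET').toUpperCase();

  if (!sameSite(url, target)) {
    findings.push({ channel: 'third-party-form-submission', detail: target });
  }
  // Any cross-site script on the form page can read the inputs before submission.
  for (const src of scripts) {
    const abs = new URL(src, url).href;
    if (!sameSite(url, abs)) findings.push({ channel: 'third-party-script-on-form-page', detail: abs });
  }
  // A GET submission puts the field values into the landing page's query string,
  // which the browser then copies into the Referer of that page's cross-site requests.
  if (method === 'GET' && resultPage) {
    const landing = new URL(target);
    landing.search = new URLSearchParams(form.fields || {}).toString();
    for (const res of resultPage.resources) {
      const abs = new URL(res, landing).href;
      if (!sameSite(landing.href, abs) &&
          refererCarriesFullUrl(resultPage.referrerPolicy || '', landing.href, abs, opts.browserDefault)) {
        findings.push({ channel: 'referer-leak', detail: abs });
      }
    }
  }
  return findings;
}

// Illustrative lock-down (not Formlock's implementation): force POST so the values never
// enter a URL, and strip cross-site scripts from the form page. A form whose action
// already points at a third party is leaking by design; that is a case for a warning.
function lockDownForm(page) {
  return {
    ...page,
    form: { ...page.form, method: 'POST' },
    scripts: (page.scripts || []).filter(s => sameSite(page.url, new URL(s, page.url).href)),
  };
}

// Constructed sample pages (hostnames and values are made up for this example).
const FIRST_PARTY_GET_FORM = {
  url: 'https://shop.example/contact',
  form: { action: '/contact', method: 'get',
          fields: { name: 'Alice Example', email: 'alice@mail.example', message: 'order 42' } },
  scripts: ['/js/app.js', 'https://cdn.analytics-example.net/t.js'],
  resultPage: { referrerPolicy: '', resources: ['https://cdn.analytics-example.net/pixel.gif', '/img/logo.png'] },
};
const THIRD_PARTY_POST_FORM = {
  url: 'https://shop.example/contact',
  form: { action: 'https://forms.saas-example.com/submit', method: 'post',
          fields: { name: 'Alice Example', email: 'alice@mail.example' } },
  scripts: [],
};

if (typeof require !== 'undefined' && require.main === module) {
  const legacy = { browserDefault: 'no-referrer-when-downgrade' };
  console.log(analyzeContactForm(FIRST_PARTY_GET_FORM, legacy));
  console.log(analyzeContactForm(lockDownForm(FIRST_PARTY_GET_FORM), legacy));
  console.log(analyzeContactForm(THIRD_PARTY_POST_FORM));
}
```

The browser default passed in `opts.browserDefault` decides whether the first sample's GET submission is flagged: under the no-referrer-when-downgrade default of the study's era the tracking pixel on the landing page receives the full query string with the visitor's name and email, while under the current strict-origin-when-cross-origin default it only receives the origin. The lock-down removes both accidental channels from that sample but leaves the second sample's cross-site action untouched, since a form that posts to a third party needs a warning rather than a silent rewrite.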


