Don't give away your email address on the internet willy-nilly, especially if you live in the US

Android Police

By Jules Wang

Published May 21, 2022

Latest research finds lots of previously unidentified trackers that even pick up on passwords

If you participate in society to any extent, you've got data out there and it's more than what you think you've put out there. On the web, it's no different and no settings toggle will help you bring it all back. Some sites like to haunt users who initiate but don't finish signing up for a membership by catching the email address they put in —maybe even the password, too — and then send them reminders or other spammier messages. They suck, but they're a fact of life and, according to a new whitepaper, moreso in the U.S. than Europe.

The report, published by the USENIX Association and linked to us by ghacks.net, comes from European researchers who used a crawler to fill in email and password information on the internet's top 100,000 sites from U.S. and E.U. IP addresses and then perform dragnets on any trackers taking the bait. All runs took place over the course of May and June last year.

The top-line numbers are only encouraging from a proportional perspective: on desktop, 1,844 sites on the E.U. crawls passed on addresses to third parties including trackers, analyzers, and marketers while with the U.S. crawls, it was 2,950 sites; mobile results were similar at 1,745 and 2,744, respectively. Site categories that were most active in sharing emails include fashion and beauty (11.1% of 1,176 sites) and online shopping (9.4% of 3,658). Amazingly, none of the 528 pornography sites where the crawler filled an email address field had trackers.

If you wonder whether those cookie consent management policies on the sites you visit actually matter, you should know that only 7,720 of the 100,000 sites analyzed offer one and that even if you select the "reject all" option, 199 (or more) sites will grab your email if you're on a European IP. 201 (again, or more) sites will do so if they find you in the United States. Also very assuring, the scholars found 41 tracker domains that weren't on popular blocklists and 52 domains that also collected passwords, often using keystroke detection scripts — the researchers believe most if not all of these password collections are incidental and credit Russia's Yandex and American firm Mixpanel for taking action to correct the behavior when they were made aware of it. But many other companies did not bother to respond to questions about password collection or even requests as granted by the E.U.'s General Data Protection Regulation.

To be fair, there are plenty of nuances as to how data is collected (whether it's been obscured by a hash) or why (these results exclude instances where site hosts send email addresses to internal trackers for purposes such as preventing account duplication), but at the end of the day, if you're worried about your data splatter going all over the place, there's very little you can do to make sure everything gets cleaned up to the last bit. It is up to you to determine your level of participation on the internet — perhaps don't fill sign-up forms unless you actually intend on signing up for the service the site provides — and what risks you're willing to accept. These thoroughly-researched datasets can help drive your decisions, though.