Friday, June 30, 2017

Web Form Data Sent Before You Click “Submit”

Kashmir Hill and Surya Mattu:

But it’s too late. Your email address and phone number have already been sent to a server at “murdoog.com,” which is owned by NaviStone, a company that advertises its ability to unmask anonymous website visitors and figure out their home addresses. NaviStone’s code on Quicken’s site invisibly grabbed each piece of your information as you filled it out, before you could hit the “Submit” button.

[…]

In yesterday’s report on Acurian Health, University of Washington law professor Ryan Calo told Gizmodo that giving users a “send” or “submit” button, but then sending the entered information regardless of whether the button is pressed or not, clearly violates a user’s expectation of what will happen. Calo said it could violate a federal law against unfair and deceptive practices, as well as laws against deceptive trade practices in California and Massachusetts. A complaint on those grounds, Calo said, “would not be laughed out of court.”

1 Comment RSS · Twitter


A lot of web forms immediately submit data when you start entering it. Anything that does any kind of non-trivial live validation on the data does that. Google's search field, probably the most commonly used web form, does it. The problem here isn't auto-submitting data, it's what they do with that data.

Leave a Comment