A tech-law measurement and analysis of event listeners for wiretapping

73 points by lapcat 2 days ago

"We find evidence that 38.52% websites installed third-party event listeners to intercept keystrokes, and that at least 3.18% websites transmitted intercepted information to a third-party server, which aligns with the criteria for wiretapping."

They say they autopopulate fields based on field type, but address fields are common to have an autocomplete feature enabled. That would require transmitting data before submitting the form. I didn't see anything about rating probabilities of the transmitted data being benign and useful or nefarious and malicious.

lapcat - 2 days ago

The article is talking primarily about third-party tracking scripts. These would not be providing autocomplete to first-party forms.
The article does talk about one example which is not considered wiretapping: a Google search field with autocomplete that's intentionally embedded in the web page.

qingcharles - 2 days ago

Statutory private rights-of-action are devastating to companies on major breaches like this because it entitles large payouts. I'm all for statutory fines, because so many of these things require other means to get payouts (e.g. tort law) which benefits lawyers and settlements much more than statutory payouts do.

IIRC, this is what caused those huge payouts on the biometrics from Facebook and Google who didn't pay proper attention to per-state laws.

I'm assuming they are only tracking obvious third-party data escapes here (e.g. page includes off-domain JavaScript) rather than the less-obvious route here where the first-party receives the data and then shuffles it off to an outside party on the back-end.

kmoser - 2 days ago

I wonder if it would be possible to write a browser plugin to prevent keystroke monitoring. I realize this might break some sites that rely on intercepting keystrokes, but assuming that doesn't matter, is it even possible? I found a product called KeyScrambler but that seems to work at the OS level.

spartanatreyu - 2 days ago

It'd be really easy, in JS you can override anything on the document or window.
You're not supposed to and everyone is in a gentleman's agreement not to, but you could if you really wanted to.
For example, the following code:
console.log("Foo");
console.log("Bar");
console.log("Baz");
Prints out the following to the console:
> Foo
> Bar
> Baz
But if I was to run this code first:
const originalLog = console.log; let logCounter = 0; console.log = function log(str) { logCounter++; originalLog(`${logCounter}: ${str}`); }
Then the original code will now output:
> 1: Foo
> 2: Bar
> 3: Baz
So if you wanted to stop people messing with keystroke/input/change/etc events, you could:
1. make backup variables that reference the original addEventListener, onChange, onTouch, onInput, etc... functions
2. make up your own man-in-the-middle functions that inspect the events getting passed to them
3. if you want the event passed to your man-in-the-middle function to go through, just pass it to your backup variable that points to the original function
4. and if you don't want it to go through, then just don't call the original function.
------------------------------------------------
Or, you could just use an adblocker like uBlock Origin on Firefox, so the third party tracking script isn't loaded in the first place
lapcat - 2 days ago

Yes, it's definitely possible.

hammock - 2 days ago

Which websites are these listeners on? I saw the list of third parties but not the websites themselves.

Dotnaught - 2 days ago

Is there a way, perhaps via extension or user script, to override third-party keystroke event listeners?