2022-05-18 00:00:00
Advertisers secretly collect email addresses from web page login forms
When you fill in a form or log in to a web page, you probably expect that only the web service where you want to sign in gets your email address and password. Unfortunately, ad tech businesses that track people on the internet may capture the email address even before you hit any buttons on the page.
This data collection method applies to all forms and input fields on web pages. Information you submit to a web site may be collected by advertisers before you accept or submit the form, and before you have given your consent to collect your data. Even if you abandon the form, close it, or simply navigate to another page, your keystrokes have been recorded and stored in advertisers' databases.
The disturbing discovery was made by a group of researchers at Radboud University in The Netherlands, University of Lausanne in Switzerland and KU Leuven in Belgium. The researchers developed a program that simulated filling in login forms and other types of forms. It simultaneously monitored what happened to the user data that was processed in the background. They ran the test program on the top 100,000 popular web sites, and discovered that when visited from a US address, 2950 web sites had advertisers that collected email addresses before the user clicked a button or accepted data collection. When web sites were visited from an EU address, 1844 web sites leaked email addresses to advertisers before the user had pushed any button or approved data capture.
The researchers also highlight on their web page, Leaky Forms, that 52 web sites leaked login passwords to advertisers. When the web sites received information about the password leak, each one corrected it. After the test program had collected information from the popular web sites, the team was notified that Facebook and TikTok had started to collect data from web site forms as well.
How is this possible? When a web page is loaded into a browser, it often includes small programs that the browser executes on the user's phone or computer. Typically, these programs are implemented in JavaScript. The programs can read, write and manipulate data on a web page, collect user input, and send data where they want.
The owner of the web page is responsible for the content of the page. If it includes program code that does strange things, it is likely that the owner of the web page has decided to allow advertisers to access the page. It is possible - and the research also indicates - that the web page owner is not aware of every activity advertisers perform on their pages.
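A web page owner can audit their own pages in the same spirit as the monitoring described above: type a test address into the form, record the network requests, and look for the address in traffic to other hosts before anything is submitted. The following is an added example, not the researchers' program and not code from the original article; the host names, the captured requests and the set of encodings checked are constructed assumptions.

```javascript
// Constructed sample: requests recorded while a test address was typed into a
// login form. `t` is milliseconds since page load; every host is made up.
const TEST_EMAIL = "leaktest+01@example.org";
const PAGE_HOST = "shop.example.com";
const SUBMIT_TIME = 9000; // moment the submit button was clicked (constructed)

const capturedRequests = [
  { t: 1200, url: "https://shop.example.com/static/app.js", body: "" },
  { t: 4300, url: "https://collect.adtech.example/p?e=leaktest%2B01%40example.org", body: "" },
  { t: 4800, url: "https://pixel.tracker.example/i", body: JSON.stringify({ id: btoa(TEST_EMAIL) }) },
  { t: 5100, url: "https://cdn.fonts.example/font.woff2", body: "" },
  { t: 9050, url: "https://shop.example.com/login", body: "email=leaktest%2B01%40example.org" },
  { t: 9100, url: "https://collect.adtech.example/p?e=leaktest%2B01%40example.org", body: "" },
];

// Forms in which the address may appear on the wire (assumed set, not exhaustive).
function emailVariants(email) {
  return {
    plain: email,
    urlencoded: encodeURIComponent(email),
    base64: btoa(email),
  };
}

// Simplification: first party means the page host itself or one of its subdomains.
function isThirdParty(requestHost, pageHost) {
  return requestHost !== pageHost && !requestHost.endsWith("." + pageHost);
}

// Return the requests that carried the address to a third party before submit.
function findPreSubmitLeaks(requests, email, pageHost, submitTime) {
  const variants = Object.entries(emailVariants(email));
  const leaks = [];
  for (const req of requests) {
    if (req.t >= submitTime) continue; // only traffic sent before the click
    const host = new URL(req.url).hostname;
    if (!isThirdParty(host, pageHost)) continue;
    const haystack = req.url + "\n" + req.body;
    const hit = variants.find(([, value]) => haystack.includes(value));
    if (hit) leaks.push({ host, encoding: hit[0], t: req.t });
  }
  return leaks;
}

console.log(findPreSubmitLeaks(capturedRequests, TEST_EMAIL, PAGE_HOST, SUBMIT_TIME));
```

On the constructed capture this reports the two third-party requests sent while the address was being typed, and ignores both the site's own login request and the tracker request sent after the click.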
Is it possible to prevent leaking email addresses and other personal data?
Yes, it is possible to considerably restrict or even prevent data collection. A simple and easy way to protect yourself is to use a web browser that has good privacy features. This means moving away from browsers like Google Chrome and Microsoft Edge, and making Brave, Vivaldi, or Librefox the default browser on a computer. On a mobile device, DuckDuckGo, Qwant and Vivaldi are safe choices.
One step further is to use multiple privacy-focused browsers so that each browser has its own dedicated tasks. For instance, one browser is dedicated to banking, email, calendar, and other services that deal with sensitive information. Another browser is for social media access.
Despite the EU's GDPR regulation, some web sites continue collecting user data without consent. These businesses are taking a considerable risk.