Proceedings on Privacy Enhancing Technologies

Open Access

Are You Sure You Want to Contact Us? Quantifying the Leakage of PII via Website Contact Forms

Oleksii Starov (Department of Computer Science, Stony Brook University)
Phillipa Gill (Department of Computer Science, Stony Brook University)
Nick Nikiforakis (Department of Computer Science, Stony Brook University)
Published Online: 2015-09-08 | DOI: https://doi.org/10.1515/popets-2015-0028


The majority of commercial websites provide users the ability to contact them via dedicated contact pages. In these pages, users are typically requested to provide their names, email addresses, and reason for contacting the website. This effectively makes contact pages a gateway from being anonymous or pseudonymous, i.e., identified via stateful and stateless identifiers, to being eponymous. As such, the environment where users provide their personally identifiable information (PII) has to be trusted and free from intentional and unintentional information leaks. In this paper, we report on the first large-scale study of PII leakage via the contact pages of the 100,000 most popular sites of the web. We develop a reliable methodology for identifying and interacting with contact forms, as well as techniques that allow us to discover the leakage of PII towards third parties, even when that information is obfuscated. Using these methods, we witness the leakage of PII towards third parties in a wide range of ways, including leakage through third-party form submissions, third-party scripts that collect PII from a first-party page, and unintended leakage through the browser's Referer header. To give users back control over their PII, we design and develop Formlock, a browser extension that warns the user when contact forms use PII-leaking practices and provides the ability to comprehensively lock down a form so that a user's details cannot be leaked to third parties, either accidentally or intentionally.

Keywords: privacy; tracking; Personally Identifiable Information; HTTP Referer

Received: 2015-04-15

Revised: 2015-07-15

Accepted: 2015-07-15

Published in Print: 2016-01-01

Citation Information: Proceedings on Privacy Enhancing Technologies. Volume 2016, Issue 1, Pages 20–33, ISSN (Online) 2299-0984, DOI: https://doi.org/10.1515/popets-2015-0028, September 2015

© 2015. This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 3.0 License. (CC BY-NC-ND 3.0)