By Source Defense
It’s a scenario we’ve all experienced: You’re filling out an online form to obtain some sort of product, service, or information, and suddenly you have second thoughts. It doesn’t matter why, but you’ve decided you no longer want to go through with the transaction. So you close your browser before you hit the submit button. You breathe a sigh of relief.
Surprise! It’s now increasingly likely that the data you were inputting could have been captured without your permission. In the best case scenario, the website you were on or one of its many third-party digital partners quite possibly collected some or all of the data you entered into the form even though you never hit the submit button. In the worst case, cybercriminals may have stolen your data right at the point of input. For the user, this is a privacy nightmare. But for the website business owner and their Governance, Risk, and Compliance counterparts, this is a compliance nightmare that could have staggering consequences for the future of the business.
Researchers from KU Leuven, Radboud University, and the University of Lausanne crawled and analyzed 100,000 top websites and found 1,844 of them gathered email addresses from EU users without their consent. A staggering 2,950 of these websites logged emails from U.S. visitors. Many of the sites studied did not appear to conduct the data-logging independently but incorporated third-party marketing and analytics services that actively conducted the form scraping.
Providing information through a web form by pressing the submit button generally indicates the user has consented to provide that information for a specific purpose. But web pages that run JavaScript code can be programmed to respond to events before a user presses a form’s submit button.
If this sounds like what a data thief might do, that’s because the behavior is similar to so-called keyloggers or data skimmers – typically malicious programs that log everything a visitor types into a web form. Some of the sites studied by the researchers logged data keystroke by keystroke, but many grabbed complete submissions from one field when users clicked to the next.
GDPR Implications
Since the introduction of the European Union’s General Data Protection Regulation (GDPR), most mainstream websites have started to show dialogs to get users’ consent for personal data processing. The acceptance or refusal to give consent may affect how the website and the third parties may collect, process, and share users’ personal data. But the research to date on this issue paints a different picture.
“While one expects less tracking and data collection when refusing to give consent, prior research showed that in certain cases, the opposite may be true,” states the research report from Leuven, Radboud, and Lausanne. The research states that websites are more likely to use sophisticated tracking techniques such as ID syncing and fingerprinting when users reject cookies.
GDPR applies when personal data are processed. Personal data are defined broadly in the GDPR to mean any information related to an identifiable person is personal data (Article 4.1). For example, an email address, an IP address, a tracking cookie, an identification number, and an ‘online identifier’ are almost always personal data. But even hashed or encrypted email addresses are generally personal data, as far as they contain a unique identifier that can be linked to a person.
So, when website owners or third parties exfiltrate an email address, they process personal data, and the GDPR applies. An organization that processes personal data is considered a ‘controller’ in GDPR parlance. The ‘controller’ is responsible for complying with the GDPR and can be fined for noncompliance. In the case of email exfiltration, the website owner and the third party are considered ‘joint controllers’ and are both accountable under GDPR.
The GDPR has six overarching principles that website owners and their digital supply chain partners must abide by when processing the personal data of EU citizens:
- Personal data must be processed fairly and transparently (Article 5).
- The controller must provide comprehensive information about what it does with personal data in an intelligible and easily accessible form, using clear and plain language (Article 11).
- GDPR requires detailed information about the processing purposes and the recipients of the personal data (Articles 13 and 14).
- Controllers can provide such information in a privacy notice.
- Controllers can only collect personal data if they specify a clear purpose in advance. And the controller is not allowed to use the data for ‘incompatible’ new other purposes (Article 6(1)(b)).
- The controller always needs a legal basis to process personal data (Article 6).
Protect Your Brand & Profit Margin
According to a Source Defense survey on web trust, an overwhelming majority of consumers have real concerns about filling out online forms, with 93% of respondents indicating that they were concerned about data security when filling out forms. And 91% of respondents said that companies who ask customers to complete online forms are responsible for protecting their personal information. Your clients have an expectation that you will care for their data – both in securing the data from breach (i.e. protecting it from a cybercriminal) as well as (and even potentially more so) ensuring that their data won’t be scraped by your partners for future use.
The consequences of failing to protect customer data are severe. Half of the survey respondents (49%) said they would cut ties with that organization and never do business with them again if there were a data breach…we didn’t ask at the point we took the survey about the data scraping issue but we’re willing to bet the percentage goes up.
Protecting data at the point of input is both a data privacy compliance and security concern. On the data privacy side of things, you have a responsibility to monitor and control the behavior of the partners you let into your website code/interact with your users. On the security side of things, you need to understand that client-side attacks have been around for years, but they remain a blind spot for many organizations. Every client-side web attack is different, but they all rely on the fact that the attackers can gain access to the browser of the customer who is visiting the website and can steal the customer’s personal and financial information in real-time. These attacks are accelerating at an alarming rate, with a client-side attack occurring every 39 seconds.
Organizations that ignore this increasing data privacy compliance and cyber risk can face exorbitant fines, legal costs, reputation damage, and drops in stock valuation. GDPR is increasingly enforcing noncompliance with hefty and material fines. Lawsuits and class-action lawsuits are also common following both data leakage and data breach incidents. Legal fees aside, companies often incur additional fees in settlements. Remember that in 2013, the Target data breach cost the company nearly $300 million in settlements and legal fees.
6 Things You Can Do Right Now
- Implement a control system capable of identifying and controlling all 3rd party JavaScript on your web pages. You need complete visibility into the 3rd party digital supply chain, knowing how your partners are, verifying their purpose, controlling their actions based on your data privacy compliance requirements. It is critical to control the access of all 3rd party JavaScript on your web pages; therefore, ensuring the control system can identify and control each external JavaScript is crucial to the process.
- Make sure JavaScript coming from first-, second-, third-, or fourth-tier supply chain partners are monitored and managed by the system.
- Ensure the “whitelisted” 3rd parties cannot bypass the applied security policies. Some access policy platforms will use easily bypassed methods to limit 3rd party access, such as CSP/SRI or JavaScript Proxying. These are easily bypassed and are considered ineffective.
- Ensure security controls remain effective even if 3rd party resources change. Third-party code changes rapidly and is often generated dynamically.
- Implement security controls that protect the entire duration of a visitor’s session. Auditing and inventorying known 3rd party resources are ineffective as additional resources can be called into a session anytime, from moments after page load to minutes or even hours later.
- Ensure controls implemented do not themselves introduce additional vulnerability. Security controls introduced to address 3rd party risk may present some risks themselves.
Request a Demo to learn more about how Source Defense can help you mitigate a material risk to your organization, keep your partners from overreaching and defend your enterprise from Client-Side Attacks.
Source Defense is a mission critical element of web security. It is a data privacy compliance and security solution that protects sensitive user data collected on websites from data leakage or theft by extending security to the client-side. Source Defense is the market leader in Client-side Security for websites, providing real-time threat detection, protection, and prevention of vulnerabilities originating in JavaScript. Source Defense’s patented Website Client-side Security Platform offers the most comprehensive & complete solution addressing threats and risks from the increased usage of JavaScript, libraries, and open source in websites today.
PCI DSS 4.0 makes client-side security a priority.
Source Defense delivers a solution for 6.4.3 and 11.6.1 without adding a burden to your security teams.
