Researchers from UC Davis, Maastricht University, and other institutions have uncovered widespread silent keystroke interception across websites, revealing that many sites collect user typing data before forms are ever submitted. The study examined how third-party scripts capture and share information in ways that may constitute wiretapping under California law.
Research methodology
The research team analyzed 15,000 websites using a custom web crawler and discovered alarming privacy practices. They found that 91 percent of sites used event listeners—JavaScript code that detects user actions like typing, clicking, or scrolling. While most event listeners serve basic functions, a significant portion monitor typing activities in real time.
Key findings revealed that 38.5 percent of websites had third-party scripts capable of intercepting keystrokes. More concerning, 3.18 percent of sites actually transmitted intercepted keystrokes to remote servers, behavior that researchers note matches the technical definition of wiretapping under California's Invasion of Privacy Act (CIPA).
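The listeners the study counts are ordinary `addEventListener` calls for typing events. As an added illustration (example code, not the researchers' crawler), the audit below wraps `addEventListener` so a site owner can see which scripts register typing listeners and whether they come from a different origin than the page; the first-party origin, the tracker URL in the comments, and the attribution-by-stack-trace heuristic are assumptions for the example.

```javascript
// Added example: page-side audit of typing-event listener registrations.
// Install on EventTarget.prototype before any other script runs (browser), or
// on a fresh EventTarget in Node >= 15, which exposes the same class.
const TYPING_EVENTS = new Set(['keydown', 'keyup', 'keypress', 'input', 'beforeinput']);

// Best-effort attribution: first http(s) URL in the stack trace of the
// addEventListener call, skipping the wrapper's own frame. 'unknown' when no
// URL is present (inline scripts, or Node in the self-test).
function sourceFromStack(stack) {
  const frames = (stack || '').split('\n').slice(2).join('\n');
  const m = frames.match(/https?:\/\/[^\s)]+/);
  return m ? m[0] : 'unknown';
}

// True when the registering script's origin differs from the first party's.
// Unparseable sources cannot be attributed and are not flagged.
function isThirdParty(source, firstPartyOrigin) {
  try {
    return new URL(source).origin !== new URL(firstPartyOrigin).origin;
  } catch (_) {
    return false;
  }
}

// Wrap addEventListener on the given prototype; every typing-event
// registration is appended to the returned log before being passed through.
function installTypingListenerAudit(proto, firstPartyOrigin) {
  const log = [];
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (TYPING_EVENTS.has(type)) {
      const source = sourceFromStack(new Error().stack);
      log.push({ type, source, thirdParty: isThirdParty(source, firstPartyOrigin), target: this });
    }
    return original.call(this, type, listener, options);
  };
  return log;
}

// Distinct third-party script URLs that registered a typing listener,
// e.g. ['https://cdn.tracker.example/replay.js'] (constructed value).
function thirdPartyTypingSources(log) {
  return [...new Set(log.filter((e) => e.thirdParty).map((e) => e.source))];
}
```

Entries whose `target` is an input or textarea and whose `thirdParty` flag is set are the ones worth reviewing against the vendor's contract and the site's consent flow.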
Data collection and privacy violations
The captured data included email addresses, phone numbers, and free text entered into forms. In documented cases, email addresses typed into forms were later used for unsolicited marketing emails, even when users never submitted the forms. Co-author Shaoor Munir emphasized that email addresses serve as stable identifiers, enabling cross-site tracking and data broker enrichment.
Legal implications
Legal implications center on CIPA's strict two-party consent requirement, unlike federal wiretapping laws requiring only one-party consent. The study provides evidence that some tracking practices could qualify as wiretapping, potentially enabling private lawsuits since enforcement doesn't rely solely on government action.
Privacy risks and recommendations
Privacy risks extend beyond legal compliance. Users have minimal control over data once it leaves their browsers, with sensitive information collected and shared without disclosure. Munir highlighted scenarios where users type private information then delete it without submitting, unaware that data was still captured and transmitted to third parties.
This practice violates user expectations on two levels: that only the first-party website accesses the information users provide, and that only submitted information reaches third parties. For organizations, the erosion of customer trust when users discover silent keystroke capture poses a significant risk.
The researchers recommend regulatory clarity, treating embedded analytics and session-replay vendors as third parties unless users expressly consent. They also advocate updating federal consent requirements to mirror CIPA's two-party protection standards, ensuring nationwide user privacy protection.