You Shall Not Register! Detecting Privacy Leaks Across Registration Forms

Most of the modern web services offer their users the ability to be registered on them via dedicated registration pages. Most of the times, they use this method so the users can profit by accessing more content or privileged items. In these pages, users are typically requested to provide their names, email addresses, phone numbers and other personal information in order to create an account. As the purpose of the tracking ecosystem is to collect as many information and data from the user, this kind of Personally Identifiable Information (PII) might leak on the 3rd-Parties, when the users fill in the registration forms. In this work, we conduct a large-scale measurement analysis of the PII leakage via registration pages of the 200,000 most popular websites. We design and implement a scalable and easily replicable methodology, for detecting and filling registration forms in an automated way. Our analysis shows that a number of websites (≈≈5%) leak PIIs to 3rd-Party trackers without any user’s consent, in a non-transparent fashion. Furthermore, we explore the techniques employed by 3rd-Parties in order to harvest user’s data, and we highlight the implications on user’s privacy.