These Forms Collect Your Data Even If You Don’t Hit “Submit”

If you fill in a web form and hit “submit,” you expect your data to get whisked off into the great ether, and probably from there to be shared with third parties. But you probably don’t expect your keystrokes — and form auto-fill fields — to be captured and sent away as-entered, before you hit submit. And yet, a new report claims, that may be exactly what’s happening.

Gizmodo recently delved into a startup you’ve never heard of that may be sharing data — even sensitive medical data — that you never even knew you were giving up, just based on how you fill in fields on the web.

It started out with a dive into a company called Acurian Health, which recruits participants for clinical drug trials.

The company, Gizmodo writes, has targeted individuals with freakish accuracy based on internet activity users would have thought to be anonymous. One particularly troubling example was a family that received a letter for their young son from Acurian “accurately identifying his medical condition and soliciting him for a drug trial.”

Acurian says it uses “powerful guesswork,” based on mining publicly available data and “lifestyle data” purchased from data brokers.

Among that data, however, turns out to be information purchased from a startup that promises customers it can pinpoint-identify anonymous website visitors to help harvest their identities even if they don’t submit contact information or consent to having it shared.

The company, NaviStone, says it specializes in matching up “anonymous website visitors to postal names and addresses.” In other words, tracing back your digital presence until your physical presence can be found, identified, and marketed to.

NaviStone manages this by taking information you entered in certain web form fields — like, say, email or phone number — and capturing it at the instant of entry, Gizmodo explains. That way even if you change your mind and never hit “submit,” close the tab, and walk away, some part of your data gets collected.

As Gizmodo continues to explain, this is some scary stuff, particualrly when put together with data from mega pharmacy chain Walgreens. But the problem doesn’t stop with medical data.

Because Gizmodo kept investigating, and found at least 100 sites using NaviStone’s code.

Of the dozens of sites it reviewed, only one actually mentioned this in its privacy policy, Gizmodo reports. That site, gardeners.com, included a clause stating, “Information you enter is collected even if you cancel or do not complete an order.” Every other site only mentioned standard tracking technologies, like beacons, cookies, and pixels, which are a different sort of mechanism entirely.

NaviStone did not explain to Gizmodo the particulars of how it works, saying that its technology is proprietary and the company is still awaiting a patent. The company’s chief operating officer only told Gizmodo that its main purpose is to boost other businesses’ direct mail efforts, since if a consumer does actually go through with submitting an email address, that indicates they’d prefer digital contact anyway.

Gizmodo’s reporters, though, tested out the code for themselves, pretending to shop on some sites that used it. In several instances, they received emails about abandoned carts — even though they’d never actually submitted email addresses, only entered them.

“Although Gizmodo was able to see the email address information being sent to Navistone,,” they report, “the company said that it was not responsible for those emails.”

NaviStone, however, apparently doesn’t like being caught. The company told Gizmodo that as a result of the report, it would no longer collect data in this exact way.

Gizmodo also provides a handy tutorial if you want to delve a little bit into your browser’s guts and see how this information-scraping works. Just, uh, maybe don’t use your real contact info to try it out.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.