0

I believe that if one delivers a keylogger by say email and use it to extract data entered into text boxes without the users knowledge or consent on a web site then that is illegal. If the same is done with javascript deployed on the web site is that legal?

Many web sites use "replay scripts" which are designed to record keystrokes, mouse movements, scrolling behavior, other forms of interaction, and webpage contents in order to send that data to marketing firms for analysis. From a 2017 paper this is the sort of data collected (note this is all without clicking a "submit" button, just filling in text boxes):

Summary of the automated redaction features for form inputs enabled by default from each company Filled circle: Data is excluded; Half-filled circle: equivalent length masking; Empty circle: Data is sent in the clear

This redaction is far from perfect. For example, FullStory redacts credit card fields with the autocomplete attribute set to cc-number, but will collect any credit card numbers included in forms without this attribute. This data is sent to marketing and analytics domains before form submission and without the user giving consent.

Is this legal? As far as jurisdiction is concerned, any would be interesting as this is kind of global.

Improve this question
4
  • I am not sure if it is a technical misconception going on here. A web page has per se access to all the data entered into forms on that web page, wether it is using a key logger or by all other means being available to a web page. You don't need a key logger to have access to the data even without the user clicking a submit button.
    – jarnbjo
    Commented May 16, 2022 at 9:07
  • 1
    A pure html form will not provide the data entered in text fields to the server until the submit button is pressed. The javascript of these libraries does exactly that.
    – User65535
    Commented May 16, 2022 at 9:08
  • Good luck finding a web page still using pure HTML forms. Almost all web pages in common use are rich applications, with lots of additional functionality beyond what pure HTML offers. Even without an explicitely embedded key tracker, you must expect that the data you enter can be sent to the server for other purposes before you actively submit anything, be it for validation, autocomplete or any other reason.
    – jarnbjo
    Commented May 16, 2022 at 10:47
  • @jarnbjo That is pretty much what the articles/papers are saying (except the reason is explicitly marketing/data collection because of who the data is sent to), and this question is if it is legal.
    – User65535
    Commented May 16, 2022 at 12:19

1 Answer 1

Reset to default
2

From the perspective this is potentially fine, from the perspective probably not.

For a violation, it would be necessary to show that authorization was exceeded. But the user has implicitly authorized the website to run JavaScript in the browser, and the user has willingly entered information into the website.

In the US context, it might be more interesting that such scripts could be a PCI-DSS violation on pages that process credit card information, but that is a contractual/civil and not a criminal issue.

If the website is in scope of the /CPRA or similar state-level privacy laws, further limitations might apply.

In the and context, things are very different.

  • Per , collection of personal data is permissible e.g. when it is necessary for a legitimate interest which outweighs the data subject's interests. In some cases, collection of data for analytics purposes might be covered by this. But since most users would not reasonably expect keystroke capturing or similarly invasive tracking, it would be difficult to show that the legitimate interest actually outweighs the data subject's rights and interests. On that basis alone, use of such techniques would likely require consent, that is: an informed and freely given unambiguous opt-in decision by the user. Consent is never the default.

  • But the GDPR is not the most relevant law at play. Instead, the ePrivacy directive (and its implementation PECR in the UK) prohibts access to information stored on the end user's device unless either this access is strictly necessary for a service explicitly requested by the user, or if the user gave consent. Per common interpretation, keylogging is access to information stored on the device. Such invasive tracking is not strictly necessary to deliver the website. Thus, ePrivacy effectively requires consent in this context.

So in an UK/EU context, such trackers/keyloggers would only be lawful with consent. The GDPR's definition of consent which applies here is a fairly high bar to clear – a mere notification of the sort “by using this site you consent to XXX” is not valid. To make an informed decision, the user must first be able to understand what data will be collected for which purposes. Consent must be specific for a purpose, so consent e.g. for ad personalization likely cannot be bundled together with consent for keystroke/mouse logging. A potentially compliant way to use such tracking could be to invite some users into a focus group, and to only load the invasive tracking code after the user has explicitly given informed consent.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .