Every Keystroke You Make: A Tech-Law Measurement and Analysis of Event Listeners for Wiretapping

TL;DR

This paper investigates the use of JavaScript event listeners on websites to intercept keystrokes, analyzing their legal implications under U.S. wiretapping laws and revealing significant privacy risks and potential legal violations.

Contribution

It bridges the gap between technical measurement of web tracking and legal analysis of wiretapping laws, highlighting invasive tracking practices and their legal relevance.

Findings

38.52% websites installed keystroke interception event listeners

At least 3.18% transmitted intercepted data to third parties

Intercepted data used for unsolicited email marketing

Abstract

The privacy community has a long track record of investigating emerging types of web tracking techniques. Recent work has focused on compliance of web trackers with new privacy laws such as Europe's GDPR and California's CCPA. Despite the growing body of research documenting widespread lack of compliance with new privacy laws, there is a lack of robust enforcement. Different from prior work, we conduct a tech-law analysis to map decades-old U.S. laws about interception of electronic communications--so-called wiretapping--to web tracking. Bridging the tech-law gap for older wiretapping laws is important and timely because, in cases where legal harm to privacy is proven, they can provide statutory private right of action, are at the forefront of recent privacy enforcement, and could ultimately lead to a meaningful change in the web tracking landscape. In this paper, we focus on a particularly invasive tracking technique: the use of JavaScript event listeners by third-party trackers for real-time keystroke interception on websites. We use an instrumented web browser to crawl a sample of the top-million websites to investigate the use of event listeners that aligns with the criteria for wiretapping, according to U.S. wiretapping law at the federal level and in California. We find evidence that 38.52% websites installed third-party event listeners to intercept keystrokes, and that at least 3.18% websites transmitted intercepted information to a third-party server, which aligns with the criteria for wiretapping. We further find evidence that the intercepted information such as email addresses typed into form fields are used for unsolicited email marketing. Beyond our work that maps the intersection between technical measurement and U.S. wiretapping law, additional future legal research is required to determine when the wiretapping observed in our paper passes the threshold for illegality.