Marketing companies have been accused of using built-in browser autofill features to learn the email addresses of, and potentially identify, web users, according to research published last week.
Browsers such as Chrome, Firefox, Safari, Edge and Vivaldi have autofill features that allow them to save your email address when you access a website. Password managers have also been targeted.
However, according to researchers at Princeton University, marketers and others could be tapping this feature as a surreptitious means of gleaning website visitors' email addresses, potentially linking anonymous web surfers with accounts in marketing and other databases.
The researchers identified two marketing companies that they say have been using this tactic to prey on internet users - in contravention of European Union data protection laws. They estimate that at least 1,100 sites have used this technique to access private and confidential data.
Security concerns around autofill technology has been raised in the past, but it's the first time researchers have linked the feature to web tracking for marketing and other purposes.
The marketing firms, they add, haven't been stealing password data, but have been using the feature to identify the digital signature of email addresses.
Adthink and Audience are the two marketing firms identified by the researchers. Both are based in Europe and, although the researchers weren't able to identify the use cases of the data, the technique will almost certainly arouse the interest of data protection officers in their home countries.
Princeton researcher Gunes Acar suggested that "hashed email addresses" can be used as "persistent identifiers" and enable the companies to more accurately track users, even if they regularly clear cookies or switch devices.
An email address is invariably tied to a whole trail of digital footprints whenever it is used for website or internet service sign-ups. All that information can be gold for marketing firms looking to target particular people or groups of people.
While the researchers don't have a clear idea of what the firms are using the data for, there is evidence that suggests that Adthink could be collecting this information for identifying gender and nationalities.
Neither companies have commented on the situation, but an Adthink-owned website states: "We do not collect any personal information. We do not know who you are. We do not know your residential address, your email address, your phone number or any other personally identifiable information about you."
Acar added: "This is one of the problems with online tracking: it's an opaque process, especially once the data is collected from the users' computers.
"It's hard to be certain about the exact use of the data without looking into server side processing and data transfers."
Home Office faces investigation into police database with 20-million mugshots ruled unlawful six years ago
Database contains millions of images of people who haven't even been charged
Google boss Sundar Pichai claims that AI will be "more profound" for humanity than fire or electricity
Who needs fire when you've got "your plastic pal who's fun to be with"?
Torvalds takes a break from his weekend yoga session to indulge in a spot of primal scream therapy
Lancashire Constabulary becomes the first police force to use Amazon Alexa to communicate with the public