NaviStone is an Ohio-based startup that advertises itself as a service to unmask anonymous website visitors and find out their home addresses.
There are at least 100 websites that are using NaviStone’s code, according to BuiltWith, a service that tells you what tech sites employ.
Gizmodo tested dozens of those websites and found that majority of sites captured visitors’ email addresses only, but some websites also captured their personal information, like home addresses and other typed or auto-filled information.
How Websites Collect ‘Data’ Before Submitting Web Forms
Using JavaScript, the websites in question were sending user’s typed or auto-filled information of an online form to a server at “murdoog.com,” which is owned by NaviStone, leaving no option for people who immediately change their minds and close the page.
When the publication asked NaviStone that how it unmasks anonymous website visitors, the company denied revealing anything, saying that “its technology is proprietary and awaiting a patent.”
However, when asked whether email addresses are gathered in order to identify the person and their home addresses, the company’s chief operating officer Allen Abbott said NaviStone does not “use email addresses in any way to link with postal addresses or any other form of PII [Personal Identifiable Information].”
“Rather than use email addresses to generate advertising communications, we actually use the presence of an email address as a suppression factor, since it indicates that email, and not direct mail, is their preferred method of receiving advertising messages,” Abbott said.
“Three sites—hardware site Rockler.com, gift site CollectionsEtc.com, and clothing site BostonProper.com—sent us emails about items we’d left in our shopping carts using the email addresses we’d typed onto the site but had not formally submitted,” Gizmodo writes.
After the story had gone live, NaviStone agreed to no longer collect email addresses from visitors this way, as Abbott said, “While we believe our technology has been appropriately used, we have decided to change the system operation such that email addresses are not captured until the visitor hits the ‘submit’ button.”
Disable Auto-Fill; It’s Leaking Your Information!
In order to protect yourself from such websites collecting your data without your consent, you should consider disabling auto-fill form feature, which is turned on by default, in your browser, password manager or extension settings.
At the beginning this year, we also warned you about the Auto-fill feature, which automatically fills out web form based on data you have previously entered in similar fields but can be misused by attackers hiding fields (out of sight) in the web form and stealing your personal information without your knowledge.
Here’s how to turn this feature off in Chrome:
Go to Settings → Show Advanced Settings at the bottom, and under the Passwords and Forms section uncheck Enable Autofill box to fill out web forms with a single click.
In Opera, go to Settings → Autofill and turn it off.
In Safari, go to Preferences and click on AutoFill to turn it off.