Study: Taboola collects emails without user consent

Online forms Credit: Shutterstock
Online forms Credit: Shutterstock

The Israeli content recommendation company denies the charges made in research by European universities.

Filling in online forms, such as for a hotel booking or price quote for a car are routine and the forms are often discarded when we decide to go for an alternative deal. Users assume that the information on the form remains private.

However, new research by Switzerland's University of Lausanne, Netherland's Radboud University and the University of Leuven in Belgium has found that not only is the information collected from registration forms that are not completed but there is also an Israeli angle to the subject. The research was published earlier this month University of Leuven's website and will be presented in August at the Usenix security conference in the US.

"Violation of privacy laws in Europe, the US and Israel"

According to the European research, Israeli content recommendation company Taboola (Nasdaq: TBLA) is one of the leading companies that collects personal information from online forms in ads, even before users press the send button, which in practice denotes consent to collecting the information. Among the websites in which information was leaked to Taboola was US Today, the Independent and Business Insider.

In addition to Taboola, others that collect email information without explicit approval include Meta, Adobe, and Live Ramp. Russian company Yandex was also included in the research as the only company that collects emails as well as passwords.

One of the writers of the research, Asuman Senol of the University of Leuven, told "Globes" that they had not expected such remarkable results in which thousands of sites were collecting user details without approval. The research was initiated after it was revealed that user details had leaked from users on online mortgage accounts in the US.

Senol said, "We can't know why Taboola deals with this type of tracking but it is the biggest company and email addresses represent the strongest identification factor for tracking users between websites and devices."

Taboola sends data to the server in a stacked way, a mixed way that prevents its identification. Senol added, "In a further analysis, we found that many of the websites in which we found leaks from the web to Taboola, began using consent banners, which prevent any communication of users with the site before giving consent. This significantly reduced the number of leaks to Taboola."

Excluding exceptional cases, the collection of identifying information about users without their conscious consent to the way it is gathered, the purpose or identity of the collector, constitutes a violation of privacy law," Adv. Oshrit Aviv, an expert in technology and privacy law, who works in the digital ad industry in Europe, told "Globes," "and that is without mentioning computer laws on the Internet and spam laws in various countries. The act of stacking does not remedy the situation, as the collection itself is prohibited in the first place in the way it is done, and because those who have the source values, can easily learn about the identity of the users - despite the stacking."

All means are allowed for collecting personal information

To check which companies were implementing the collection of personal details and on what scale, the researchers built an investigative program that examines the collection of data on the 100,000 largest websites, focusing on online forms within ads. These forms encourage users to put in their details in order to receive special offers or price quotes for various products and services.

Even though only pressing the send button after filling in the form, telephone number or email address represents agreement by the customer to having their details sent, the Java script code on the form means that orders can be implemented even before the form is completed and sent.

Tracking user behavior on the web by moving the cursor on the screen, typing letters and words, browsing a site and scrolling up and down, are acceptable practices among companies tracking users, and is done, among other things, by using software or is embedded in the code. Israeli software in the past in this fields included Clicktale, which was acquired by a French company.

Targeted advertising directly to email boxes is considered one of the most effective areas of advertising, so getting users' email addresses has become especially popular for many companies. Moreover, an email address has become an alternative among more and more digital marketing companies for software cookies - a type of code that identifies the user across various applications and sites - which is installed by apps and advertising software fighting, ostensibly, Apple, Google and Mozilla.

Europe plans restricting data collection

Europe currently plans significantly restricting the ability of digital advertising companies to collect details of users and share them with new sites and other advertisers, which would restrict the power of companies like Taboola and Meta. Some in the EU even want programmed advertising to be made illegal.

This research is likely to harm companies like Taboola and a long list of digital advertising companies, some of which are Israeli. "Unfortunately, this case is easily connected to a series of cases that plays into the hands of the EU in its efforts to eradicate the phenomenon of online advertising and the 'digital spying' that accompanies it," says Adv. Aviv. "It's a shame, because it undermines the industry's attempts to act in a transparent and law-abiding manner.

"For some years the EU has been campaigning against the digital ad giants and practice of programmed advertising, which has included a range of fines amounting to €1.65 billion for infringing European privacy laws. As somebody who works a great deal with the EU, I can tell you how serious this campaign is and how every additional revelation of the practice of the greed for collecting information provides material for future aggressive legislation."

Taboola: We don't collect information without consent

Taboola said in response, "The company fully complies with the European GDPR privacy regulations and is committed to the privacy and transparency of its customers, users and partners.

"We stress that when we receive the 'non-agreement' from users, we do not collect information at all. When we receive agreement from users who actively provide their mail, we collect the email address in a stacked way so that the company does not hold or keep any personal information of users anywhere in our records.

"Following the enquiry, we checked out the possibility that we had collected stacked emails without consent, and even though no data was found to support this - to be on the safe side we have anyway taken steps to correct the possibility that stacked emails were collected."

Full disclosure: "Globes" has a commercial relationship with Taboola

Published by Globes, Israel business news - - on May 29, 2022.

© Copyright of Globes Publisher Itonut (1983) Ltd., 2022.

Online forms Credit: Shutterstock
Online forms Credit: Shutterstock
Twitter Facebook Linkedin RSS Newsletters גלובס Israel Business Conference 2018