
CIPA: Why Old Statutes May Be the Strongest Force of Web Privacy

By Karel Kubicek, Senior Privacy Researcher | January 8, 2026

Wiretapping

This post dives into the results of the influential preprint Every Keystroke You Make: A Tech-Law Measurement and Analysis of Event Listeners for Wiretapping [1], submitted to USENIX Security 2026, a security and privacy conference. While not yet peer-reviewed (the review decision comes in Jan 2026), it is already shaping discussions of how web tracking meets wiretapping law.

1. Why this matters now

Modern privacy regimes such as the GDPR and CCPA bring strong privacy requirements, yet their lack of robust enforcement limits compliance. By contrast, the California Invasion of Privacy Act (CIPA) and its federal version, the Electronic Communications Privacy Act (ECPA), grant private rights of action and statutory damages, the fuel for class actions. Recent rulings [2-6] show courts treating hidden website monitoring as potential “wiretapping.” The Every Keystroke You Make study [1] gives the first quantitative evidence that many websites install JavaScript event listeners that capture user keystrokes and transmit those inputs to third parties, behavior that aligns with the statutory elements of interception.

CIPA financial consequence

2. Conservative-by-design measurement (Sec. 3)

The authors engineered their methodology to avoid false positives: a site is counted only when it both (a) captures keystrokes or form text before submission and (b) sends that data to an external domain. While the authors refrain from passing legal judgment on these practices, the conservative design of the analysis means that any flagged instance is virtually a smoking gun for live interception. The California-based crawl of 15k sites thereby defines a credible lower bound on real-world violations.

3. Evidence of live interception (Sec. 4.3)

  • Prevalence: 91% of pages used event listeners; ≈ 49 per site on average, 81% installed by third-party scripts.
  • Confirmed wiretapping: 3.18% of sites captured and forwarded user inputs; 39% had the technical capability.
  • Actors: Analytics/adtech vendors dominate: Cloudflare Insights, Yandex Metrica, FullStory, AdThrive, Contentsquare (see Table 5 below).
  • Data types: Form text and email addresses typed but never submitted were most often exfiltrated; smaller shares included phone numbers, passwords, and URLs. Several intercepted emails later received marketing messages, an effect consistent with Senol et al. and other related studies [7-9].
  • Beyond event listeners: CIPA is not specific to any technology; the authors report 14.5% of websites collecting form inputs.
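The two-condition counting rule from Sec. 2 and the "confirmed" versus "technical capability" split above can be reproduced in a small audit script. This is an added example, not the paper's crawler: the trace format, field names and `.example` domains are constructed assumptions, and the last-two-labels domain rule is a simplification.

```javascript
// Added example: constructed traces and hypothetical field names; not the paper's tooling.
const KEY_EVENTS = new Set(["keydown", "keypress", "keyup"]);

// Simplification: treat the last two host labels as the registrable domain.
// A real audit should use the Public Suffix List instead.
function site(hostOrUrl) {
  const host = hostOrUrl.includes("://") ? new URL(hostOrUrl).hostname : hostOrUrl;
  return host.split(".").slice(-2).join(".");
}

// Readable forms the typed value may take inside a request (plain, URL-encoded, base64).
function encodings(value) {
  return [value, encodeURIComponent(value), Buffer.from(value).toString("base64")];
}

function classify(trace) {
  const firstParty = site(trace.site);
  // Capability: a key listener registered by a script served from another site.
  const capable = trace.listeners.some(
    (l) => KEY_EVENTS.has(l.event) && site(l.script) !== firstParty);
  const leaks = [];
  for (const t of trace.typed) {
    for (const r of trace.requests) {
      const beforeSubmit = trace.submitAt === null || r.at < trace.submitAt; // condition (a)
      const external = site(r.url) !== firstParty;                           // condition (b)
      const carried = encodings(t.value).some((e) => `${r.url}\n${r.body}`.includes(e));
      if (r.at >= t.at && beforeSubmit && external && carried) {
        leaks.push({ field: t.field, to: site(r.url) });
      }
    }
  }
  return { verdict: leaks.length ? "confirmed" : capable ? "capability" : "none", leaks };
}

// Constructed visit: a probe email is typed and the form is never submitted.
const leakyVisit = {
  site: "shop.example",
  listeners: [{ event: "keydown", script: "https://cdn.tracker.example/tag.js" }],
  typed: [{ field: "email", value: "probe+42@audit.example", at: 1000 }],
  submitAt: null,
  requests: [
    { at: 1500, url: "https://collect.tracker.example/e?v=probe%2B42%40audit.example", body: "" },
    { at: 1600, url: "https://shop.example/api/validate", body: "probe+42@audit.example" },
  ],
};
// Same page with only the first-party request: listener present, nothing forwarded.
const quietVisit = { ...leakyVisit, requests: leakyVisit.requests.slice(1) };

console.log(classify(leakyVisit), classify(quietVisit));
```

Using a unique probe value per visit, as in the constructed trace, keeps the substring match from firing on unrelated traffic.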

4. Mapping code to statute (App. C)

The paper’s legal framework links browser behaviors to statutory elements:

| Statutory element | Technical correlate |
| --- | --- |
| Interception “in transit” | Capture of keystrokes before form submission |
| Content of communication | Actual text typed by user |
| Third-party disclosure | Transmission to analytics/adtech domains |
| Consent | Consent must be prior, specific, and effective |
| All parties liable | First party liability despite vendor actions |

This mapping gives counsel a ready matrix for assessing risk, while showing marketers where tracking crosses into statutory danger zones.

5. Jurisdictional nuance

Although the crawl originated from California, it was not restricted to websites targeting California residents. Under Moody v. Textron [10], CIPA enforcement might be limited to communications involving California users only. Consequently, the highest exposure lies with consumer-facing sites marketing to Californians rather than B2B portals. Also, according to Williams v. DDR Media, LLC (2024) [11], extraction of processed (hashed) input values is not considered wiretapping.

These two small legal limitations do not diminish the value of the work.

6. Key takeaways (adapted from paper highlights)

Wiretapping law is the sleeping giant of privacy enforcement. Private rights of action make it a potent complement, or alternative, to GDPR and CCPA compliance.

Detected interceptions are definitive. Because the methodology errs on the side of omission, each positive finding represents a near-certain statutory interception.

Third-party scripts drive the risk. Most capture originates from embedded analytics or adtech vendors.

Email capture without submission is the clearest smoking gun. Marketers using such data risk both wiretapping liability and consent-based marketing violations.

Immediate steps: Audit vendor scripts; demand input masking; update privacy notices to disclose or bar keystroke capture [1].

Strategic outlook: Web compliance is no longer just about consent banners – it is about avoiding the label of interceptor. Old law has new teeth.

Table 5 – Top Domains Registering Event Listeners and Forwarding Data (Sec. 4.3)

| Domain | Known tracker % | Wiretapper identified % | Most used events | Data shared | Common scripts |
| --- | --- | --- | --- | --- | --- |
| cloudflareinsights.com | 8.49 | 0.10 | keydown | Form text | vcd*.js, beacon.min.js |
| doubleverify.com | 5.55 | 0.04 | keypress | Form text | dv-measurements*.js |
| vimeocdn.com | 3.00 | 0.01 | keydown | Form text, email | player.js |
| ad-score.com | 2.08 | 0.00 | keypress | | |
| yandex.ru | 1.75 | 0.80 | keydown, keyup | Form text, email, phone | tag.js |
| google.com | 1.35 | 0.60 | keydown, keypress | Form text | cse_element_*.js |
| userway.org | 1.23 | 0.01 | keydown, keyup | Form text | index.js |
| parsely.com | 1.07 | 0.00 | keydown, keyup | | |
| cloudfront.net | 1.00 | 0.15 | keydown | Form text, email, password | reviewsWidget.min.js |
| twitter.com | 0.97 | 0.00 | keydown | | |
| brandmetrics.com | 0.93 | 0.00 | keypress | | |
| unpkg.com | 0.93 | 0.01 | keydown, keyup | Form text | leaflet.js |
| gstatic.com | 0.83 | 0.03 | keydown, keyup | Form text | *.js |
| adthrive.com | 0.73 | 0.36 | keydown | Form text, email | adthrive.min.js |
| contentsquare.net | 0.68 | 0.09 | keydown | Form text, email | tag.js |
| mrf.io | 0.67 | 0.01 | keydown | Form text | marfeel-sdk.js |
| intercomcdn.com | 0.61 | 0.17 | keydown | Form text | frame-modern.js |
| heapanalytics.com | 0.61 | 0.00 | keydown, keyup | Form text | heap*.js |
| hsappstatic.net | 0.60 | 0.06 | keydown | Form text, email | embed.js |
| jsdelivr.net | 0.60 | 0.06 | keydown | Form text, email, phone | tag.js |
| fullstory.com | 0.59 | 0.10 | keydown, keyup | Form text, email, phone | fs.js |
| mediavine.com | 0.57 | 0.03 | keydown, keypress | Form text, email | wrapper.min.js |

Sources

  1. Shaoor Munir et al., Every Keystroke You Make: A Tech-Law Measurement and Analysis of Event Listeners for Wiretapping, arXiv:2508.19825 (2025). Preprint submitted to USENIX Security 2026 (review decision expected Jan. 2026).
  2. Greenley v. Kochava Inc., No. 3:22-cv-01327 (S.D. Cal. 2023).
  3. Javier v. Assurance IQ LLC, 78 F.4th 1302 (9th Cir. 2023) (holding that consent under California Penal Code § 631 must be secured prior to interception).
  4. In re Google Inc. Gmail Litigation, 2013 WL 5423918, at *12 (N.D. Cal. Sept. 26, 2013) (finding that generic privacy notices were insufficient at the pleading stage to establish consent).
  5. Popa v. Harriet Carter Gifts, Inc., 52 F.4th 121 (3d Cir. 2022) (interpreting analogous Pennsylvania wiretapping law and remanding for consideration of adequacy and timing of notice; subsequent district-court proceedings addressed implied consent based on posted notices).
  6. Saleh v. Nike, Inc.; Johnson v. Blue Apron, LLC; Smith v. LoanDepot.com, LLC (additional 2023–2024 California Invasion of Privacy Act cases cited in Appendix C of [1]).
  7. Asuman Şenol et al., Leaky Forms: A Study of Email and Password Exfiltration Before Form Submission, USENIX Security 2022 (finding that approximately 3% of websites extract private inputs such as email addresses prior to form submission).
  8. Karel Kubicek et al., Automating Website Registration for Studying GDPR Compliance, Proceedings of the ACM Web Conference 2024 (finding that approximately 2% of websites send “finish your registration” emails to users who did not complete registration).
  9. Manolis Chatzimpyrros, Konstantinos Solomos, and Sotiris Ioannidis, You Shall Not Register! Detecting Privacy Leaks Across Registration Forms, Springer, 2019 (reporting that approximately 0.03% of websites send emails without crawler form submission).
  10. Moody v. Textron Inc., No. 22-cv-09459 (C.D. Cal. 2024).
  11. Williams v. DDR Media, LLC et al., No. 3:22-cv-03789 (N.D. Cal. 2023).