This study addresses the legal and privacy implications of third-party keyboard event monitoring on websites, a pervasive yet underexamined tracking technique. Method: We systematically apply U.S. federal and California wiretapping statutes to web-based keyboard interception, conducting a large-scale measurement across over one million websites via instrumented browsers to identify JavaScript listeners that satisfy the statutory definition of “electronic communication interception” and exfiltrate keystroke data. Results: We find that 38.52% of sites deploy third-party keyboard listeners; among these, 3.18% explicitly transmit sensitive user inputs—such as email addresses—to external servers, constituting probable unlawful interception under existing wiretapping law. This work not only exposes significant legal risks inherent in modern tracking practices but also establishes, for the first time, a verifiable, legally grounded mapping between web tracking behaviors and anti-wiretapping statutes—providing empirical foundations and a methodological framework for interdisciplinary regulation and technical governance.

The privacy community has a long track record of investigating emerging types of web tracking techniques. Recent work has focused on compliance of web trackers with new privacy laws such as Europe's GDPR and California's CCPA. Despite the growing body of research documenting widespread lack of compliance with new privacy laws, there is a lack of robust enforcement. Different from prior work, we conduct a tech-law analysis to map decades-old U.S. laws about interception of electronic communications--so-called wiretapping--to web tracking. Bridging the tech-law gap for older wiretapping laws is important and timely because, in cases where legal harm to privacy is proven, they can provide statutory private right of action, are at the forefront of recent privacy enforcement, and could ultimately lead to a meaningful change in the web tracking landscape. In this paper, we focus on a particularly invasive tracking technique: the use of JavaScript event listeners by third-party trackers for real-time keystroke interception on websites. We use an instrumented web browser to crawl a sample of the top-million websites to investigate the use of event listeners that aligns with the criteria for wiretapping, according to U.S. wiretapping law at the federal level and in California. We find evidence that 38.52% websites installed third-party event listeners to intercept keystrokes, and that at least 3.18% websites transmitted intercepted information to a third-party server, which aligns with the criteria for wiretapping. We further find evidence that the intercepted information such as email addresses typed into form fields are used for unsolicited email marketing. Beyond our work that maps the intersection between technical measurement and U.S. wiretapping law, additional future legal research is required to determine when the wiretapping observed in our paper passes the threshold for illegality.