Skip to Main Content.

Addressing a Threat to Personal Data Privacy

Spell-jacking – a new word emerging from the tech world. Learn its meaning and what can be done to protect personal data privacy. We use convenient third-party features on websites that can expose highly sensitive information about us without our even suspecting this is happening.

When we use spellcheck on a website, this can send the entire form we are working on to “the cloud.” The information is in flight and can be shared (or hacked) in unexpected ways. A September 2022 study by otto-js, a JavaScript security firm, found that the vast majority of enterprise websites send data with Personal Identifying Information (PII) back to Google or Microsoft when users access Chrome Enhanced Spellcheck or Microsoft Edge Editor. This can release passwords, Social Security numbers, and other personal information users would not approve. Through enabled features that are convenient for users (such as spellcheck or “show my password”), personal data is being shared in ways individuals did not expressly approve and would avoid if they could.

Otto-js co-founders Maggie Louie and Josh Summitt tell how this problem was discovered and share how risks can be mitigated. While legitimate enterprises have no interest in releasing PII to mal-actors, spell-jacking as such is currently unregulated or under-regulated. Learn how industry and regulators are addressing this issue – and what consumers can do about it to protect their own personal privacy. Helpful guides for developers and consumers are available on the otto-js website.

If you have ideas for more interviews or stories, please email


Privacy & Data Security Weekly Update

Need more Data Privacy updates?

Privacy and Data Security Weekly Update

Three things that happened recently. Three things you want to know. Three things moving forward. Delivered to your inbox weekly.

Newsletter Sign Up