by hvdijk 1885 days ago
That's not what they mean by "keylogger" and some reasonable people would agree with them on their naming. Suppose you have a log-in page, and a user name field, password field, and a "Log in" button. If a website secretly submits everything entered into the password field even when "Log in" isn't clicked, such as when a user accidentally pastes a password for another website and realises it before logging in, I think most people would call that a keylogger.

In Gitlab's case, it seems to be their search function. It provides search results without needing to press Enter or clicking a button. From a technical POV, this is the exact same kind of keylogging as the above, it's only the intent that makes this okay and the above not so.


Would you agree that keylogger is a term for malicious software with the purpose of stealing private data such as credentials?

If this is the case, then the latter is not keylogging.

The former is some sort of logging, but I wouldn't call it keylogging; after all, you are still entering data to the particular field intended for entering credentials, to be sent to the remote server for verification. If the purpose of the remote server is something more nefarious, then it is keylogging.

The feature would even make sense if the server would let you in without pressing enter; but for understandable reasons this is not really a thing..

> Would you agree that keylogger is a term for malicious software with the purpose of stealing private data such as credentials?

No, I would not. Keylogger, I would say, is what the name implies: a term for software that records keystrokes. In order for the term to be useful we have to limit it to such software where the recording is not obvious to the user, as otherwise even Notepad would count, but we do not have to limit it to malicious software.

So, basically, Google Docs is a keylogger?

Would that go along with the common consensus, or perhaps water down the term to near meaningless? Maybe Firefox is keylogging my input as well; and in fact, so is Linux. Keyboard itself, definitely.

Once I had X11 enter old keystrokes (so it had missed the read position in the input ring buffer and every stroke entered a key from the past); keyloggers all around.

Kidding aside, I believe it is important to use terminology all parties agree on; after all, words are a tool for communicating. Even if an individual finds a deeper or "fundamental" meaning in a word outside the typical use of a word, attempting to use and understand it in such a way hinders communication.

It honestly sounds like you've come to allow all types of keylogging to become (to yourself only) allowable and called by any other name. Yes, if Google Docs does actually take each keystroke and record it and save record of it, even once backed out/deleted from a field, this is in fact keylogging.

I want my Linux box or my keyboard to get my keystrokes. I don’t want my typing on a website before submitting a form sent to a third party. Key logging is how Blacklight describes it.

Agreed, if there is consensus on what a word means it's unnecessarily distracting to use it in a different sense. In this case, the common meaning of keylogger is not restricted to malicious software, so we shouldn't insist here that it is.

> In this case, the common meaning of keylogger is not restricted to malicious software, so we shouldn't insist here that it is.

The common meaning of keylogger is restricted to stealthily recording an unsuspecting user's keyboard input.

Malicious or not depends on the user who uses it and what they use it for and possibly also is in the eye of the beholder, but Google Docs or an auto complete search field is not a keylogger by any definition I've seen used.

But what do I know, I've only been interested in this since the nineties.

>the common meaning of keylogger is not restricted to malicious software

Over 99% of the hits on a google search use keylogger restricted to malicious software (sampled the first dozen or so pages). The first sentence in Wikipedia is "Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored". The top definition googling a definition is "a computer program that records every keystroke made by a computer user, especially in order to gain fraudulent access to passwords and other confidential information."

What metric did you use to conclude that the "common meaning" is not this common meaning? Not a single place I have found claims the common meaning is anything other than surreptitiously recording user keystrokes for nefarious purposes. Do you have even one such link?

I'm curious what you searched for, because the majority of the very first page of Google search results agrees with me, actually. Two of these define keyloggers in a way that is inherently malicious, most give a neutral definition. They do go on to say how such software can be used by criminals, but most do not say that keyloggers are inherently malicious, and some very specifically deny that:

https://www.csoonline.com/article/3326304/what-is-a-keylogge...:

> Keyloggers are a type of monitoring software designed to record keystrokes made by a user.

https://securelist.com/keyloggers-how-they-work-and-how-to-d...:

> The term ‘keylogger’ itself is neutral, and the word describes the program’s function.

https://en.wikipedia.org/wiki/Keystroke_logging:

> Keystroke logging, often referred to as keylogging or keyboard capturing, is the action of recording (logging) the keys struck on a keyboard, typically covertly, so that a person using the keyboard is unaware that their actions are being monitored.

https://home.sophos.com/en-us/security-news/2019/what-is-a-k...:

> A keylogger is an insidious form of spyware.

https://www.kaspersky.co.uk/resource-center/definitions/keyl...:

> Keyloggers are used for legitimate purposes like feedback for software development but can be misused by criminals to steal your data.

https://www.mcafee.com/blogs/consumer/family-safety/what-is-...:

> A keylogger (short for keystroke logger) is software that tracks or logs the keys struck on your keyboard, typically in a covert manner so that you don’t know that your actions are being monitored. This is usually done with malicious intent to collect your account information, credit card numbers, user names, passwords, and other private data.

https://searchsecurity.techtarget.com/definition/keylogger:

> Keyloggers are often used as a spyware tool by cybercriminals [...]. Keylogger recorders may also be used by: [...] These uses could be considered ethical or appropriate in varying degrees.

https://www.malwarebytes.com/keylogger/:

> Keyloggers are a common tool for corporations, which information technology departments use to troubleshoot technical problems on their systems and networks—or to keep an eye on employees surreptitiously. The same goes for, say, parents, who want to monitor their children’s activities.

https://enterprise.comodo.com/what-is-a-keylogger.php:

> At its most basic definition, a keylogger is a function which records or keystrokes on a computer. Taken at this basic level, a keylogger looks absolutely harmless. In the hands of a hacker or a cybercriminal, a keylogger is a potent tool to steal away your information.

https://us.norton.com/internetsecurity-malware-what-is-a-key...:

> A keylogger is a type of spyware that can be used to track and log the keys you strike on your keyboard, capturing any information typed. Keyloggers are insidious because you don’t know they’re there, watching and recording everything you type.

Strongly disagree that most people think of autosuggest in a search form as a keylogger. I've never once heard it referred to as such, outside this thread.

I think most people think of a keylogger as a malicious program that secretly records your keyboard activity when you don't know about it. If they think about it at all, they think of autosuggest as analogous to a form submission.

this is such a classic HN argument, it's almost comical. pedants from every part of the world going at it and even including google search results, picking apart each word that the original author meant to prove their point. this is the kind of conversation that would make me want to rip my head off in an office environment.

but from my POV i would also say that 95% of the time i've ever bumped into the term, it was always used in a cyber attack context. the other 5% was from corporate overlords wanting to spy on your actions.

It’s not obvious to the user that when they type in a search bar their text will be used to find relevant content on the site?

Indeed, it's not necessarily going to be obvious to a user that when they type in a search bar their text will be used to find relevant content on the site even before the user clicks a "Search" button.

TIL that all software that accepts keyboard I/O is now a "keylogger"

wow...

Nope. A keylogger is any field taking whatever you input without your knowledge, and "logging" it. So as he said above, if you were accidentally typing in sensitive info in a password field, or a chatbot window and without clicking a button to send that info off, they are logging it. That is still keylogging. Just because it's not a RAT keylogger doesn't mean it's not logging keystrokes.

The technical difference would be that a keylogger logs keystrokes regardless of where the focus is, whereas normal "respond to key events" logic would be restricted to capturing key events in a field where the user understands the focus to be.

"Type to search" is OK, as the key events processed are restricted to the ones typed into the search field. A key logger would attach an event listener to capture key presses in any field, or even if no field is selected.

It is the same technical difference between a UI which has an explicit "paste" button, which reads from the clipboard only when that button is pressed, vs a web app which reads from the clipboard indiscriminately, in the off-chance that there's something interesting (a password for a different website?) stored in the clipboard.

A real keylogger would see CTRL+V not your password. This isn't logging keystrokes.

Reasonable people wouldn't call it a keylogger because they assume that a form input will actually receive what you input.

> A real keylogger would see CTRL+V not your password.

Fair point, though that's more of a corner case.

> Reasonable people wouldn't call it a keylogger

Not a fair point. If your starting assumption is that everyone who disagrees with you is unreasonable, please take a moment to reflect.

You also said "reasonable people". I'm using the same term. Take a moment to read your own post.

I specifically said "some reasonable people" to allow for the possibility that other reasonable people could come to a different conclusion.

If both conclusions can be reached by "reasonable" people then that term is contextually meaningless. Why argue semantics when your own usage is irrelevant?

And I stand by my position that considering an autocomplete to be a keylogger is unreasonable because the obvious purpose of the input is to accept what you type. Automatically submitting may be a slight surprise but doesn't change the intent as you wouldn't type in the box if you were never going to submit it anyway.

Don't be too sure of that: you'd be surprised how often I misuse the browser's location bar when I need to make a very quick note when I don't have time to first open a text editor. Once I typed what I wanted to type, I then have time to open a text editor and copy it there. This became a habit for me back when browsers did not try to provide search suggestions in the address bar. I now still turn off the suggestions now to make sure I do not accidentally send data online that I want to keep private.

...which implies there exist unreasonable people. In common speech, qualifiers are added when there is a need to distinguish. You wouldn't say "some people with brains" unless there existed brainless people and there was a need to distinguish them from the other.

Their search function should simply be using an oninput or onchange event on a particular element, not global input. That is a technical difference.
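
Added example, not part of the thread or of any project discussed in it: the scope distinction drawn in the comments above (a listener on one search field versus a listener on the whole page) can be checked by recording where keyboard-related listeners are registered. `installKeyListenerAudit`, `KEY_EVENTS`, the report fields and the stand-in targets in `demo` are all assumptions of this sketch.

```javascript
// Added example: record where keyboard-related listeners are registered.
// KEY_EVENTS and the report fields are choices made for this sketch.
const KEY_EVENTS = new Set(['keydown', 'keyup', 'keypress', 'input', 'change']);

function installKeyListenerAudit(globalTargets) {
  const globals = new Set(globalTargets);
  const findings = [];
  const original = EventTarget.prototype.addEventListener;

  // Wrap registration so every keyboard-related listener leaves a record.
  EventTarget.prototype.addEventListener = function (type, listener, options) {
    if (KEY_EVENTS.has(type)) {
      findings.push({
        type,
        // A listener on window/document sees events from every field on the page.
        scope: globals.has(this) ? 'global' : 'element',
        target: this.id || this.constructor.name,
        // Capture-phase listeners run before the focused element's own handlers.
        capture: options === true || Boolean(options && options.capture),
      });
    }
    return original.call(this, type, listener, options);
  };

  return {
    findings,
    globalFindings: () => findings.filter((f) => f.scope === 'global'),
    uninstall() { EventTarget.prototype.addEventListener = original; },
  };
}

// Constructed stand-ins so the sketch runs outside a browser.
function demo() {
  const fakeDocument = new EventTarget();      // stands in for `document`
  const searchBox = new EventTarget();         // stands in for <input id="search">
  searchBox.id = 'search';

  const audit = installKeyListenerAudit([fakeDocument]);
  searchBox.addEventListener('input', () => {});            // scoped type-to-search
  fakeDocument.addEventListener('keydown', () => {}, true); // page-wide, capture phase
  fakeDocument.addEventListener('click', () => {});         // not keyboard-related
  audit.uninstall();
  return audit;
}

console.log(demo().findings);
```

In a browser the audit has to be installed before the page's own scripts run, with `[window, document]` as the global targets. Handlers assigned through `onkeydown`-style properties or attributes do not go through `addEventListener` and need a separate check.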