
Several popular websites use scripts to record visitor activity

By Cal Jeffrey · 12 replies
Nov 21, 2017
  1. Most of us have come to accept that some of our information is going to be tracked when using the Internet. We have gotten used to seeing ads for those watches we were looking at on Amazon weeks ago showing up on Facebook. Most people do not even bother reading privacy policies anymore but that does not mean it is no longer important to know what kind of information is being tracked and how it is being collected.

    Researchers at Princeton University’s Center for Information Technology Policy (CITP) have discovered that more of your information is being tracked than you might know. Their study has uncovered that several popular websites are using scripts that log every keystroke and mouse click and save recordings of them to third-party servers. Even if you cancel or abandon the web form, everything you typed is still recorded and saved.

    The keylogging software, called “session replay scripts,” is being openly used by multiple sites. The scripts are usually employed by third-party providers such as FullStory, SessionCam, Clicktale, SmartLook, UserReplay, Hotjar and Yandex. Administrators can pull up any recorded session and play it back like a video.

    According to lead researcher Steve Englehardt, most people do not even realize they are being tracked in this manner since session replay disclosures are buried “deep into the privacy policy.”

    “I’m just happy that users will be made aware of it,” Englehardt told Motherboard in a telephone interview.

    Englehardt and his colleagues, Gunes Acar and Arvind Narayanan, studied six of the seven session replay providers mentioned above and found that software from one company was being used on 482 of the top 50,000 sites (as ranked by Alexa). Of the nearly 500 listed websites, there are several well-known names including WordPress, Microsoft, Spotify, Xfinity and Walgreens.

    Upon being presented with the research, Walgreens issued a statement.

    “We take the protection of our customers’ data very seriously and are investigating the claims made in the study that was published yesterday. As we look into the concerns that were raised, and out of an abundance of caution, we have stopped sharing data with FullStory.”

    Bonobos, another company identified in the list, told Wired that they have also stopped sharing data with FullStory. “We are continually assessing and strengthening systems and processes in order to protect our customers’ data,” the spokesperson said.

    “Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details, and other personal information displayed on a page to leak to the third-party as part of the recording,” warn the researchers. It is also possible for passwords to be revealed despite the fact that the software is supposed to redact them.

    There are tools included with the session replay scripts that can be used to redact sensitive information, but in testing the software, CITP found that some data is only partially redacted or not removed at all. On Walgreens’ website, for instance, data such as medical conditions, prescriptions and users’ real names were being collected despite having redaction protocols in place.

    Regardless of how trustworthy companies like FullStory and the others may or may not be, the researchers see a concern with those firms being targets for malicious attacks. They point to Yandex, Hotjar and SmartLook as examples that serve their session replay dashboards over unencrypted HTTP rather than HTTPS.

    Thanks to the team’s research, session replay providers are reviewing their practices as well. Yandex and SmartLook are already looking into ways to improve the security of their dashboards.

    Kevin Goodings, CEO of SessionCam, stated, “Everyone at SessionCam can get behind the CITP’s conclusion: ‘Improving user experience is a critical task for publishers. However, it shouldn’t come at the expense of user privacy.’ The whole team at SessionCam lives these values every day. The privacy of your website visitors and the security of your data is of paramount importance to us.”

    If you would like to see the 482 websites that are confirmed to be using session replay scripts, the list is published on Princeton’s Web Transparency website.
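    The article names the session replay vendors and notes that their scripts and, in some cases, their dashboards run over plain HTTP. A site owner's first defensive step is simply knowing which third-party scripts a page loads. The following Node.js check is an added example, not code from the article, TechSpot or the Princeton CITP study: it parses a page's HTML for `<script src>` tags, lists the hosts it pulls scripts from, flags hosts whose name contains one of the vendor names from the article, and flags scripts fetched over `http://`. Matching vendor names as substrings of a hostname is a heuristic assumption (these are not the vendors' real script hostnames), and the sample page with `.example` hosts is constructed.

```javascript
// Added example, not code from the article, TechSpot, or the Princeton CITP study.
// A Node.js inventory check: scan a page's HTML for <script src=...> tags, list the
// hosts it pulls scripts from, flag hosts whose name contains one of the
// session-replay vendors named in the article, and flag scripts fetched over
// plain http://. Substring matching on vendor names is a heuristic assumption,
// not the vendors' real script hostnames; the sample HTML below is constructed.

const REPLAY_VENDORS = ['fullstory', 'sessioncam', 'clicktale', 'smartlook',
                        'userreplay', 'hotjar', 'yandex'];

// Pull the src attribute out of every <script> tag (double-quoted, single-quoted or bare).
function extractScriptSrcs(html) {
  const re = /<script\b[^>]*\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const srcs = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    srcs.push(m[1] ?? m[2] ?? m[3]);
  }
  return srcs;
}

// Classify each script: third-party or not, matches a replay vendor, loaded insecurely.
function auditScripts(html, firstPartyHost) {
  const findings = [];
  for (const src of extractScriptSrcs(html)) {
    let url;
    try {
      url = new URL(src, `https://${firstPartyHost}/`); // resolves relative and // URLs
    } catch {
      continue; // unparseable src: skip it
    }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue;
    const host = url.hostname.toLowerCase();
    const thirdParty = host !== firstPartyHost && !host.endsWith('.' + firstPartyHost);
    const replayVendor = REPLAY_VENDORS.find((v) => host.includes(v)) || null;
    findings.push({ src, host, thirdParty, replayVendor, insecure: url.protocol === 'http:' });
  }
  return findings;
}

// Constructed sample page; the .example hosts are placeholders, not real vendor CDNs.
const SAMPLE_HTML = `
<html><head>
<script src="/js/app.js"></script>
<script src='https://cdn.shop.example/vendor.js'></script>
<script src="https://rec.hotjar.example/hj.js" async></script>
<script type="text/javascript" src=http://static.yandex.example/watch.js></script>
<script src="https://analytics.other.example/a.js"></script>
</head><body></body></html>`;

// Reduce the findings to the three things a site owner would want to review.
function summarize(findings) {
  return {
    thirdPartyHosts: findings.filter((f) => f.thirdParty).map((f) => f.host),
    replayVendors: findings.filter((f) => f.replayVendor).map((f) => f.replayVendor),
    insecureLoads: findings.filter((f) => f.insecure).map((f) => f.src),
  };
}

console.log(JSON.stringify(summarize(auditScripts(SAMPLE_HTML, 'shop.example')), null, 2));
```

Run it with `node` against saved page source; on the constructed sample it reports three third-party hosts, two replay-vendor matches and one insecure load. Anything it flags is a prompt to check the privacy policy disclosure and the vendor's redaction configuration for that page, since the article notes that redaction settings alone left names and prescriptions exposed in CITP's testing.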

    Image and video courtesy Princeton University


     
  2. andrewdoyle88

    andrewdoyle88 TS Booster Posts: 111   +95

    Translation = We were selling your data but since you found out we'll stop now.
     
    Reehahs, senketsu, Kenrick and 3 others like this.
  3. psycros

    psycros TS Evangelist Posts: 1,822   +1,231

    Anyone who isn't using a top-tier security package and either TOR or a decent commercial VPN is asking for trouble. The antivirus guys need to start getting really aggressive about blacklisting sites that engage in this kind of dangerous spying. I figured that remote keylogging was being used on a lot of sites and so I always tried to NEVER type something in a web form unless I was comfortable with the site admins reading it. But I guess I should've realized it would be used for more than that. What blows my mind is people who buy *internet-connected* "smart" junk with mics and cameras for their homes. Whatever happened to common sense?
     
    Last edited: Nov 21, 2017
  4. Evernessince

    Evernessince TS Evangelist Posts: 1,973   +1,166

    And Ajit Pai thinks we don't even need Net Neutrality because companies will behave without rules. No, what we need are NN rules for ISPs and much stricter data privacy laws.
     
    Reehahs, psycros and senketsu like this.
  5. Kenrick

    Kenrick TS Evangelist Posts: 542   +353

    Noscript should disable all of them.
     
    BSim500 likes this.
  6. Evernessince

    Evernessince TS Evangelist Posts: 1,973   +1,166

    I would say yes to the VPN but those internet protection suites don't really do anything you can't do yourself. Script blocking, Firewall, and ad-blocking can all be found free elsewhere.
     
  7. regiq

    regiq TS Rookie

    I'm afraid the antivirus companies do more or less the same - live off selling your data. It's all in their TOSes and policies...
     
  8. psycros

    psycros TS Evangelist Posts: 1,822   +1,231

    And just like death and taxes, here comes the "you don't need antivirus" guy. Pretending malware doesn't exist won't make it go away no matter how much you want it to. Grow up.
     
  9. jobeard

    jobeard TS Ambassador Posts: 10,981   +930

    Well, back in the early 2000's I was asked to implement a Replay system from a website monitoring system (so there would not be anything like keylogging). I ranted and raved on the ethics and legal liability of accessing / replaying the user experience. I was fortunate to get away with taking the high ground and kept my job. Just think, I could have been the ancestor to Julian Assange (WikiLeaks).
     
  10. Evernessince

    Evernessince TS Evangelist Posts: 1,973   +1,166

    Grow up? As in actually avoiding shady websites and practicing computer common sense? 99% of viruses are contracted by the user. I haven't had a virus in over 10 years. If you are in need of protection you are either doing something shady, ignorant of computers in general, or going to websites you know aren't secure. I know well not to click that fake download button but the question is: Do you? Here you are defending software which is designed for the average person who doesn't know better. You are on a tech website, big surprise people here are smart enough to know how not to get malware.

    I'm less like the "don't need anti-virus guy" and more like the "uses common sense guy". But yeah, I do use Malwarebytes in single scan mode once in a while and guess what? It never finds anything. Good thing too, cuz what a waste of resources it would be to run it all the time.
     
  11. Angga B

    Angga B TS Rookie

    Big Brother is already watching you.
    Now little brother(s) are also trying to watch you.

    What in the world is this game? Do they sincerely think 1984 was a manual book?
     
    regiq likes this.
  12. BobHome

    BobHome TS Member

    So, what are you trying to tell us? Are you suggesting we avoid these sites?
    (Avon, CBS, Chevrolet, RedHat, Nintendo, Microsoft, Skype, T-Mobile, etc.)
     
  13. regiq

    regiq TS Rookie

    There are quite a few things we can do to try to change this ill situation:
    Read the terms of services and other company policies and make conscious choices of services that we use;
    Promote services that don't share (or - better - gather) your data and REALLY respect your privacy (mostly the ones whose business model does not rely on user profiling - we should be able to pay for that);
    Block tracking scripts and domains in browsers, routers, devices, so it's not profitable to the companies;
    Inform friends about these practices to increase awareness of the problem;
    Put some pressure on the legislators - in the end only the law could make it stop;
    Remember: demand creates supply.
     
