Slashdot Mirror


Over 400 of the World's Most Popular Websites Record Your Every Keystroke (vice.com)

An anonymous reader quotes a report from Motherboard: The idea of websites tracking users isn't new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled "No Boundaries," three researchers from Princeton's Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world's most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. Most troubling is that the information session replay scripts collect can't "reasonably be expected to be kept anonymous," according to the researchers.
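As an added illustration, not code from the Motherboard report or the Princeton researchers, here is a page-side audit hook a site owner could load before any third-party script to see which scripts attach keystroke, input or paste listeners to sensitive fields. The Field class and the "replay script" stand-in are constructed for the demo, and reading the registering caller from the Error stack is an assumption about how the engine formats stack frames.

```javascript
// Added example, not code from the article or the Princeton researchers.
// Wraps addEventListener so every listener registered for a keystroke,
// input or paste event is logged with its target and call site. In a
// browser, pass EventTarget.prototype; the demo below uses a constructed
// Field class on Node's built-in EventTarget, so no DOM is needed.

const WATCHED_EVENTS = new Set(['keydown', 'keypress', 'keyup', 'input', 'paste']);

// Wrap proto.addEventListener; returns the audit log it appends to.
function installListenerAudit(proto) {
  const log = [];
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (WATCHED_EVENTS.has(type)) {
      // Stack line 0 is "Error", 1 is this wrapper, 2 is the registering caller.
      const frames = (new Error().stack || '').split('\n');
      log.push({
        type,
        target: describeTarget(this),
        caller: frames.length > 2 ? frames[2].trim() : 'unknown',
      });
    }
    return original.call(this, type, listener, options);
  };
  return log;
}

// Compact label for an input-like target (real DOM inputs expose these fields).
function describeTarget(el) {
  const tag = (el.tagName || 'unknown').toLowerCase();
  return `${tag}[type=${el.type || ''}][name=${el.name || ''}]`;
}

// The entries a defender cares about most: keystroke hooks on password fields.
function sensitiveEntries(log) {
  return log.filter(e => e.target.includes('[type=password]'));
}

// Constructed scenario: a stand-in "replay script" hooks a password field
// and a search box; a plain focus listener is added to show it is ignored.
function runDemo() {
  class Field extends EventTarget {
    constructor(tagName, type, name) {
      super();
      this.tagName = tagName; this.type = type; this.name = name;
    }
  }
  const log = installListenerAudit(Field.prototype);
  const password = new Field('input', 'password', 'pw');
  const search = new Field('input', 'text', 'q');
  function replayScript(el) {
    el.addEventListener('keydown', () => {});
    el.addEventListener('paste', () => {});
  }
  replayScript(password);
  replayScript(search);
  password.addEventListener('focus', () => {});
  return { log, sensitive: sensitiveEntries(log) };
}
```

In a real page the `caller` field carries the URL of the script file that registered the listener, which is what tells you whether it was your own code or a third-party replay library.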

42 of 263 comments

  1. Web 3.0! by Frosty Piss · · Score: 2

    Quite often, these scripts are part of jQuery or some other JS framework that "needs" to know your keystrokes as a part of the web site interface, "application" if you will. Sure, this info can be used nefariously, but most likely the purpose is the web site interface mechanics itself.

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Web 3.0! by Anonymous Coward · · Score: 5, Funny

      You're getting dangerously close to summoning him.

    2. Re:Web 3.0! by Arzaboa · · Score: 2

      You use what's called a hosts file. It can be found on Windows and Linux. Someone can add their two cents on iOS.

      You can always block them through an ad-blocker, noscript or things of that nature in your browser.

      --
      "Ribbit" - Unknown Frog.

    3. Re:Web 3.0! by Lucky_Strikez · · Score: 3, Funny

      Yeah, but.... Surely there's SOME kind of tool that would help you manipulate said hosts file? :P Maybe someone could tell us about it?

    4. Re: Web 3.0! by Anonymous Coward · · Score: 2, Informative

      Okay, notepad.exe

    5. Re:Web 3.0! by Bite The Pillow · · Score: 2

      APK APK AP

      ***CONNECTION TERMINATED**+

      ---

      Filter error: Don't use so many caps.

      ---

      I earned these caps in the wasteland, and I'm gonna use them as I see fit. Are we clear?

      ---- .CRYSTAL.

    6. Re:Web 3.0! by ITRambo · · Score: 5, Interesting

      These days websites also use HTML5's canvas fingerprinting to identify your computer. If there's a way to gather any useful information, to be used for marketing, it'll happen. Check out Canvas Defender. You can change your machine's white noise at will to help mask its identity. It's really a bit sad that all this crap goes on.

  2. Google.com by Anonymous Coward · · Score: 3, Interesting

    Yandex searches as you type, so it's hardly surprising it captures and sends the keystrokes in realtime....

    But then again, so does Google, so why isn't Google on that list?

  3. Not good... by Anonymous Coward · · Score: 3, Funny

    I started typing:

    "I fucking hate you, Microsoft. I'm going to bomb your Azure datacenters and slit your throats. Eat shit and die, you incompetent fucks."

    Then I deleted it and actually submitted:

    "Dear Microsoft. I hereby request that you close my Azure account as I found the service unsuitable to my specific needs at this time. Thank you very much in advance. Sincerely yours, X."

    So now you're telling me that they have seen the first version?

    1. Re:Not good... by hcs_$reboot · · Score: 2

      The words "bomb" and "die" being in the text, the NSA got it even before MS.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    2. Re:Not good... by hcs_$reboot · · Score: 2

      Interestingly, that's an anagram of "Mass Sin".

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  4. 400 ? by rtb61 · · Score: 5, Interesting

    How about a list please, a useful list: name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400? That's 400 players to add to NoScript and CookieMonster.

    --
    Chaos - everything, everywhere, everywhen
    1. Re:400 ? by dfm3 · · Score: 5, Informative

      The page at the first link was updated with a link to their data, complete with a list of all the offending sites that are ranked in the top 10,000 by Alexa.

    2. Re:400 ? by Arzaboa · · Score: 5, Informative

      Here is the list, linked to from the actual article. List of 400

      --
      "Ribbit" - Unknown frog

    3. Re:400 ? by AmiMoJo · · Score: 2

      Privacy Badger fixes most of this automatically. It's a good option for less technical people.

      uBlock Matrix with "medium mode" (https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode) kills it completely. Without medium mode it also kills it, but you are reliant on the block list authors keeping up with whatever changes are made. Since this threat is so well known, they are probably on top of it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  5. This is (sort of) old news by dfm3 · · Score: 5, Informative

    As one of the links even mentions, Facebook was caught doing the same with status updates (recording everything you type, even if you delete it before posting) back in 2013. What's news here is the extent to which websites are doing this these days.

    For years now I've been operating under the assumption that websites collect as much data on user interaction as possible, even including things like what links you mouse over (not necessarily click on), how long you spend reading content before moving on, and how long the cursor remains on different parts of the page. This is yet one more reason why I never browse without NoScript and uBlock Origin. Fortunately, as reported in the first link:

    Does tracking protection help?

    Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.


    Now that this practice is getting a little more attention, here's hoping that more of these sites will be added to popular blocklists.

    I have a nervous habit of idly swirling the mouse around while I read, and I've long suspected that sites were logging these movements. So, it's a habit that I've never tried to break, but rather I've been hoping that by passing the cursor over all sorts of page elements hundreds of times in the course of a few minutes, I'm screwing with their data collection somehow.

    1. Re:This is (sort of) old news by theweatherelectric · · Score: 5, Interesting

      This is yet one more reason why I never browse without NoScript and uBlock Origin.

      In Firefox 57 there's now also the option to turn on its built-in tracking protection all the time, as opposed to only in private browsing mode.

    2. Re:This is (sort of) old news by AReilly · · Score: 2

      The issue isn't that web sites are doing real-time analytics. It's that they've all out-sourced the process to a handful of third party companies. No one cares that the information they've provided to the company they are interacting with over SSL gets seen by that company: of course it does. What they care about is that this stream of data is parceled up and sent (not necessarily securely, according to the article) to some company you've never heard of, and have no business relationship with.

      --
      -- Andrew
    3. Re:This is (sort of) old news by Anonymous Brave Guy · · Score: 5, Informative

      That's funny, my recollection is that we managed pretty well without the spying for at least a decade, and yet during that time the Web grew from an academic/enthusiast medium into a mass communication medium. It turned out that countless people were willing to contribute without trying to exploit others for profit as their only motive.

      Indeed, social media today, arguably including sites like this one, is still built almost entirely from contributions given freely by normal people. It's just that today, instead of everyone getting some web space as part of their normal ISP package and making their own home page or blog, we have a relatively small number of large, mostly ad-funded, mostly data-hoarding giants centralising our basic hosting instead. That has some advantages, of course, but also a very high price to pay for anyone who values privacy and security online.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
    4. Re:This is (sort of) old news by thegarbz · · Score: 2

      In Firefox 57 there's now also the option to turn on its built-in tracking protection all the time, as opposed to only in private browsing mode.

      You should do that anyway if for no other reason than to actually speed up the internet. http://www.ieee-security.org/T...

  6. List of Websites by Anonymous Coward · · Score: 5, Informative

    The list of websites:

    https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html

  7. Re: Name names by Anonymous Coward · · Score: 4, Informative

    https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html

  8. privacy.trackingprotection.enabled in Fx 52 by tepples · · Score: 2

    And even in earlier versions, such as the Firefox 52 that people are using in order to give Mozilla a few more months to make necessary APIs available to WebExtensions, the user can turn on Tracking Protection system-wide by entering about:config and turning on privacy.trackingprotection.enabled. The drawback is that several sites, such as TV Tropes, intentionally conflate tracking protection with an ad blocker and block page views until the user activates the "Disable protection for this site" control.

  9. Re:I'm OK by tepples · · Score: 2, Insightful

    Thick Thigh Tranny Bitches.com

    Thick thighs, automotive gearboxes, and female dogs? That's an odd combination of topics for a website.

  10. Re:I'm OK by Templer421 · · Score: 2

    Manual Tranny or an Automatic Tranny?

    Ford or Chevy?

    What Engine and Year?

  11. Re:NoScript, but... (use Brave) by theweatherelectric · · Score: 4, Informative

    Previously I would have said NoScript

    Use it again. NoScript has been released for Firefox 57.

  12. Noscript by Orgasmatron · · Score: 3, Interesting

    Tell me again why Noscript isn't the default mode of every browser?

    Why does, for example, slashdot think that I want to run software provided by truste.com, janrain.com or pro-market.net? I don't know any of those sites, and while I appreciate that slashdot trusts those sites not to harvest my data or harm my computer, they aren't exactly the party with skin in the game.

    If you want to see how fucked up the web is, how fucked up we've allowed it to become, install noscript and set your browser to treat OCSP failures as hard errors. We have the technology to fix this. We just don't care enough to use it.

    --
    See that "Preview" button?
    1. Re:Noscript by theweatherelectric · · Score: 3, Informative

      temporary permissions

      They're still there. See the developer's blog post.

    2. Re:Noscript by Mkkby · · Score: 2

      Yep, and this is why I won't DOWNGRADE to firefox 57. I'll stay frozen on 50 until NoScript has the full functionality it had before. Note, it's been released as of today but users are complaining of missing features and a terrible UI. Keep waiting.

      The internet is almost unusable without an ad blocker and a JS blocker. I don't know how anyone can stand the slow load times and blinking/flashing ads in your face. Perhaps TV has made all this normal for most people.

    3. Re:Noscript by thegarbz · · Score: 2

      Tell me again why Noscript isn't the default mode of every browser?

      Because by default it breaks most of the internet and only the most dedicated of geeks are happy to battle with the frustration of managing whitelists to make basic browsing work.

    4. Re:Noscript by PeeAitchPee · · Score: 2

      The problem is the 99.9999% don't understand what you just wrote, or why it's important to them. They probably do know that one of the times they let a tech-minded friend help them, certain web pages stopped working. So we're back to the same reason that fucks up pretty much everything, eventually: once you let "normal people" use it, well, anything, shit will get broken. And once you let for-profit companies use it, its original intent will be perverted. That's why we have a crippled, adware-laden crapfest of an Internet run by corps and consumed by the unwashed masses versus what was envisioned for a worldwide public network 25+ years ago.

  13. Ignored option by Hallux-F-Sinister · · Score: 2

    [ ] Don't pay for every website you access, that's what ads are for. Let advertisers be unable target you and unable to track you specifically, etc., which means sellers of ads won't make as much money, and certain companies won't have billions or trillions of dollars that they only have because people tolerated this behavior. I typed a bunch of stuff after this, but no one is going to read it anyway.

    --
    Our reign has gone on long enough. Indeed. Summon the meteors.
    1. Re:Ignored option by Pascoea · · Score: 2

      I typed a bunch of stuff after this, but no one is going to read it anyway.

      There are apparently 400 sites out there that will.

  14. A Lot of Trouble by techdolphin · · Score: 2

    It seems like these websites are going to a lot of trouble to discover that I can't type and can't spell.

  15. Duh! Autocomplete REQUIRES some tracking by redelm · · Score: 3, Insightful

    You know how Google and others do autocomplete on your search entries? Or spell check in text boxen? Or mouse zooming? How could they do this if every mouse/keystroke was not sent to them? Of course some loaded script does, and whatever else it does is probably described as "trojan".

    I do not much like this mis-behaviour and mostly browse using `links2`, a lynx-like text browser. Missing images is a feature :)

  16. Web Sites Behavior Control by hcs_$reboot · · Score: 3, Insightful

    That proves (even if we've known that for a while) there is no control of web sites' behavior. A concrete analogy is, you're angry at the tax office because you pay too much tax, and start to write a letter, joking around, "go f..k yourself" etc... then throw that paper away and write the real one. Following this web site behavior, the tax officer is constantly looking over your shoulder - without you being even aware of that. This is totally unacceptable. The user should at least be made aware of that spying policy.

    --
    Slashdot, fix the reply notifications... You won't get away with it...
  17. Re:NoScript, but... (use Brave) by theweatherelectric · · Score: 2

    If you want UI changes in NoScript then tell the developer of NoScript. He says he wants to hear everyone's UI ideas.

  18. Overblown. Gonna play devil's advocate. by geekymachoman · · Score: 3, Interesting

    So, this is completely blown out of proportion. I'm a web dev, and more. Basically I've been deciding and implementing all sorts of web things, including this "tracking" everybody is hung up about. Everywhere I've worked, the "tracking" is used for the good of the consumer, as in ... analyzing data to provide a better user experience, to make it easier for the users to find what they need ( granted: in an effort to increase sales ), when they need it, and overall just improve user experience.

    After 15 years of being in the business, I have never seen tracking for malicious purposes (or purposes other than attempting to make it easier for YOU to use the website ).

    I understand the concerns people are having, but jesus christ you people talk about it like we're filming you while in a shower, just because websites track where people click and what they insert into a web form ( on their own sites ) does not mean they CARE about you. No business cares about the individual.. but about statistics, percentages, numbers.

    It's even said so in the article summary:
    "Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages."

    What on earth is so wrong about this ?
    For people doing it, this is you "a3727fd0a20d5eef697d3c2f41bf0e4d". This is what they see and track, and care about.

    Get over yourself, for god sake.

    1. Re:Overblown. Gonna play devil's advocate. by afgam28 · · Score: 4, Insightful

      Let's suppose that there are no malicious uses of web tracking, that it is solely used to improve the user experience. There's still a big problem, which is that a lot of software developers are just incompetent when it comes to security. And sorry to break it to you, but your post proves that you're one of them.

      If you don't see the problem with a key logger on a site that contains a password field, and then sending those logged keys to a third-party, and through unencrypted channels, then you need to be fired from your job as a web dev asap.

    2. Re:Overblown. Gonna play devil's advocate. by AmiMoJo · · Score: 4, Insightful

      Looking at the number of sites that use anti-patterns (malicious UIs designed to trick the user) I'd say you have lived a very sheltered life.

      Getting you to buy more stuff IS abuse in many cases. Jacking up prices because your page view times and mouse hover positions suggest that you will pay 10% more is also abuse, and spying. It's creepy AF.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:Overblown. Gonna play devil's advocate. by bluegutang · · Score: 3, Insightful

      For people doing it, this is you "a3727fd0a20d5eef697d3c2f41bf0e4d".

      No, this is you: ID "a3727fd0a20d5eef697d3c2f41bf0e4d", username bob123, email address bobsmith123@gmail.com.

      And email address bobsmith123@gmail.com can be correlated with a Facebook account, medical history, credit rating, and much more.

  19. Re:Duh! Autocomplete REQUIRES some tracking by DNS-and-BIND · · Score: 2

    Here's a fun party trick: go to Google.com, type in "Hillary Clinton", and try to get autocomplete to say something bad about her. Then, try it with "Donald Trump" (impeachment was the first auto-complete result I got, it may vary with your location).

    During the James Damore scandal, I couldn't get Google to suggest anything at all about his name. It just suggested variations on "d'amore", the French word for love. Weird, eh?

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!