Slashdot Mirror
Over 400 of the World's Most Popular Websites Record Your Every Keystroke (vice.com)
An anonymous reader quotes a report from Motherboard: The idea of websites tracking users isn't new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled "No Boundaries," three researchers from Princeton's Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world's most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. Most troubling is that the information session replay scripts collect can't "reasonably be expected to be kept anonymous," according to the researchers.
Yandex searches as you type, so its hardly surprising it captures and sends the keystrokes in realtime....
But then again, so does Google, so why isn't Google on that list?
I started typing:
"I fucking hate you, Microsoft. I'm going to bomb your Azure datacenters and slit your throats. Eat shit and die, you incompetent fucks."
Then I deleted it and actually submitted:
"Dear Microsoft. I hereby request that you close my Azure account as I found the service unsuitable to my specific needs at this time. Thank you very much in advance. Sincerely yours, X."
So now you're telling me that they have seen the first version?
How about a list please, a useful list, name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400. That 400 players to add to noscript and cookiemonster.
Chaos - everything, everywhere, everywhen
As one of the links even mentions, Facebook was caught doing the same with status updates (recording everything you type, even if you delete it before posting) back in 2013. What's news here is the extent to which websites are doing this these days.
For years now I've been operating under the assumption that websites collect as much data on user interaction as possible, even including things like what links you mouse over (not necessarily click on), how long you spend reading content before moving on, and how long the cursor remains on different parts of the page. This is yet one more reason why I never browse without NoScript and uBlock Origin. Fortunately, as reported in the first link:
Does tracking protection help?
Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.
Now that this practice is getting a little more attention, here's hoping that more of these sites will be added to popular blocklists.
I have a nervous habit of idly swirling the mouse around while I read, and I've long suspected that sites were logging these movements. So, it's a habit that I've never tried to break, but rather I've been hoping that by passing the cursor over all sorts of page elements hundreds of times in the course of a few minutes, I'm screwing with their data collection somehow.
You're getting dangerously close to summoning him.
The list of websites:
https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html
https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html
Yeah, but.... Surely there's SOME kind of tool that would help you manipulate said hosts file? :P Maybe someone could tell us about it?
Previously I would have said NoScript
Use it again. NoScript has been released for Firefox 57.
Tell me again why Noscript isn't the default mode of every browser?
Why does, for example, slashdot think that I want to run software provided by truste.com, janrain.com or pro-market.net? I don't know any of those sites, and while I appreciate that slashdot trusts those sites not to harvest my data or harm my computer, they aren't exactly the party with skin in the game.
If you want to see how fucked up the web is, how fucked up we've allowed it to become, install noscript and set your browser to treat OCSP failures as hard errors. We have the technology to fix this. We just don't care enough to use it.
See that "Preview" button?
I do not much like this mis-behaviour and mostly browse using `links2`, a lynx-like text browser. Missing images is a feature :)
That proves (even if we've known that for a while) there is no control of web sites behavior. A concrete analogy is, you're angry after the tax office because you pay too much taxes, and start to write a letter, joking around, "go f..k yourself" etc... then throw that paper away and write the real one. Following this web site behavior, the tax officer is constantly looking over your shoulder - without you being even aware of that. This is totally unacceptable. The user should be at least made aware of that spying policy.
Slashdot, fix the reply notifications... You won't get away with it...
These days websites also use HTML5's canvas fingerprinting to identify your computer. If there's a way to gather any useful information, to be used for marketing, it'll happen. Check out Canvas Defender. You can change your machines white noise at will to help mask it's identity. It's really a bit sad that all this crap goes on.
So, this is completely overblown out of proportion. I'm a web dev, and more. Basically I've been deciding and implementing all sort of web things, including this "tracking" everybody is hung up about. Everywhere I worked at, the "tracking" is used for the good of a consumer as in ... analyzing data to provide better user experience, to make it easier for the users to find what they need ( granted: in effort to increase sales ), when they need it, and overall just increase user experience.
After 15 years of being in the business, I never seen tracking for malicious purposes (or purposes other than attempting to make it easier for YOU to use the website ).
I understand the concerns people are having, but jesus christ you people talk about it like we're filming you while in a shower, just because websites track where people click and what they insert into a web form ( on their own sites ) does not mean they CARE about you. No business cares about the individual.. but about statistics, percentages, numbers.
It's even said so in the article summary:
"Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages."
What on earth is so wrong about this ?
For people doing it, this is you "a3727fd0a20d5eef697d3c2f41bf0e4d". This is what they see and track, and care about.
Get over yourself, for god sake.