Slashdot Mirror

← Back to Stories (view on slashdot.org)

Over 400 of the World's Most Popular Websites Record Your Every Keystroke (vice.com)

Posted by BeauHD on from the session-replay-scripts dept.

An anonymous reader quotes a report from Motherboard: The idea of websites tracking users isn't new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled "No Boundaries," three researchers from Princeton's Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world's most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. Most troubling is that the information session replay scripts collect can't "reasonably be expected to be kept anonymous," according to the researchers.

13 of 263 comments (clear)

  1. 400 ? by rtb61 · · Score: 5, Interesting

    How about a list please, a useful list, name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400. That 400 players to add to noscript and cookiemonster.

    --
    Chaos - everything, everywhere, everywhen
    1. Re:400 ? by dfm3 · · Score: 5, Informative

      The page at the first link was updated with a link to their data, complete with a list of all the offending sites that are ranked in the top 10,000 by Alexa.

    2. Re:400 ? by Arzaboa · · Score: 5, Informative

      Here is the list, linked to from the actual article. List of 400

      --
      "Ribbit" - Unknown frog

  2. This is (sort of) old news by dfm3 · · Score: 5, Informative

    As one of the links even mentions, Facebook was caught doing the same with status updates (recording everything you type, even if you delete it before posting) back in 2013. What's news here is the extent to which websites are doing this these days.

    For years now I've been operating under the assumption that websites collect as much data on user interaction as possible, even including things like what links you mouse over (not necessarily click on), how long you spend reading content before moving on, and how long the cursor remains on different parts of the page. This is yet one more reason why I never browse without NoScript and uBlock Origin. Fortunately, as reported in the first link:

    Does tracking protection help?

    Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.

    Now that this practice is getting a little more attention, here's hoping that more of these sites will be added to popular blocklists.

    I have a nervous habit of idly swirling the mouse around while I read, and I've long suspected that sites were logging these movements. So, it's a habit that I've never tried to break, but rather I've been hoping that by passing the cursor over all sorts of page elements hundreds of times in the course of a few minutes, I'm screwing with their data collection somehow.

    1. Re:This is (sort of) old news by theweatherelectric · · Score: 5, Interesting

      This is yet one more reason why I never browse without NoScript and uBlock Origin.

      In Firefox 57 there's now also the option to turn on its built-in tracking protection all the time, as opposed to only in private browsing mode.

    2. Re:This is (sort of) old news by Anonymous+Brave+Guy · · Score: 5, Informative

      That's funny, my recollection is that we managed pretty well without the spying for at least a decade, and yet during that time the Web grew from an academic/enthusiast medium into a mass communication medium. It turned out that countless people were willing to contribute without trying to exploit others for profit as their only motive.

      Indeed, social media today, arguably including sites like this one, is still built almost entirely from contributions given freely by normal people. It's just that today, instead of everyone getting some web space as part of their normal ISP package and making their own home page or blog, we have a relatively small number of large, mostly ad-funded, mostly data-hoarding giants centralising our basic hosting instead. That has some advantages, of course, but also a very high price to pay for anyone who values privacy and security online.

      --
      If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  3. Re:Web 3.0! by Anonymous Coward · · Score: 5, Funny

    You're getting dangerously close to summoning him.

  4. List of Websites by Anonymous Coward · · Score: 5, Informative

    The list of websites:

    https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html

  5. Re: Name names by Anonymous Coward · · Score: 4, Informative

    https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html

  6. Re:NoScript, but... (use Brave) by theweatherelectric · · Score: 4, Informative

    Previously I would have said NoScript

    Use it again. NoScript has been released for Firefox 57.

  7. Re:Web 3.0! by ITRambo · · Score: 5, Interesting

    These days websites also use HTML5's canvas fingerprinting to identify your computer. If there's a way to gather any useful information, to be used for marketing, it'll happen. Check out Canvas Defender. You can change your machines white noise at will to help mask it's identity. It's really a bit sad that all this crap goes on.

  8. Re:Overblown. Gonna play devil's advocate. by afgam28 · · Score: 4, Insightful

    Let's suppose that there are no malicious uses of web tracking, that it is solely used to improve the user experience. There's still a big problem, which is that a lot of software developers are just incompetent when it comes to security. And sorry to break it to you, but your post proves that you're one of them.

    If you don't see the problem with a key logger on a site that contains a password field, and then sending those logged keys to a third-party, and through unencrypted channels, then you need to be fired from your job as a web dev asap.

  9. Re:Overblown. Gonna play devil's advocate. by AmiMoJo · · Score: 4, Insightful

    Looking at the number of sites that use anti-patterns (malicious UIs designed to trick the user) I'd say you have lived a very sheltered life.

    Getting you to buy more stuff IS abuse in many cases. Jacking up prices because your page view times and mouse hover positions suggest that you will pay 10% more is also abuse, and spying. It's creepy AF.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC