November 27, 2017

Over 400 Popular WebSites Are Recording Your Every Keystroke and Mouse Movements

Most of the time, I look for something online and the next moment I find its advertisement on almost every other web page or social media site I visit. Have you ever experienced this? I'm sure you have!


Most of you who have spent enough time on the internet probably know that many websites embed third-party analytics scripts that record their users' online activity, including a log of the pages they have visited. But a recent study from Princeton University suggests that more and more sites are recording our every move online, including our keystrokes, mouse clicks, searches, scrolling behavior, and even every word we type.

Security researchers from Princeton University's Center for Information Technology Policy (CITP) analyzed the Alexa top 50,000 websites in the world and found that as many as 482 of them, many of which are high profile, use a new web-tracking technique to track every move of their users.

Dubbed "Session Replay," the technique is used even by highly popular websites, including Adobe, Al-Jazeera, Godaddy, Microsoft, Reuters, Rotten Tomatoes, Samsung, Skype, Spotify, The Guardian, VK, and WordPress, to record every single movement a visitor makes while navigating a web page; this incredibly extensive data is then sent to a third-party server for analysis.

"Session replay scripts" are usually designed to gather data about user engagement that website developers can use to improve the end-user experience. Companies use them widely to gain insight into how their users interact with their site and to discover broken or confusing pages.

What's particularly concerning is that the extent of data collected by these services far exceeds user expectations, since they record well beyond the information we purposely give to a website. These scripts keep a record of even the text we accidentally paste into a form and then clear before hitting 'Submit.'

“This data can’t reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user’s real identity,” Princeton researcher Steven Englehardt wrote in a blog post.

It's worth noting that collection of page content by a third-party provider can leak sensitive information such as passwords, credit card details, medical details, banking information, etc. Such data could then be used for identity theft and online scams. Other notable sites found to be recording user sessions include Autodesk, Comcast, Crunchbase, HP, Intel, Lenovo, Windows, Yandex, etc.

“We do not present the above examples to point fingers at a certain website. Instead, we aim to show that the redaction process can fail even for a large publisher with a strong, legal incentive to protect user data,” the blog post says.

Besides the fact that this practice happens without visitors' knowledge, the people in charge of some of the websites did not even know that the script had been deployed, which makes the matter a little scary.

The researchers also shared a video showing how much detail these session recording scripts can collect about a website's visitor.

https://www.youtube.com/watch?v=l0Yc8s0DTZA

Here’s how you can protect yourself:

A quick tip for blocking session replay scripts is to use a popular ad-blocking tool, AdBlock Plus. The tool now protects against all of the session replay scripts flagged in the Princeton study: AdBlock Plus formerly blocked only some of them, but it has been updated to block all of them as a result of the researchers' work.
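Site operators who, as noted above, did not know a replay script was on their pages can check for themselves. The following is an added example, not code from the article or the Princeton study: an audit hook loaded before any third-party tag that records which scripts subscribe to the keystroke and pointer events session replay depends on. The event names are standard DOM events; the function names and report format are this example's own, and Node's built-in EventTarget stands in for `document` in the stand-alone demo.

```javascript
// Audit hook (added example): records which scripts subscribe to the DOM events
// that session replay needs, so a site owner can spot replay tags they never
// knowingly deployed. Function names and report shape are this example's own.
const KEYSTROKE_EVENTS = new Set(['keydown', 'keypress', 'keyup', 'input', 'paste']);
const POINTER_EVENTS = new Set(['mousemove', 'mousedown', 'click', 'scroll', 'touchmove']);

// Best-effort attribution: the first http(s) URL in the call stack is the script
// that registered the listener (in a browser, the tag's CDN host).
function callerScript() {
  const m = /(https?:\/\/[^\s):]+)/.exec(new Error().stack || '');
  return m ? m[1] : 'first-party or inline';
}

// Wrap addEventListener on a prototype (EventTarget.prototype in a browser, so it
// covers document, window and every element) and log keystroke/pointer subscriptions.
function installListenerAudit(proto) {
  const registrations = [];
  const original = proto.addEventListener;
  proto.addEventListener = function (type, listener, options) {
    if (KEYSTROKE_EVENTS.has(type) || POINTER_EVENTS.has(type)) {
      registrations.push({ type, source: callerScript() });
    }
    return original.call(this, type, listener, options); // never break the page
  };
  return { registrations, uninstall: () => { proto.addEventListener = original; } };
}

// Group by script; a script that can both read what is typed and follow the
// pointer has everything a session replay recorder needs.
function summarize(registrations) {
  const bySource = new Map();
  for (const { type, source } of registrations) {
    const e = bySource.get(source) || { source, events: new Set(), keystrokes: false, pointer: false };
    e.events.add(type);
    e.keystrokes = e.keystrokes || KEYSTROKE_EVENTS.has(type);
    e.pointer = e.pointer || POINTER_EVENTS.has(type);
    bySource.set(source, e);
  }
  return [...bySource.values()].map((e) => ({
    source: e.source, events: [...e.events].sort(), sessionReplayCapable: e.keystrokes && e.pointer,
  }));
}

// Stand-alone demo: Node's EventTarget stands in for document; 'resize' is ignored.
const audit = installListenerAudit(EventTarget.prototype);
const doc = new EventTarget();
for (const ev of ['keydown', 'paste', 'mousemove', 'resize']) doc.addEventListener(ev, () => {});
audit.uninstall();
console.log(JSON.stringify(summarize(audit.registrations)));
```

In a real deployment the hook is loaded as the first script on the page, and the report is sent to the site's own logging endpoint rather than printed.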

What are your thoughts on such session replay techniques being used by reputed websites? Share your thoughts here.

About the author 

Chaitanya
