‘Hundreds’ Of Websites Track User Keystrokes

Web users are facing a new assault on their privacy after new research suggested that more than 480 websites are tracking every single keystroke made by visitors.

The claim comes in a study carried out by Princeton University, and it alleges that ‘session replay’ scripts are recording people’s keystrokes and then then send this valuable information to third-party servers.

But even worse, these ‘session replay’ scripts are also collecting information on mouse movements, and scrolling behaviour, as well as the entire contents of the pages people visit.

Tracking Sessions

The discovery by Princeton’s Center for Information Technology Policy (CITP) that over 400 of the world’s top websites use ‘session replay’ scripts to track user behaviour is not a new issue.

After all, it has been known for a while that certain websites and indeed PCs utilised keyloggers and analytics to track user behaviour and other surfing information.

But what makes this discovery so disturbing is that unlike traditional keyloggers and analytics that tend to just gather general statistics, these ‘session replay’ scripts do not strip out personally identifiable user information, meaning that hackers could exploit (identity theft, scams etc) or even blackmail users with this personal data.

“Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder,” the study warned.

“The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages,” said the researchers. “However the extent of data collected by these services far exceeds user expectations; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can’t reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user’s real identity.”

It named the top session replay companies as Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam. UK websites that use these companies include the Telegraph, Samsung, Reuters, US retail giant Home Depot and CBS News.

The researchers found these services in use on 482 of the Alexa top 50,000 sites.

The researchers do admit that while these services claim not to collect user data, they point out that the plug-and-play nature of these services make this impossible to achieve. The researchers proved this by setting up test pages and they installed replay scripts from six of the seven companies.

They found that their test pages recorded passwords in session recordings. They also found that ‘sensitive user inputs are redacted in a partial and imperfect way’, and that the ‘,anual redaction of personally identifying information displayed on a page is a fundamentally insecure model’.

The researchers also noted that recording services may fail to protect user data.

Online Privacy

The discovery of these services and their data collection methods is bound to raise legal questions, especially as these services seem to gather this data without specific user consent.

The Do Not Track campaign a couple of years ago proved immensely popular. It was designed to stop websites and advertisers from tracking the web browsing habits of people.

Indeed, online privacy is a big issue for some web users. Previous research from Symantec for example found that one in three of us have provided false information online in order to safeguard our privacy.

And firms such as Google have carried out country-wide roadshows in order to train Brits in how to protect themselves and ensure their privacy whilst online.

Quiz: What do you know about privacy?

Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...

Recent Posts

Cryptocurrency Warning From Bank Of England Governor

Blunt message from Bank of England governor Andrew Bailey, warning people only to buy cryptocurrency…

20 hours ago

Jeff Bezos Offloads $2 Billion In Amazon Shares

Needs some spending money...Amazon CEO Jeff Bezos has this week sold nearly $2 billion worth…

20 hours ago

Twitter Suspends Account Sharing Trump Posts

Shutdown again. An account has been suspended by Twitter for sharing the posts from Donald…

22 hours ago

IBM Claims Breakthrough With 2 Nanometer Chip

Research boffins at IBM are touting a major leap forward in performance and energy efficiency…

2 days ago

Twitter Now Prompts Users To Revise ‘Harmful Replies’

Trolls beware. Twitter releases feature that will deliver a 'reconsider prompt' for users, if they…

2 days ago

Old Routers Pose Security Risk, Warns Which?

Elderly routers that can no longer receive firmware updates posed security risk to millions of…

2 days ago