‘Hundreds’ Of Websites Track User Keystrokes

Web users are facing a new assault on their privacy after new research suggested that more than 480 websites are tracking every single keystroke made by visitors.

The claim comes in a study carried out by Princeton University, and it alleges that ‘session replay’ scripts are recording people’s keystrokes and then sending this valuable information to third-party servers.

But even worse, these ‘session replay’ scripts are also collecting information on mouse movements, and scrolling behaviour, as well as the entire contents of the pages people visit.


Tracking Sessions

The discovery by Princeton’s Center for Information Technology Policy (CITP) that over 400 of the world’s top websites use ‘session replay’ scripts to track user behaviour is not a new issue.

After all, it has been known for a while that certain websites and indeed PCs utilised keyloggers and analytics to track user behaviour and other surfing information.

But what makes this discovery so disturbing is that, unlike traditional keyloggers and analytics that tend to just gather general statistics, these ‘session replay’ scripts do not strip out personally identifiable user information, meaning that hackers could exploit this personal data (for identity theft, scams etc) or even use it to blackmail users.

“Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder,” the study warned.

“The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages,” said the researchers. “However the extent of data collected by these services far exceeds user expectations; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data can’t reasonably be expected to be kept anonymous. In fact, some companies allow publishers to explicitly link recordings to a user’s real identity.”

It named the top session replay companies as Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam. UK websites that use these companies include the Telegraph, Samsung, Reuters, US retail giant Home Depot and CBS News.

The researchers found these services in use on 482 of the Alexa top 50,000 sites.

The researchers acknowledge that these services claim not to collect user data, but they point out that the plug-and-play nature of these services makes this impossible to achieve. The researchers proved this by setting up test pages and installing replay scripts from six of the seven companies.

They found that their test pages recorded passwords in session recordings. They also found that ‘sensitive user inputs are redacted in a partial and imperfect way’, and that the ‘manual redaction of personally identifying information displayed on a page is a fundamentally insecure model’.
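The partial-redaction finding above can be illustrated with a small site-side audit. This is an added example, not code from the study or from any vendor: the "mask only `type=password`" rule, the field list and all function names are assumptions constructed for illustration. It compares that blocklist rule with a default-deny allowlist.

```javascript
// Constructed sample form fields (not taken from any real site).
const sampleFields = [
  { name: "password", type: "password", autocomplete: "current-password" },
  // A "show password" toggle typically switches the input to type="text".
  { name: "password_visible", type: "text", autocomplete: "current-password" },
  { name: "card_number", type: "text", autocomplete: "cc-number" },
  { name: "ssn", type: "text", autocomplete: "" },
  { name: "search", type: "search", autocomplete: "" },
  { name: "comments", type: "textarea", autocomplete: "" },
];

// Hypothetical recorder rule (assumption): mask only type="password".
function naiveRedacts(field) {
  return field.type === "password";
}

// Site-side heuristic for "obviously sensitive" fields, using standard
// HTML autocomplete tokens plus a name pattern.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "current-password", "new-password", "one-time-code",
  "cc-number", "cc-csc", "cc-exp",
]);
const SENSITIVE_NAME = /pass|pwd|card|cvv|cvc|ssn|secret|token/i;

function isSensitive(field) {
  return field.type === "password" ||
    SENSITIVE_AUTOCOMPLETE.has(field.autocomplete) ||
    SENSITIVE_NAME.test(field.name);
}

// Sensitive fields the blocklist rule would still record in clear text.
function leakedUnderBlocklist(fields) {
  return fields.filter((f) => isSensitive(f) && !naiveRedacts(f))
    .map((f) => f.name);
}

// Default-deny: only fields the site explicitly allows are recorded.
// Free-text fields such as "comments" are excluded unless someone opts in.
function recordedUnderAllowlist(fields, allowlist) {
  const allowed = new Set(allowlist);
  return fields.filter((f) => allowed.has(f.name)).map((f) => f.name);
}

console.log("leaked under blocklist:", leakedUnderBlocklist(sampleFields));
console.log("recorded under allowlist:",
  recordedUnderAllowlist(sampleFields, ["search"]));
```

Even the heuristic misses the free-text `comments` field, where a user can type anything; only the allowlist keeps it out of a recording.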

The researchers also noted that recording services may fail to protect user data.

Online Privacy

The discovery of these services and their data collection methods is bound to raise legal questions, especially as these services seem to gather this data without specific user consent.

The Do Not Track campaign a couple of years ago proved immensely popular. It was designed to stop websites and advertisers from tracking the web browsing habits of people.

Indeed, online privacy is a big issue for some web users. Previous research from Symantec for example found that one in three of us have provided false information online in order to safeguard our privacy.

And firms such as Google have carried out country-wide roadshows in order to train Brits in how to protect themselves and ensure their privacy whilst online.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
