You’ve read the news about session replay scripts and how they enable over 400 websites to track your every keystroke and mouse click and you’re, understandably, concerned. If you haven’t been following the news, researchers at Princeton University’s Centre for Information Technology Policy (CITP), discovered that 400 of the most popular websites in the world, including The Telegraph and BBC Good Food are running code capable of tracking everything you type into a website. This means that, without your knowledge or express consent, your information is being taken and used by third-party servers.
You may be thinking that websites recording your activity so you can be remarketed products is nothing new, and it isn’t. In this instance, however, session replay scripts are far more wide reaching than just what you decided to click and buy.
Here, some of the most trafficked websites in the world are recording every keystroke you make – be it a site search or text chat with an assistant. If you start to fill out a form with email addresses, phone numbers or personal details and then decide not to follow through, those sites already have the information they wanted.
Thankfully, there is a way to protect yourself against these sites and session replay scripts as a whole. Released as part of CITP’s research is a searchable list of every site that’s been found to use session replay scripts. It also, rather handily, tells you if that site is guilty for sending your information away to third-party servers.
How to block session replay scripts:
The easiest way to avoid session replay scripts is to head to CITP’s searchable list and actively avoid using those sites. It may mean you’ll have to change up your browsing habits, but you’ll probably be better off for it.
If you don’t want to switch up your browsing habits, and I don’t blame you, you can use AdBlock Plus. While AdBlock Plus kills 99% of the revenue most publications, such as Alphr, get from your page vitists, it’s now updated itself to stops session replay scripts on the 487 sites listed by CITP. You’ll have to pay for AdBlock Plus, which seems a bit weird to pay for something to stop paying for other content, but it does work.
How it was discovered over 400 sites use session replay scripts to scrape your information
For years, keyloggers have been synonymous with dodgy downloads and spyware that finds its way onto your PC. Now, the technology is much more rife and commonplace, and it appears to be being used in one of the most intrusive ways possible.
Research from Princeton University’s Centre for Information Technology Policy (CITP) discovered that 400 of the most popular websites – including The Telegraph and BBC Good Food – are running code that’s capable of tracking everything you type without your knowledge or express consent.
What’s even more worrying is that your keystrokes and data, including information you’ve typed and then deleted, are being sent to a third-party server.
As Motherboard notes, it’s a similar situation to what Facebook was doing with user’s incomplete status updates. In 2013, when it was revealed facebook was logging what was being said and then deleted before a post was published, people got mad. But now, with all these notable websites looking at what it is you’re writing and clicking, we’re almost entirely unaware it’s going on.
In fairness to the sites discovered to be using such keystroke-logging services, it’s not actually their intention to obtain this information. Instead it’s a direct consequence of using something called a “Session Replay Script”. These web scripts are used to track engagement and help with UX design to inform site owners how they can improve a visitor’s journey through their website. Unfortunately, these scripts record practically everything and send them away to be analysed.
It gets worse when you discover that, as the research team put it, it can’t “reasonably be expected to be kept anonymous’. As Motherboard explains, one such session replay script-making company FullStory actually gives site owners linked tracking information. They’d be able to see who a particular user was and watch back their entire site activities in real time – including everything they type.
Here’s a video of what FullStory’s Session Replay Script can do, but many other companies developing them also do similar:
As part of their research post, “No boundaries: Exfiltration of personal data by session-replay scripts”, the team from Princeton released a list of sites that used the scripts – but only sites that have been confirmed to send such recordings off to third parties.
Looking at the list of sites, there’s some rather worrying culprits. A quick glance shows that WordPress.com, Microsoft.com, Adobe.com and Spotify.com all use these tracking scripts. The Telegraph website is also a tracking culprit along with BBC Good Food. Thankfully, these sites haven’t been listed for doing more than simply using the software, sites that seem to actually record and send the data away to a third-party seem to be an odd mix, with Russian search website Yandex leading the charge.
Curiously, HP’s own website was listed as sending data along with Atlassian, Xfinity and Comcast.
Many companies that send this data do also offer up redaction services to remove sensitive information, but there’s plenty out there that don’t. That information leaking into the public sphere could have serious privacy implications.
“Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details, and other personal information displayed on a page to leak to the third-party as part of the recording,” the researchers wrote in their post.
Researchers noted that personal information and passwords usually slipped through any redaction software, even if it was only partially. Interestingly, both Session Replay Script providers UserReplay and SessionCam completely block information by tracking where a user clicks before they type. However, if information is displayed by default on a screen, such as logging into a site’s account page, your personal data is left unredacted.
In most cases, that’s fine. But when one site, such as American pharmacy chain Walgreens, lists previous medical conditions and prescriptions on your user page by default, all that information could easily fall into the wrong hands.
If you’re wondering just how likely that is to happen, it turns out things actually get worse. As noted in their post, the researchers discovered that these session tracking companies are actually in a position to be vulnerable to targeted hacks. Not only are they high-value targets, but many of the analytics dashboards their clients use run on non-encrypted HTTP pages instead of HTTPS pages.
By using HTTP over HTTPS, “this allows an active man-in-the-middle to inject a script into the playback page and extract all of the recording data,” the researchers explained.
Since the report went out, a handful of the sites using Session Replay Scripts and vendors responsible for creating them have commented on the matter. Many responses show that a lot of sites weren’t quite aware of how these things worked, and so are looking into halting such services or improving them to keep user data safe. On the development side, of the few that spoke up on the matter, SessionCam provided a blog post outlining their concerns and reassuring users that security and privacy are their prime concern.
As SessionCam is actually the safest provider of Session Replay Scripts, at least from a user’s privacy perspective, the post is rather reassuring that the company is all for keeping user data safe.
“Everyone at SessionCam can get behind the CITP’s conclusion: ‘Improving user experience is a critical task for publishers. However, it shouldn’t come at the expense of user privacy.’,” wrote SessionCam. “The whole team at SessionCam lives these values every day. The privacy of your website visitors and the security of your data is of paramount importance to us.
“I am grateful to the CITP for raising the issue and examining the questions. We will keep working to provide even stronger security and to give our clients and their customers the peace of mind they need.”
There is one way to defend against these session replay scripts, install AdBlock Plus. Previously it protected you against a handful of these trackers but now, following the Princeton study, it’s updated to protect you against every script listed by the researcher’s post.