All the Major Websites You Visit Record Your Every Keystroke and Mouse Movement

laptop (2)

TechViews News   …..

By now Internet users have come to expect websites and Internet Service Providers to perform some sort of tracking on their online activities. However, most people have yet to grasp just how invasive that tracking has become.

We usually focus on forms that require us to fill in personal information, or with email providers that read, catalogue and resell transmitted information. We know that web search engines collect everything we search for, but what about daily, basic web surfing or reading articles? It is now apparent that tracking/keylogging routines are way more intrusive than we may like to believe.

Researchers from Princeton’s Center for Information Technology Policy (CITP) have recently started a new series titled “No Boundaries,” which talks about how third-party scripts run and track a user’s every keystroke. The first post in the series focuses on exfiltration of personal data by session-replay scripts (via Motherboard.) “You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make,” the researchers write.

But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics for web publishers, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

Those of us in the Internet Security community feel exactly that way – as if someone is really watching over your shoulder. While few years back it was all about Google that used to do this as users complained about seeing advertisements based on their Gmail conversations or Google web searches, it is far more prevalent across most all websites now. Some of the world’s most-visited sites run this software with “session replay scripts” that track every move you make on their websites without a user’s explicit permission.

“Take yourself offline if you really don’t want anyone to follow you” has become the advice of the decade whenever you start talking about user security or privacy.

How session replay scripts fail to anonymize data

Since this collected data is often shared with publishers and is tied with a user’s real identity, those third party companies can profile user information based on data sent from multiple products or websites, mostly tied to a user’s login IP address or unique machine identifier. Anonymity cannot “reasonably be expected,” researchers warn despite many websites’ continued promises that user data is anonymized.

Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third-party as part of the recording.

This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes.

These session replay scripts also track users when they start filling up a registration form but never submit it. One of the recording software companies, FullStory, claims it only redacts credit card fields if the “autocomplete” attribute is set to “no-number.” If not, it will collect complete credit card info along with any other information that was inadvertently filled in.

And more importantly, these scripts also make even the HTTPS secured websites insecure as they run non-encrypted HTTP pages.

Once a session recording is complete, publishers can automatically review and catalogue the data using a dashboard provided by the recording service. This allows an active man-in-the-middle to inject a script into the playback page and extract all of the recorded data. This means that page content that was previously protected by HTTPS is now vulnerable to passive network surveillance.

Walgreens, one of FullStory’s clients, also had its user data leaked, including medical conditions and prescriptions. The company has now said it would stop using session replay scripts. “We take the protection of our customers’ data very seriously and are investigating the claims made in the study that was recently published,” Walgreens said. “As we look into the concerns that were raised, and out of an abundance of caution, we have stopped sharing data with software recording companies.”

While some companies have suggested they would stop using these invasive analytics tools, it is unlikely that websites and advertisers will stop pushing for these tools as they continue to record every keystroke, mouse movement, and scrolling behavior.

“I don’t think most users realize that when they interact with a website that their information about that visit is being shared with 40 to 100 third parties,” Ashkan Soltani, a security and privacy researcher said. While many expect these companies to record only what a user visits, they are now capturing “not only that I visited that page, but also what content I submitted and which websites I then move on to.”

Be Safe – Backup Your Data Regularly!


And don’t forget to take advantage of our FREE subscription to the Newsletter. A must-read if you are interested in Internet Security.