Some of the largest websites on the Internet use third-party software to track everything you do on their sites — including what you type, click, and scroll through.
Basic website tracking — page views, searches — isn’t news to anyone who pays attention to issues of online privacy and security. We’ve discussed website users being tracked, and we also offer a useful primer series on how Internet ads work.
The scope and depth of the tracking may unnerve even jaded readers, though. New research investigated the use of session replay scripts, which track what exactly users do while browsing, on some of the Web’s top sites. These sites are capturing everything you type, mouse over, and click on. You know, sort of like a keylogger. For performance diagnostics, some of it makes sense: When you run a website that can have hundreds of thousands of pages, you need to learn what people are doing on them and if any pages are broken or not working as intended.
Problems arise, however, because the software is capable of tracking a great deal of information that isn’t necessarily useful for website developers, and because third parties have access to that information. A group of researchers from Princeton University reported on the phenomenon, saying: “Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third-party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behavior.”
As the researchers also pointed out, this sort of playback software is “like somebody looking over your shoulder,” while you’re online. Watch the video below to learn more about how it works.
With that sort of recording also comes additional information that, if (or when) leaked, could be dangerous indeed. The research noted that this software has the ability to:
- Record passwords entered — and, although the developers tried to ensure that any password entered was redacted, it wasn’t perfect, and it didn’t work fully on mobile versions of sites.
- Capture sensitive data such as credit card numbers and dates of birth.
- Record data input into text boxes, even if that data isn’t submitted to the site — in other words, even if you don’t click “Search” or “Submit” or press Enter.
