If you have spent enough time on the internet, you know that when you search for shoes, you will be shown advertisements for shoes online. If you search for cars, you will see ads and content about cars. This may be OK from an advertising perspective, but there is more to it than meets the eye. Princeton has conducted research in which they say, “This is the first post in our “No Boundaries” series, in which we reveal how third-party scripts on websites have been extracting personal information in increasingly intrusive ways”. You read it right, intrusive ways.
According to the researchers’ findings, if you go to a site, it not only records everything you’ve typed and clicked but also records the things that you have typed and deleted. If you remember, Facebook received flak for doing something similar in 2013. The social networking giant recorded what users typed, even if what was typed never ended up being posted. The scripts used to track this data are called “session replay” scripts.
According to the research, “You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behaviour, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder”.
Yes, the data is collected as if someone were looking over your shoulder as you browse the internet. This is scary, as a lot of personal information can be leaked, leading to fraud and identity theft, like something from an episode of Black Mirror.
The research goes on to say that passwords are included in session recordings, sensitive user inputs are redacted in a partial and imperfect way, manual redaction of personally identifying information displayed on a page is a fundamentally insecure model, and recording services may fail to protect user data.
According to Motherboard, “Since the Princeton researchers released their research, both Bonobos and Walgreens said they would stop using session replay scripts. “We take the protection of our customers’ data very seriously and are investigating the claims made in the study that was published yesterday. As we look into the concerns that were raised, and out of an abundance of caution, we have stopped sharing data with FullStory,” a spokesperson from Walgreens told me in an email last Thursday.”
If you would like to see the list of websites tracking users’ data, you can do so here.