Hundreds of popular websites sent keystrokes, mouse movements, scrolling behavior and the contents of visited pages to third parties without the user’s consent, according to a report compiled by researchers from Princeton University. The cause is so-called ‘session replay’ scripts.
(Website heatmap – credits City University Interaction)
These scripts record the user’s behavior so that it can be replayed later. “As if someone is looking over your shoulder”, the researchers write in their report. The purpose of these scripts is to gain insight into how visitors interact with websites and to discover broken or confusing pages. The amount of data these scripts collect exceeds what users expect, according to the researchers.
The collected data includes, for example, the text users type into forms on websites before the forms are even submitted, as well as exact mouse movements. And, contrary to what users expect, the data isn’t anonymized. Some companies even allow website publishers to link the collected data to a user’s real identity. For their research, the researchers analyzed the 7 most used ‘session replay’ scripts, specifically those of Yandex, FullStory, HotJar, UserReplay, Smartlook, Clicktale and SessionCam. The scripts were found on 482 websites in Alexa’s top 50,000.
The researchers warn that the data collection of these replay scripts can leak sensitive data such as medical conditions, credit card data and other personal information. The script vendors do offer methods to filter and remove sensitive data, but the website publisher has to manually walk through each page and check whether it collects personal data, something not all publishers do. The researchers found that at least one of the websites sent the password from its registration form to a third party, even though the form was never submitted.
Users of ad blockers also risk having their data collected by third parties and/or the vendors of replay scripts. The two most popular ad-block filter lists, EasyList and EasyPrivacy, don’t block the replay scripts of FullStory, SmartLook and UserReplay. EasyPrivacy does have filter rules for Yandex, HotJar, ClickTale and SessionCam.
UserReplay offers publishers the option not to collect data from users who have the ‘Do Not Track’ setting enabled in their browser. However, none of the Alexa top 1 million sites respects the Do Not Track rules.
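The page-by-page check the vendors leave to publishers, and the detection of replay scripts that filter lists miss, can both be automated. The following audit is an added example (not code from the Princeton study or from any vendor): it parses a page's HTML, reports script tags loaded from assumed session-replay vendor hostnames, and flags sensitive form fields that carry no suppression marker; the hostnames, the `data-hj-suppress` attribute and the `fs-exclude`/`fs-mask` classes are assumptions to verify against each vendor's current documentation.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed vendor hostnames and suppression markers (verify with each vendor).
REPLAY_HOSTS = ("hotjar.com", "fullstory.com", "mc.yandex.ru", "smartlook.com",
                "clicktale.net", "sessioncam.com", "userreplay.net")
SUPPRESS_ATTRS = ("data-hj-suppress",)
SUPPRESS_CLASSES = ("fs-exclude", "fs-mask")
# Field types and name fragments treated as sensitive by this audit.
SENSITIVE_TYPES = ("password", "email", "tel")
SENSITIVE_NAME_HINTS = ("card", "ccnum", "cvv", "ssn", "diagnosis")


class ReplayAudit(HTMLParser):
    """Collect replay-vendor script URLs and unprotected sensitive fields."""

    def __init__(self):
        super().__init__()
        self.replay_scripts = []
        self.unprotected_fields = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes map to None but are still present
        if tag == "script" and a.get("src"):
            host = urlparse(a["src"]).hostname or ""
            if any(host == h or host.endswith("." + h) for h in REPLAY_HOSTS):
                self.replay_scripts.append(a["src"])
        elif tag in ("input", "textarea"):
            name = (a.get("name") or a.get("id") or "").lower()
            sensitive = (a.get("type", "text").lower() in SENSITIVE_TYPES
                         or any(h in name for h in SENSITIVE_NAME_HINTS))
            classes = (a.get("class") or "").split()
            protected = (any(attr in a for attr in SUPPRESS_ATTRS)
                         or any(c in SUPPRESS_CLASSES for c in classes))
            if sensitive and not protected:
                self.unprotected_fields.append(name or f"<{tag}>")


def audit_page(html):
    """Return replay scripts found and sensitive fields lacking a marker."""
    parser = ReplayAudit()
    parser.feed(html)
    return {"replay_scripts": parser.replay_scripts,
            "unprotected_fields": parser.unprotected_fields}


# Constructed sample page: one replay script, one protected and two unprotected fields.
SAMPLE_PAGE = """<html><head>
<script src="https://static.hotjar.com/c/hotjar-000000.js"></script>
<script src="https://cdn.example.com/app.js"></script></head><body>
<form action="/register">
 <input type="email" name="email" data-hj-suppress>
 <input type="password" name="password">
 <input type="text" name="card_number">
 <textarea name="comments"></textarea>
</form></body></html>"""

if __name__ == "__main__":
    print(audit_page(SAMPLE_PAGE))
```

The password and card fields are reported even though the form is never submitted, which is exactly the case the researchers describe.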
“Improving user experience is a critical task for publishers. However, it shouldn’t come at the expense of user privacy,” the researchers conclude.
(Demonstration of how HotJar replays a user’s actions on a website)