Hundreds of top websites record everything you do as if they’re ‘looking over your shoulder’
'What can go wrong? In short, a lot,' say researchers
Hundreds of the world’s top websites are recording everything you do, including your keystrokes, mouse movements and scrolling behaviour, a new report has found.
It’s as if they’re “looking over your shoulder”, and it isn’t always clear that they’re collecting your data.
What’s more, they’re sending this information to third-party “session replay” companies, and their methods can expose you to identity theft and online scams.
Princeton University researchers have found that 482 of the Alexa top 50,000 sites are doing this, and that the practice can cause sensitive personal information to leak.
This can include things like addresses, medical conditions and credit card details, which can also be linked to your name, and could in turn expose you to online scams or even identity theft.
“What can go wrong? In short, a lot,” wrote Steven Englehardt, one of the researchers, in a blog post.
“The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However the extent of data collected by these services far exceeds user expectations ... This data can’t reasonably be expected to be kept anonymous.”
The researchers analysed seven popular session replay firms and found that some of the websites using their services send users’ private information to them even though the firms require publishers to redact sensitive fields before recording and provide tools for doing so.
The redaction has to be done field by field by the publisher, and that process is difficult and time-consuming.
“To effectively deploy these mitigations a publisher will need to actively audit every input element to determine if it contains personal data,” says Mr Englehardt. “This is complicated, error prone and costly, especially as a site or the underlying web application code changes over time.”
As a result, the recordings include a lot more data than they should, such as users’ names, their full credit card number, expiration date, CVV number and billing address, the length of their passwords and even their doctor’s name and the medication they’re on.
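The redaction failure described above, as an added illustration that is not code from the Princeton study or from any replay vendor’s script: a toy session-replay recorder written as a pure function over a constructed stream of “input” events. The field names, the `redact` flag, the allow-list and the event shape are assumptions made for the example. It contrasts an opt-out design (send everything unless the publisher tagged the field) with a default-deny design, and shows the three leaks the article lists: an untagged field, a field added in a later release that nobody audited, and the length of a masked password.

```javascript
// Added example: toy session-replay recorder, not any vendor's real script.
// Everything below (field names, "redact" flag, event shape) is constructed.

const REDACTED = "[redacted]";

// Constructed form as deployed at two points in time. Each entry stands in
// for an <input>: its name, type, and whether the publisher tagged it for masking.
const FORM_V1 = [
  { name: "search", type: "text", redact: false },
  { name: "email", type: "text", redact: true },
  { name: "card_number", type: "text", redact: true },
  { name: "password", type: "password", redact: false }, // relies on type alone
];
// A later release adds a field that nobody went back and audited.
const FORM_V2 = FORM_V1.concat([{ name: "medication", type: "text", redact: false }]);

// One event per keystroke, as an "input" listener would observe them.
function keystrokes(field, text) {
  const out = [];
  for (let i = 1; i <= text.length; i++) out.push({ field, value: text.slice(0, i) });
  return out;
}

// Constructed user session against FORM_V2.
const SESSION = [
  { field: "search", value: "blood pressure" },
  { field: "email", value: "alice@example.com" },
  { field: "card_number", value: "4111111111111111" },
  ...keystrokes("password", "hunter2!"),
  { field: "medication", value: "Metformin 500mg" },
];

// Opt-out recorder: sends the value as typed unless the field was tagged or is a
// password input. Masking keeps the length (one "*" per character), so every
// keystroke still tells the recipient how long the secret is.
function recordOptOut(form, events) {
  const byName = new Map(form.map((f) => [f.name, f]));
  return events.map((ev) => {
    const field = byName.get(ev.field);
    const mask = field !== undefined && (field.redact || field.type === "password");
    return { field: ev.field, value: mask ? "*".repeat(ev.value.length) : ev.value };
  });
}

// Default-deny recorder: every input is replaced by a fixed token unless the
// publisher allow-listed it, and consecutive keystrokes in a masked field
// collapse to one event, so neither the text nor its length is sent.
function recordDefaultDeny(allowList, events) {
  const allowed = new Set(allowList);
  const out = [];
  for (const ev of events) {
    if (allowed.has(ev.field)) {
      out.push({ field: ev.field, value: ev.value });
      continue;
    }
    const last = out[out.length - 1];
    if (last && last.field === ev.field && last.value === REDACTED) continue;
    out.push({ field: ev.field, value: REDACTED });
  }
  return out;
}

// Which fields' final typed value appears verbatim in what was sent?
function leakedFields(recording, events) {
  const finalValue = new Map();
  for (const ev of events) finalValue.set(ev.field, ev.value);
  const sent = new Set(recording.map((r) => `${r.field}=${r.value}`));
  return [...finalValue].filter(([f, v]) => sent.has(`${f}=${v}`)).map(([f]) => f);
}

// Longest run of "*" sent for a field: the character count an observer can read off.
function maskedLength(recording, field) {
  const runs = recording
    .filter((r) => r.field === field && /^\*+$/.test(r.value))
    .map((r) => r.value.length);
  return Math.max(0, ...runs);
}

const optOut = recordOptOut(FORM_V2, SESSION);
const defaultDeny = recordDefaultDeny(["search"], SESSION);
console.log("opt-out leaks:", leakedFields(optOut, SESSION));
console.log("password length visible:", maskedLength(optOut, "password"));
console.log("default-deny leaks:", leakedFields(defaultDeny, SESSION));
console.log("events sent:", optOut.length, "vs", defaultDeny.length);
```

Running the opt-out recorder against either form version sends the medication field in the clear (under FORM_V1 the recorder has never heard of it, under FORM_V2 it was added without a tag), and the masked password arrives as eight asterisks, so its length is exposed exactly as the study found. The default-deny recorder sends only the allow-listed search box and collapses the rest to a fixed token, which is the posture a publisher would have to adopt to stop the audit problem Englehardt describes from recurring as the site changes.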
“Improving user experience is a critical task for publishers,” said Mr Englehardt. “However it shouldn’t come at the expense of user privacy.”
A list of websites that use third-party session replay scripts is available here.