According to new research from Princeton University’s Center for Information Technology Policy (CITP), at least 482 of the world’s top 50,000 websites use a technology called “session replay scripts” to record every keystroke, mouse movement, and scroll a user makes while visiting the site. The scripts and the frameworks behind them are supplied to the websites by third-party developers.
Some of these scripts capture personally identifiable information and do not strip it from the behavioral data they deliver to the publishers’ sites.
The Princeton researchers noted:
“Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.”
Four of the six session replay script makers reviewed exclude a user’s password from the data they provide to customers: FullStory, SessionCam, Hotjar, and Yandex. The other two in the study, UserReplay and Smartlook, replace all user input, including passwords and credit card numbers, with masking text of the same length.
Only two, FullStory and Smartlook, exclude all credit card information. Of the remaining four, Yandex supplies credit card data in clear text, while the others either mask it or send only the last four digits in clear text.
The researchers examined the pharmacy section of Walgreens.com, which embeds the session replay script from FullStory. Because some of the captured data is not redacted, someone viewing the replay can match a user’s name to a prescription. That is very likely information the user would not want the whole world to know.
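The masking behaviours described above (dropping a value, replacing it with equal-length masking text, or keeping only the last four digits) and the Walgreens case (free-text fields that nobody thought to redact) are easy to reason about with a small site-side redaction pass. The following is an added example written for this article; it is not code from the Princeton report or from any replay vendor. It runs over form input before anything is handed to a third-party replay library. The field records, the `policyFor` heuristics and the `replayAllowed` flag are constructed assumptions for illustration; the point is the default-deny rule for anything nobody classified.

```javascript
// Added example, not from the Princeton report or any replay vendor's code.
// A site-side redaction pass applied to captured form input before it is
// forwarded to a session replay service. Field records are a constructed
// stand-in for DOM form controls.

const MASK_CHAR = "*";

// Decide how a field's value may leave the page. Hypothetical heuristics based
// on type/name/autocomplete; production sites should tag fields explicitly.
function policyFor(field) {
  const type = (field.type || "").toLowerCase();
  const hint = `${field.name || ""} ${field.autocomplete || ""}`.toLowerCase();
  if (type === "password" || /cc-csc|cvv|cvc/.test(hint)) return "exclude";
  if (/cc-number|cardnumber|card-number/.test(hint)) return "last4";
  if (field.replayAllowed === true) return "allow"; // explicit opt-in only
  return "mask"; // default: content never leaves the page, only its length
}

// Apply one of the policies the article describes to a single value.
function redactValue(value, policy) {
  switch (policy) {
    case "allow":
      return value;
    case "mask":
      // Equal-length masking text, as UserReplay/Smartlook are described doing.
      return MASK_CHAR.repeat(value.length);
    case "last4": {
      const digits = value.replace(/\D/g, "");
      // Too short to be a card number: mask fully rather than expose the
      // "last four" of something else (a phone number, say).
      if (digits.length < 13) return MASK_CHAR.repeat(value.length);
      return MASK_CHAR.repeat(digits.length - 4) + digits.slice(-4);
    }
    case "exclude":
    default:
      return null; // dropped from the recording entirely
  }
}

// Redact a whole form; fields whose policy is "exclude" are not forwarded at all.
function redactFields(fields) {
  return fields
    .map((f) => {
      const policy = policyFor(f);
      return { name: f.name, policy, value: redactValue(f.value, policy) };
    })
    .filter((f) => f.value !== null);
}

// Constructed sample: a login form, a checkout form and a pharmacy search box.
const SAMPLE_FIELDS = [
  { name: "qty", type: "number", value: "2", replayAllowed: true },
  { name: "password", type: "password", value: "hunter2!" },
  { name: "cardnumber", type: "text", autocomplete: "cc-number", value: "4111 1111 1111 1111" },
  { name: "cvv", type: "text", autocomplete: "cc-csc", value: "123" },
  { name: "rx-search", type: "search", value: "lisinopril 10mg" },
];

function demo() {
  return redactFields(SAMPLE_FIELDS);
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design points are worth noting. Equal-length masking still reveals how long a password or search term was, so the `exclude` policy is the safer default for credentials; and the `mask` fallback for unclassified fields is what would have prevented the name-plus-prescription correlation the researchers observed, because a free-text field is never forwarded unless the site operator has explicitly opted it in.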
The full report is available at the freedom-to-tinker.com website hosted by Princeton and includes a demonstration of how the tracking software works and a case study of Walgreens’ use of it. A list of all 482 sites that use session replay scripts is linked inside the report. According to an article in Wired, Walgreens no longer shares data with FullStory.