A new study from Princeton University has shown that your keystrokes, mouse movements, scrolling behaviour, and the entire contents of the pages you visit may be tracked and recorded by hundreds of companies.
The study revealed that no fewer than 480 of the world’s top 50,000 websites are known to have used a technique called ‘session replay’, which, although designed to help companies understand how customers use their websites, also records an alarming amount of potentially dangerous information.
The researchers found that companies are now tracking users individually, sometimes by name.
The session replay software detected in the study was offered by seven firms: FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar and Yandex.
The research showed that companies using the software (on 492 sites) were sharing information about individuals with one or more of the seven replay companies, and that the percentage of sites giving information to the software companies was likely higher, because the software companies track only a sample, not the total, of visits to a website.
Companies Using The Software
As indicated in the research, some companies believed to be using session replay software include the Telegraph website, Samsung, Reuters, Home Depot (US retailer) and CBS News.
What’s The Risk?
As the researchers pointed out, this kind of software is like someone looking over your shoulder, and the extent of the data collected may far exceed user expectations, with no visual indication to the website visitor that such monitoring is taking place.
Security commentators have noted that, alongside general browsing data, these third-party replay scripts are also capable of collecting some very sensitive and personal information, e.g. medical conditions and credit card details. Depending on how this data is transmitted and stored (where, and how securely?), this could expose people to risks such as identity theft and online scams.
The research also raised the question of whether state-sponsored surveillance is being carried out with session replay software, when it was noted that Yandex (one of the session replay software companies) is also Russia’s largest search engine.
What Does This Mean For Your Business?
Creeping surveillance and monitoring for multiple purposes is now part of our daily lives. Examples include CCTV, monitoring / surveillance of behaviour and Internet use at work, tracking via our mobile phones, EPOS / supermarket recording of our purchases, storage of our browsing history as part of the Investigatory Powers Bill / ‘Snooper’s Charter’, social media monitoring, and government attempts to gain back-doors into, and stop end-to-end encryption of, popular platforms like WhatsApp.
Keystroke monitoring in itself is nothing new, but the difference now is that cyber-crime is at a high, data protection has become a more public issue with data breach reports in new regulations on the way in (GDPR), and the latest session replay software is capable of recording so much detail, including our most sensitive data and interests.
For businesses, session replay software could be an asset in understanding more about customers and making marketing more effective and efficient. As consumers, we could be forgiven for having cause for concern, and with things like ad-blockers capable of filtering out only some replay scripts, we remain somewhat vulnerable to the risks that they may pose.