It’s got a stuffy kind of title: “No boundaries: Exfiltration of personal data by session-replay scripts.”  That’s the title of a paper written by researchers at Princeton University.  What underlies that title is a potential invasion of privacy and gathering of data without permission on some 480 popular websites.

The paper says sites including Home Depot, Fidelity, Walgreens, CBS News, Reuters, and Samsung are literally tracking every single keystroke you make when you visit.  A technique called “Session Replay” keeps track of everything you do while you are on the site.

“These scripts record your keystrokes, mouse movements, and scrolling behaviour, along with the entire contents of the pages you visit, and send them to third-party servers,” posted Steven Englehardt, one of the authors.  “Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.”

The data isn’t just aggregated, either.  The study shows that some companies allow site publishers to link data to individual user identities.

Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes.

Experts quoted by the BBC questioned the legality of using the technique without user consent.

In addition to privacy concerns, the study points to potential security issues since, in some cases, passwords, credit card numbers, and other sensitive data can be collected by third parties without permission.

“The account page of the clothing store Bonobos leaks full credit card details to FullStory. The screenshot of Chrome’s network inspector shows the leaked data being sent letter-by-letter as it is typed. The user’s full credit card number, expiration, CVV number, name, and billing address are leaked on this page. Email address and gift card numbers are among the other types of data leaked on Bonobos site.” – No boundaries: Exfiltration of personal data by session-replay scripts
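A site owner can check for the letter-by-letter leak described in the quote above by typing a known canary value into a form and scanning the requests the browser made. This is an added example, not code from the paper or from this post; the hosts, payload format, thresholds and function names are constructed assumptions.

```javascript
// Added example. Constructed capture: requests seen while typing a canary card
// number into a checkout form on shop.example (hosts, paths, payloads are made up).
const FIRST_PARTY = "shop.example";
const CANARY = "4111111111111111"; // test value, never a real card number
const MIN_STEPS = 3; // assumed threshold: growing prefixes needed to call it a stream
const MIN_LEN = 4;   // assumed threshold: ignore matches on one or two characters
const captured = [
  { url: "https://shop.example/api/cart", body: '{"items":2}' },
  { url: "https://replay-vendor.example/rec", body: '{"evt":"input","v":"4"}' },
  { url: "https://replay-vendor.example/rec", body: '{"evt":"input","v":"41"}' },
  { url: "https://replay-vendor.example/rec", body: '{"evt":"input","v":"4111"}' },
  { url: "https://replay-vendor.example/rec", body: "v=" + Buffer.from(CANARY).toString("base64") },
  { url: "https://cdn.example/pixel?page=checkout", body: "" },
  { url: "https://shop.example/api/pay", body: '{"card":"4111111111111111"}' },
];

// Length of the longest canary prefix that appears anywhere in the text.
function longestPrefix(haystack, secret) {
  for (let n = secret.length; n > 0; n--) {
    if (haystack.includes(secret.slice(0, n))) return n;
  }
  return 0;
}

// Report third-party hosts that receive the canary, either as a stream of
// growing prefixes (keystroke capture) or as the full value (plain or base64).
function findLeaks(requests, secret, firstParty) {
  const b64 = Buffer.from(secret).toString("base64");
  const hosts = new Map();
  for (const { url, body } of requests) {
    const host = new URL(url).hostname;
    if (host === firstParty || host.endsWith("." + firstParty)) continue;
    const s = hosts.get(host) || { host, last: 0, steps: 0, full: false };
    const hay = url + "\n" + body;
    const n = longestPrefix(hay, secret);
    if (n > s.last) { s.steps++; s.last = n; } // value grew since the last request
    if (n === secret.length || hay.includes(b64)) s.full = true;
    hosts.set(host, s);
  }
  return [...hosts.values()]
    .map((s) => ({ host: s.host, fullValue: s.full,
                   keystrokeStream: s.steps >= MIN_STEPS && s.last >= MIN_LEN }))
    .filter((r) => r.fullValue || r.keystrokeStream);
}

console.log(findLeaks(captured, CANARY, FIRST_PARTY));
```

The same function can be fed the request list from a HAR export, mapped to `{ url, body }` pairs.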

Read the full details here, including how medical data, prescriptions, and security questions and answers can be compromised.

H/T Gadgets 260

“During account signup, Walgreens requires a user to verify their identity by asking a standard set of identity verification questions. The selection options for these questions, which may reveal the user’s personal information, are displayed on the page and are transferred to FullStory. Additionally, the mouse tracking feature of FullStory will likely reveal the user’s selection, even though the radio button selection is redacted. The inclusion of this data in recordings directly contradicts the statement at the top of the page: ‘Walgreens does not retain this data and cannot access or view your answers’” – No boundaries: Exfiltration of personal data by session-replay scripts