It’s got a stuffy kind of title: “No boundaries: Exfiltration of personal data by session-replay scripts.” That’s the title of a paper written by researchers at Princeton University. What underlies that title is a potential invasion of privacy and gathering of data without permission on some 480 popular websites.
The paper says sites including Home Depot, Fidelity, Walgreen, CBS News, Reuters, and Samsung are literally tracking every single keystroke you make when you visit. A technique called “Session Replay” keeps track of everything you do while on the site.
“These scripts record your keystrokes, mouse movements, and scrolling behaviour, along with the entire contents of the pages you visit, and send them to third-party servers,” posted Steven Englehardt, one of the authors. “Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.”
It’s not just aggregating the data either. The study shows that some companies allow site publishers to link data to individual user identities.
Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes.
Experts quoted by the BBC questioned the legality of using the technique without user consent.
In addition to privacy concerns, the study points to potential security issues since, in some cases, passwords, credit card numbers, and other sensitive data can be collected by third parties without permission.
Read the full details here, including how medical data, prescriptions, and security questions and answers can be compromised.