Posted by: Christian J Nov 21 2017, 09:08 AM
https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/
QUOTE
You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.
I've assumed this has been going on for years, but it's good to see the abuse confirmed. No mentioning of Google or Facebook though, but they likely keep their gathered data to themselves.
QUOTE
The replay services offer a combination of manual and automatic redaction tools that allow publishers to exclude sensitive information from recordings.
[...]
A thorough redaction process is actually a requirement for several of the recording services, which explicitly forbid the collection of user data.
(The study then shows how the redaction requirement can be ignored by site owners due to incompetence or indifference, even for credit card data and passwords.)
All of this will only get worse, of course. One way to protect yourself is by disabling javascript. On pages that only work with javascript you might still block unnecessary third party scripts (the RequestPolicy addon for Firefox works very well, but isn't yet upgraded for Firefox 57/Quantum), or you might use a blacklist. Unfortunately it's sometimes hard to tell if a page works or not unless you enable everything on it, especially when Ajax scripts are involved, since you may not notice if background server connections fail.