Posted by: Christian J Nov 21 2017, 09:08 AM
You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.
I've assumed this has been going on for years, but it's good to see the abuse confirmed. No mention of Google or Facebook though, but they likely keep their gathered data to themselves.
The replay services offer a combination of manual and automatic redaction tools that allow publishers to exclude sensitive information from recordings.
A thorough redaction process is actually a requirement for several of the recording services, which explicitly forbid the collection of user data.
(The study then shows how the redaction requirement can be ignored by site owners due to incompetence or indifference, even for credit card data and passwords.)
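The redaction gap described in the post, as an added example that is not part of the original post or the study: a small audit a site owner could run over their form fields to see which ones would still be recorded in the clear. The automatic rule, the `manualRedact` flag, the field list and the name heuristic are all assumptions made for illustration, not the behaviour of any particular replay service.

```javascript
// Constructed sample: form fields as a recorder might see them (not from a real site).
// manualRedact is a hypothetical flag standing in for a publisher's manual redaction marker.
const sampleFields = [
  { name: "email",    type: "email",    autocomplete: "email",            manualRedact: false },
  { name: "password", type: "password", autocomplete: "current-password", manualRedact: false },
  { name: "pw_shown", type: "text",     autocomplete: "",                 manualRedact: false }, // password echoed in a plain text input
  { name: "cardnum",  type: "text",     autocomplete: "cc-number",        manualRedact: false },
  { name: "cc",       type: "text",     autocomplete: "",                 manualRedact: false }, // card field with no hints at all
  { name: "ssn",      type: "text",     autocomplete: "",                 manualRedact: true  },
];

// Assumed automatic rule: mask password inputs and fields whose autocomplete
// hint marks them as payment or password data.
function autoRedacted(field) {
  return field.type === "password" ||
    /^(cc-|current-password|new-password)/.test(field.autocomplete);
}

// Heuristic: field names that suggest sensitive content.
const SENSITIVE_NAME = /(pass|pw|card|cc|cvv|cvc|ssn|iban)/i;

// Sort fields into: masked (manual or automatic redaction applies),
// exposedSensitive (looks sensitive, nothing masks it), recorded (everything else).
function auditFields(fields) {
  const report = { masked: [], exposedSensitive: [], recorded: [] };
  for (const f of fields) {
    if (f.manualRedact || autoRedacted(f)) report.masked.push(f.name);
    else if (SENSITIVE_NAME.test(f.name)) report.exposedSensitive.push(f.name);
    else report.recorded.push(f.name);
  }
  return report;
}

console.log(auditFields(sampleFields));
```

Fields in `exposedSensitive` are the ones that need a manual redaction marker or corrected markup before a recording script is allowed on the page.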