The Dark Side of ‘Replay Sessions’ That Record Your Every Move Online
When internet users visit Walgreens.com, a software company may record every keystroke, mouse movement and scroll, potentially exposing medical conditions such as alcohol dependence, or the names of drugs a user has been prescribed, according to Princeton researchers.
Companies like Walgreens deploy these analytics-software providers to see how people use their website or to identify broken or confusing web pages. The analytics companies place “scripts” on their clients’ websites that record individual browsing sessions for later viewing or a “replay session.”
In effect, the researchers say, software companies are “looking over your shoulder” as you navigate certain websites. The extent of the data collected “far exceeds user expectations,” including recording what you type into a text box before you submit it, “all without any visual indication to the user,” according to a study released Wednesday.
In response to questions from WIRED, Walgreens said Wednesday it would stop sharing data with the software company, FullStory. “We take the protection of our customers’ data very seriously and are investigating the claims made in the article that was published earlier today,” Walgreens said in a statement. “As we look into the concerns that were raised, and out of an abundance of caution, we have stopped sharing data with FullStory.” A Walgreens spokesperson said FullStory’s software “essentially has an ‘on/off’ switch,” which the retailer has now turned off.
FullStory is among a group of seven “session replay” companies examined by the Princeton researchers. Analytics software that measures mouse movements or keystrokes has been around for years, says Steven Englehardt, one of the authors of the study. But the technology has typically been used to track groups of users, such as the parts of a web page where visitors linger the longest. The researchers found that FullStory and the other companies are now tracking users individually, sometimes by name.
The study also found FullStory capturing personal information from Bonobos, a retailer now owned by Wal-Mart. Other customers listed on FullStory’s website include Zocdoc, Shopify, CareerBuilder, SeatGeek, Wix.com, Digital Ocean, DonorsChoose.org, and more. FullStory did not respond to a request for comment.
The replay companies offer tools to help clients redact sensitive information both manually and automatically, but the researchers found that that process was often inadequate. The study found that Walgreens performed “extensive use of manual redaction” but FullStory still gained access to some personal information. On Bonobos’ site, FullStory captured credit-card details, including the cardholder’s name and billing address, the card’s number, expiration, and security code. Bonobos did not respond to a request for comment.
To gather data, Englehardt said researchers signed up for accounts on Walgreens and other sites. At Walgreens, they added prescription and health information, recording all the network traffic. They later analyzed the network traffic to see if the information they entered appeared in the session recording.
The researchers examined the 50,000 most-visited websites, according to Alexa. They found 482 sites that were sharing information about individuals with one or more of the seven replay companies. Englehardt said the percentage of sites leaking information to the software companies was likely higher, because the software companies track only a sample of visits to a given website.
While “keylogging” software has been around for a while, the practices highlighted in the new Princeton study are “by far the most pernicious,” examples of capturing user information, says Ashkan Soltani, a security and privacy researcher and former chief technologist for the Federal Trade Commission. “Capturing [the text typed into] every form field is a level of detail that I have not seen historically.”
“I don’t think most users realize that when they interact with a website that their information about that visit is being shared with 40 to 100 third parties,” Soltani says. Those companies typically record only that a user has visited a page, he adds, but in these cases they are capturing “not only that I visited that page, but also what content I submitted.”
One of the software companies identified by the study is Yandex, Russia’s largest search engine. Englehardt said the researchers did not examine whether Yandex’s tracking might have been part of state-sponsored surveillance. But he said that Yandex was most often used on Russian websites.
Englehardt said he and his colleagues plan to release additional studies examining data-collection practices by software companies that track web users.
Powered by WPeMatico