Over 400 of the World’s Most Popular Websites Record Your Every Keystroke, Princeton Researchers Find

Most people who’ve spent time on the internet have some understanding that many websites log their visits and keep a record of what pages they’ve looked at. When you search for a pair of shoes on a retailer’s site, for example, it records that you were interested in them. The next day, you see an advertisement for the same pair on Instagram or another social media site.

The idea of websites tracking users isn’t new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled “No Boundaries,” three researchers from Princeton’s Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world’s most popular websites track your every keystroke and then send that information to a third-party server.

Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered is still recorded, according to the researchers’ findings. If you accidentally paste something into a form that was copied to your clipboard, it’s also recorded. Facebook users were outraged in 2013 when it was discovered that the social network was doing something similar with status updates—it recorded what users typed, even if they never ended up posting it.

These scripts, or bits of code that websites run, are called “session replay” scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don’t just aggregate general statistics; they record individual browsing sessions and are capable of playing them back. The scripts don’t run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions.
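For site owners who want to check their own pages, here is an added example (not code from the Princeton study or from any vendor) of a static audit that flags a page when third-party scripts load alongside sensitive form fields. The host names, the lists of sensitive field types and the sample page are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists for this example; extend them to match your own forms.
SENSITIVE_TYPES = {"password"}
SENSITIVE_AUTOCOMPLETE = {"cc-number", "cc-csc", "current-password", "new-password"}

# Constructed sample page (hypothetical hosts).
SAMPLE = """<form action="/pay">
<input name="email" type="email">
<input name="card" autocomplete="cc-number">
<input name="pw" type="password">
</form>
<script src="/static/app.js"></script>
<script src="https://static.shop.example/ui.js"></script>
<script src="//cdn.replay-vendor.example/record.js"></script>"""

class PageAudit(HTMLParser):
    """Collects third-party script hosts and sensitive fields from one page."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host.lower()
        self.third_party_hosts = set()
        self.sensitive_fields = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            host = (urlparse(a["src"]).hostname or "").lower()
            # Relative URLs have no host; subdomains of the site count as first-party.
            if host and host != self.first_party and not host.endswith("." + self.first_party):
                self.third_party_hosts.add(host)
        elif tag in ("input", "textarea"):
            hints = set(a.get("autocomplete", "").lower().split())
            if a.get("type", "").lower() in SENSITIVE_TYPES or hints & SENSITIVE_AUTOCOMPLETE:
                self.sensitive_fields.append(a.get("name") or a.get("id") or tag)

def audit(html, first_party_host):
    """Return the sensitive fields, third-party hosts, and whether both are present."""
    p = PageAudit(first_party_host)
    p.feed(html)
    p.close()
    return {"exposed": bool(p.sensitive_fields and p.third_party_hosts),
            "fields": p.sensitive_fields,
            "hosts": sorted(p.third_party_hosts)}

if __name__ == "__main__":
    print(audit(SAMPLE, "shop.example"))
```

This only sees script tags present in the delivered HTML; scripts injected at runtime, for instance by a tag manager, need a check in a real browser.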

It’s difficult for the user to understand what’s happening “unless you dug deep into the privacy policy,” Steve Englehardt, one of the researchers behind the study, told me over the phone. “I’m just happy that users will be made aware of it.”

In the video below, you can see what a session replay script from the company FullStory can record:

