400 world's popular sites log everything you type

They spy on you more than you think

There’s no secret that anonymity and absolute privacy are non-existent ideas on the Internet. However, the researchers from Princeton University revealed that websites collect more information about you than you can imagine.^[1]

Websites are no longer interested in user’s clicks, visits, times spent on website or particular pages, clicked ads or purchased goods. They are recording your mouse movements, scrolling behaviors and every single letter you enter in various fields. It doesn’t matter if you changed your mind and deleted everything, they still have your entered information stored before you managed to click “Send” or “Submit” button.

Researchers from Princeton University analyses a bunch of popular websites in order to find out what information they collect and why they need it. Findings are concerning. More than 400 of Alexa’s the most popular 50.000 websites use “session replay” scripts^[2] that track everything you do on the site: clicks, entered letters or numbers and mouse movements.

It seems the privacy on the Internet is officially dead. However, some of the analyzed website owners tell that these activities are necessary to learn about visitors and fix problems on the site. Meanwhile, security experts warn about possible privacy-related issues and data leakage cases.

Extended tracking helps to learn about visitors

Various data tracking technologies have been used for years in order to display targeted ads. Online advertising might be based on user’s search queries or visited websites. Thus, if you have recently browsed through online shops and looked for the jacket, you might soon find an advertisement on various sites or social networks offering to buy a jacket.

Internet users more or less got used to this activity. However, the recent discovery surpasses the expectations of data tracking capabilities. Researchers report about increasing amount of websites that uses “session replay” scripts that allows tracking everything, including how fast you move the mouse and scrolling behavior.

This information helps to learn about visitors, how they use particular websites and identify the problems they might encounter, such as broken links or complicated user interface. Such activities might seem logical. However, ability to record and store written and deleted texts looks shady.

A similar situation was reported in 2013 when Facebook was spotted of collecting information from unpublished posts.^[3] Back then, the social network was storing every keyboard click before users hit “Publish.”^[4]

Security issues and cyber attack possibilities

Some of the analyzed websites ask people to enter sensitive information, such as full name, credit card details or medical information. However, some of them secretly collect even passwords and other personal information that might be not needed for improving user interface or browsing experience.

However, the biggest issues are related that some of these sites do not offer proper data security. Therefore, not only they collect lots of information about users but risk their privacy too. For instance, some sites do not use HTTPS protocol.

Therefore, if you register to the account or enter other personal information, you risk that some unknown third-party stands between you and the website. The absence of the security protocol creates perfect opportunity to launch a man-in-the-middle attack.^[5]

The increase of data breaches also raises concerns that cyber criminals might start soon targeting session script companies. The success of these attack depends on how much they invested in data security. However, discovered flaws do not bring any positive beliefs that criminals won’t manage to steal or use sensitive data soon.