A recent study carried out at Princeton University suggested that hundreds of websites are tracking your every keystroke. Popular sites such as Reuters, The Guardian, WordPress.com, Al Jazeera, and Samsung are among them.
The report sheds light on how deceptive this tracking can be. We already know that our page views, searches, and even scrolls are documented, but while you navigate a page, every keystroke and movement you make is also recorded using something called “session replays.” The study also names some of the companies that offer session replay services, such as UserReplay, Clicktale, Hotjar, SessionCam, Smartlook, Yandex, and FullStory.
“All of the companies studied offer some mitigation through automated redaction, but the coverage offered varies greatly by provider. UserReplay and SessionCam replace all user input with an equivalent length masking text, while FullStory, Hotjar, and Smartlook exclude specific input fields by type,” the report explains.
This is actually dangerous. As the report suggests, apart from directly invading your privacy, these services may reveal your sensitive information to outside parties. Although password input fields are explicitly excluded by most of these services, mobile-friendly forms are often not redacted in the recordings, so they end up disclosing your passwords, credit card numbers, and even the security codes of your credit cards.
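To see why excluding fields by type falls short of masking every input, the following added example (not code from the study or from any vendor) audits both redaction approaches against a constructed form. The field list, the `EXCLUDED_TYPES` set, the `SENSITIVE` name pattern, and the idea that a mobile-friendly form shows the password in a `type="text"` input are all assumptions made for illustration.

```javascript
// Added example: constructed form fields, not taken from any real site or vendor.
// Each entry models an <input>: its type attribute, its name, and what the user typed.
const fields = [
  { name: "email",            type: "email",    value: "user@example.com" },
  { name: "password",         type: "password", value: "hunter2!" },
  // Assumption: a mobile-friendly "show password" form renders the secret as type="text".
  { name: "password_visible", type: "text",     value: "hunter2!" },
  { name: "card_number",      type: "tel",      value: "4111111111111111" },
  { name: "cvc",              type: "text",     value: "123" },
];

// Policy A: replace every input with masking text of equal length.
function maskAll(field) {
  return "*".repeat(field.value.length);
}

// Policy B: exclude fields only by input type (hypothetical exclusion list).
const EXCLUDED_TYPES = new Set(["password"]);
function excludeByType(field) {
  return EXCLUDED_TYPES.has(field.type) ? null : field.value;
}

// Field names a site owner treats as sensitive (hypothetical pattern for the audit).
const SENSITIVE = /pass|card|cvc|cvv|ssn/i;

// Return the names of sensitive fields whose raw value would reach the recording.
function auditPolicy(policy, formFields) {
  return formFields
    .filter((f) => SENSITIVE.test(f.name))
    .filter((f) => policy(f) === f.value)
    .map((f) => f.name);
}

// Run both policies over the constructed form and collect what each one lets through.
function report() {
  return {
    maskAll: auditPolicy(maskAll, fields),
    excludeByType: auditPolicy(excludeByType, fields),
  };
}

console.log(report());
```

A site owner can run the same kind of audit against their own form inventory before enabling a replay script, and treat any non-empty result as a field that needs explicit exclusion.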
“The first area of concerns here is the legality of recording people’s keystrokes without first informing them of the fact,” said Paul Edon, director at security firm Tripwire while speaking with BBC News. “If these websites do not alert the user to the fact that they are recording keystrokes, then I would class this under ‘nefarious activity’ as it is being less than honest, and the information is being collected without the user’s knowledge.”
What is most terrifying is that users only share this kind of information when making a payment or signing up for a service, where the information provided is supposed to be confidential.