User experience test tools: A privacy accident waiting to happen

Researchers watch publishers watching you, ignore privacy settings, run over mere HTTP

By Richard Chirgwin

Posted in Security, 20th November 2017 03:58 GMT

Researchers working on browser fingerprinting found themselves distracted by a much more serious privacy breach: analytical scripts siphoning off masses of user interactions.

Steven Englehardt (a PhD student at Princeton), Arvind Narayanan (a Princeton assistant professor) and Gunes Acar (postdoctoral researcher at Princeton) published their study at Freedom to Tinker last week. Their key finding is that session replay scripts are indiscriminate in what they scoop, user permission is absent, and there's evidence that the data isn't always handled securely.

Session replay is a popular user experience tool: it lets a publisher watch users navigating their site to work out why users leave a site and what needs improving.

As the authors wrote in their analysis: “These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.”

Speaking to Vulture South, Englehardt said the trio decided to analyse fingerprinting by injecting a unique value into Web pages to see where personal information was being sent.

“We didn't really expect to find” the session replay companies, he said.
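The method Englehardt describes, planting a unique value in a page and then looking for it in outbound traffic, can be sketched as below. This is an added example, not the researchers' code: the bait value, host names and request records are constructed, and the set of encodings searched for is an assumption.

```python
import base64
import hashlib
from urllib.parse import quote, urlsplit

BAIT = "bait.7f3a9c@example.test"  # constructed unique value typed into the test page


def bait_encodings(bait):
    """Forms the bait may take on the wire; hashes catch identifier-style leaks."""
    raw = bait.encode()
    return {
        "plain": bait,
        "urlencoded": quote(bait, safe=""),
        # Substring search only finds base64 of the bait encoded on its own.
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }


def find_leaks(requests, first_party, bait):
    """Return (host, scheme, forms) for each third-party request carrying the bait."""
    needles = bait_encodings(bait)
    leaks = []
    for req in requests:
        parts = urlsplit(req["url"])
        host = parts.hostname or ""
        # Simplification: first party = the exact host or a subdomain of it.
        if host == first_party or host.endswith("." + first_party):
            continue
        haystack = req["url"] + "\n" + req.get("body", "")
        forms = sorted(name for name, n in needles.items() if n in haystack)
        if forms:
            leaks.append((host, parts.scheme, forms))
    return leaks


# Constructed capture: one first-party form post and four third-party requests.
SAMPLE_REQUESTS = [
    {"url": "https://shop.example.test/register", "body": "email=" + quote(BAIT, safe="")},
    {"url": "https://replay.vendor.test/rec", "body": '{"type":"input","value":"%s"}' % BAIT},
    {"url": "https://cdn.metrics.test/p?uid=" + hashlib.sha256(BAIT.encode()).hexdigest()},
    {"url": "http://track.ads.test/c?e=" + quote(BAIT, safe="")},
    {"url": "https://fonts.static.test/a.woff2"},
]

if __name__ == "__main__":
    for host, scheme, forms in find_leaks(SAMPLE_REQUESTS, "shop.example.test", BAIT):
        print(f"{host} ({scheme}): bait seen as {', '.join(forms)}")
```

The scheme is reported alongside each hit so that a bait value leaving the browser in cleartext stands out from one sent over HTTPS.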

The next surprise, he said, is how deep the session replay scripts dig.

Anonymity? They've heard of it

“You might think these recordings are anonymous, but some of the companies we studied are offering the option to identify the user -- so you know that Richard viewed your site, along with his e-mail address”, Acar told The Register.

One reason this happens, they explained, is that as publishers increasingly put content behind secured paywalls, user activity becomes hard to follow.

Englehardt said the page the user is viewing “might only exist behind the login”, meaning that to capture a session for replay to the publisher, the third-party company has to “scrape the whole page”.

The scripts in the study came from companies like Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam.

They also found replay scripts capturing checkout and registration processes.

The extent of that data collection can cause “sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third-party as part of the recording”, they wrote.

There is also the potential for data to leak to the outside world, when the customer views the replay, because some of the session recording companies offer their playback over unsecured HTTP.

“Even when a Website is HTTPS, and the information is sent [to the session replay company] over HTTPS, when the publisher logs in to watch the video, they watch on HTTP”, Englehardt said.

That meant network-based third parties could snoop on the replay.

Session replay companies with unsecured publisher dashboards included Yandex, Hotjar, and Smartlook.

The study also found the session replay scripts commonly ignore user privacy settings.

The EasyList and EasyPrivacy ad-blockers don't block FullStory, Smartlook, or UserReplay scripts, although “EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.”

“At least one of the five companies we studied (UserReplay) allows publishers to disable data collection from users who have Do Not Track (DNT) set in their browsers,” the study said. ®
