Photo by Monoar Rahman via Pexels
Session replay scripts are a commonly used website tool that records just about every move you make while browsing a website, from the words that you type to the movement of your mouse, among many other things. While these are supposed to help web developers analyze how people use their sites, the tools are able to record far too much personal information.
Steven Englehardt, Gunes Acar, and Arvind Narayanan of Princeton's Center for Information Technology Policy have been looking into these tools, and describe them as working "as if someone is looking over your shoulder."
Providers of session replay scripts try to assure the public that website owners may opt to hide their users' information. However, the trio of researchers has found that many scripts are still able to capture too much data in spite of this.
Unlike aggregated and anonymous general analytics tracking, session replay scripts could record highly personal information such as credit card numbers, addresses, and other information entered by a user. Moreover, this data could be traced back to the user's identity.
Service providers usually include tools that enable web developers to redact such information from their servers. However, the researchers have found that these redaction tools aren't as effective as they claim to be. Not all information is guaranteed to be redacted. Some companies that redact your password might still record your address or date of birth.
Thus, it is up to website developers to manually ensure that any personal information which may identify or be linked to their users is carefully redacted, as the Princeton researchers point out. Such a process could prove costly and painstaking, since a website's code is modified over time.
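Because that manual review has to be repeated every time a form changes, a site team can automate part of it. The sketch below is an added example, not code from the researchers or from any replay vendor: it flags form fields that look like they hold personal data but carry no redaction marker. The attribute name `data-replay-redact`, the heuristics, and the sample fields are assumptions constructed for illustration.

```javascript
// Hypothetical marker; substitute whatever attribute or class your replay
// vendor documents for excluding a field from recording.
const REDACT_ATTR = "data-replay-redact";

// Heuristics for fields likely to hold personal data (constructed, not exhaustive).
const SENSITIVE_TYPES = new Set(["password", "email", "tel"]);
const SENSITIVE_AUTOCOMPLETE = /^(cc-|bday|street-address|address-|postal-code|tel|email)/;
const SENSITIVE_NAME = /(pass|card|cvv|cvc|ssn|birth|dob|addr|street|zip|postal|phone|email)/i;

function isSensitive(field) {
  const type = (field.type || "").toLowerCase();
  const autocomplete = (field.autocomplete || "").toLowerCase();
  const label = `${field.name || ""} ${field.id || ""}`;
  return SENSITIVE_TYPES.has(type) ||
    SENSITIVE_AUTOCOMPLETE.test(autocomplete) ||
    SENSITIVE_NAME.test(label);
}

// Returns the sensitive fields that are not marked for redaction.
function findUnredacted(fields) {
  return fields.filter((f) => isSensitive(f) && !f.redacted);
}

// Browser helper: describe live form controls. closest() also honours a
// marker placed on an ancestor such as the enclosing form.
function describeDom(doc) {
  return Array.from(doc.querySelectorAll("input, textarea, select"), (el) => ({
    name: el.name,
    id: el.id,
    type: el.type,
    autocomplete: el.getAttribute("autocomplete"),
    redacted: el.closest(`[${REDACT_ATTR}]`) !== null,
  }));
}

// Constructed sample mirroring the case described above: the password is
// redacted, but the address and date of birth are not.
const SAMPLE_FIELDS = [
  { name: "password", type: "password", redacted: true },
  { name: "card_number", type: "text", autocomplete: "cc-number", redacted: false },
  { name: "dob", type: "text", redacted: false },
  { name: "shipping_address", type: "text", redacted: false },
  { name: "search", type: "search", redacted: false },
];

function auditSample() {
  return findUnredacted(SAMPLE_FIELDS).map((f) => f.name);
}
console.log(auditSample());
```

In a browser or an end-to-end test, `findUnredacted(describeDom(document))` runs the same check against the rendered page. It verifies the markup only, not that the replay script actually honours the marker.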
Session replay scripts are making highly sensitive information available to identity thieves and scammers. For now, the best thing to do is use browser extensions such as Ghostery and NoScript, which prevent these sneaky scripts from running.