Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Privacy The Internet Communications Security Software

Over 400 of the World's Most Popular Websites Record Your Every Keystroke (vice.com) 263

An anonymous reader quotes a report from Motherboard: The idea of websites tracking users isn't new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled "No Boundaries," three researchers from Princeton's Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world's most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. Most troubling is that the information session replay scripts collect can't "reasonably be expected to be kept anonymous," according to the researchers.
This discussion has been archived. No new comments can be posted.

Over 400 of the World's Most Popular Websites Record Your Every Keystroke

Comments Filter:
  • by Frosty Piss ( 770223 ) * on Monday November 20, 2017 @10:36PM (#55592427)

    Quite often, these scripts are part of jQuery or some other JS framework that "needs" to know your keystrokes as a part of the web site interface, "application" if you will. Sure, this info can be used nefariously, but most likely the purpose is the web site interface mechanics itself.

  • Google.com (Score:3, Interesting)

    by Anonymous Coward on Monday November 20, 2017 @10:36PM (#55592429)

    Yandex searches as you type, so its hardly surprising it captures and sends the keystrokes in realtime....

    But then again, so does Google, so why isn't Google on that list?

    • Searching as you type in a search field while displaying that obviously to the user, and recording key strokes with no searching or other useful function for the end user are two very different things.

      Adding Google to every tiny bit of outrage just dilutes the value of the complaints against them.

  • Not good... (Score:3, Funny)

    by Anonymous Coward on Monday November 20, 2017 @10:42PM (#55592443)

    I started typing:

    "I fucking hate you, Microsoft. I'm going to bomb your Azure datacenters and slit your throats. Eat shit and die, you incompetent fucks."

    Then I deleted it and actually submitted:

    "Dear Microsoft. I hereby request that you close my Azure account as I found the service unsuitable to my specific needs at this time. Thank you very much in advance. Sincerely yours, X."

    So now you're telling me that they have seen the first version?

  • 400 ? (Score:5, Interesting)

    by rtb61 ( 674572 ) on Monday November 20, 2017 @10:48PM (#55592463) Homepage

    How about a list please, a useful list, name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400. That 400 players to add to noscript and cookiemonster.

    • Re:400 ? (Score:5, Informative)

      by dfm3 ( 830843 ) on Monday November 20, 2017 @10:59PM (#55592495) Journal
      The page at the first link was updated with a link to their data [princeton.edu], complete with a list of all the offending sites that are ranked in the top 10,000 by Alexa.
    • Re:400 ? (Score:5, Informative)

      by Arzaboa ( 2804779 ) on Monday November 20, 2017 @11:04PM (#55592523)

      Here is the list, linked to from the actual article. List of 400 [princeton.edu]

      --
      "Ribbit" - Unknown frog

    • by AmiMoJo ( 196126 )

      Privacy Badger fixes most of this automatically. It's a good option for less technical people.

      uBlock Matrix with "medium mode" (https://github.com/gorhill/uBlock/wiki/Blocking-mode:-medium-mode) kills it completely. Without medium mode it also kills it, but you are reliant on the block list authors keeping up with whatever changes are made. Since this threat is so well known, they are probably on top of it.

    • How about a list please, a useful list, name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400. That 400 players to add to noscript and cookiemonster.

      ...and how bad is this flaw? Can they read everything I type in the browser tab where this website is loaded, everything I type in the browser regardless of the tab I'm using or can they literally key-log everything typed on the computer as long as the browser is running in the background?

    • How about a list please, a useful list, name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400. That 400 players to add to noscript and cookiemonster.

      They provide a zipped csv [princeton.edu] right on their site. Good to see I have even more reason to hate wordpress.

    • Probably safer to just assume all of them
  • by dfm3 ( 830843 ) on Monday November 20, 2017 @10:53PM (#55592481) Journal
    As one of the links even mentions, Facebook was caught doing the same with status updates (recording everything you type, even if you delete it before posting) back in 2013. What's news here is the extent to which websites are doing this these days.

    For years now I've been operating under the assumption that websites collect as much data on user interaction as possible, even including things like what links you mouse over (not necessarily click on), how long you spend reading content before moving on, and how long the cursor remains on different parts of the page. This is yet one more reason why I never browse without NoScript and uBlock Origin. Fortunately, as reported in the first link:

    Does tracking protection help?

    Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.


    Now that this practice is getting a little more attention, here's hoping that more of these sites will be added to popular blocklists.

    I have a nervous habit of idly swirling the mouse around while I read, and I've long suspected that sites were logging these movements. So, it's a habit that I've never tried to break, but rather I've been hoping that by passing the cursor over all sorts of page elements hundreds of times in the course of a few minutes, I'm screwing with their data collection somehow.
    • by theweatherelectric ( 2007596 ) on Monday November 20, 2017 @11:13PM (#55592579)

      This is yet one more reason why I never browse without NoScript and uBlock Origin.

      In Firefox 57 there's now also the option to turn on its built-in tracking protection all the time [mozilla.org], as opposed to only in private browsing mode.

      • And even in earlier versions, such as the Firefox 52 that people are using in order to give Mozilla a few more months to make necessary APIs available to WebExtensions, the user can turn on Tracking Protection system-wide by entering about:config and turning on privacy.trackingprotection.enabled. The drawback is that several sites, such as TV Tropes, intentionally conflate tracking protection with an ad blocker and block page views until the user activates the "Disable protection for this site" control.

      • In Firefox 57 there's now also the option to turn on its built-in tracking protection all the time [mozilla.org], as opposed to only in private browsing mode.

        You should do that anyway if for no other reason than to actually speed up the internet. http://www.ieee-security.org/T... [ieee-security.org]

      • Well well look who's here to yet again remind us how great FF 57 is. You got a script to help you do your job that flags keywords needing your response? Your affiliation is so blatantly obvious no amount of calling me a lunatic is going to help.
    • by AReilly ( 9339 )

      The issue isn't that web sites are doing real-time analytics. It's that they've all out-sourced the process to a handful of third party companies. No one cares that the information they've provided to the company they are interacting with over SSL gets seen by that company: of course it does. What they care about is that this stream of data is parceled up and sent (not necessarily securely, according to the article) to some company you've never heard of, and have no business relationship with.

    • I have the nervous habit of swirling a cat around while I read. The cat sees everything. There is no privacy. Every thing is viewed and or saved.
    • Personally, I think people are making a mountain of a molehill and thinking there is some nefarious reason behind this. The company I work for uses a product from IBM called Tealeaf which does exactly this, it records user sessions which can then be played back. The reason why we introduced this to our product was to understand our customer better to help us improve our product. For example marketing wanted to know what caused a customer to start a purchase and then stop halfway. They wanted to understand f
  • List of Websites (Score:5, Informative)

    by Anonymous Coward on Monday November 20, 2017 @11:03PM (#55592517)

    The list of websites:

    https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html

  • Slimy (Score:2, Funny)

    by Arzaboa ( 2804779 )

    I guess they do really know what I'm thinking when I leave feedback but can never send the form.

    --
    "Ribbit" - Unknown frog

  • Obviously any autocomplete funcitonality, or the like, is going to require keystrokes sent to the server. A post will not suffice. Google, for example, would need to save what the user typed and what the user chose, to optimize future results.

    On the other hand, much of the web is run on advertising dollars, and we are in an arms race between intrusive tracking and privacy. It is therefore anyones guess how this will be used moving forward.

    • Obviously any autocomplete funcitonality, or the like, is going to require keystrokes sent to the server. A post will not suffice.

      Cue the anti-script militants who prefer to download, compile, and install a native app when things like autocomplete are necessary.

  • Does disabling javascript help? I disabled it recently and the internet looks the way it used to. No fancy shit moving around with auto scrolling pages, very refreshing.

    • by tepples ( 727027 )

      Without script, you're limited to the checkbox hack, navigation to other documents, and form submission as the only means of interaction, and every action other than the checkbox hack results in a full page reload. Some web applications aren't very usable under these constraints. On these apps, disabling JavaScript is good for showing "please download our native app or enable JavaScript" notices.

  • by PPH ( 736903 )

    My cat was walking on the keyboard again.

  • from the browser. It's the only way to be sure.

    Can anyone suggest an extension to totally block this illegal 3rd party key logging? Ty.
    • by dcw3 ( 649211 )

      I'm not at all happy about it either, but what are you claiming is illegal?

  • Noscript (Score:4, Interesting)

    by Orgasmatron ( 8103 ) on Tuesday November 21, 2017 @12:04AM (#55592731)

    Tell me again why Noscript [noscript.net] isn't the default mode of every browser?

    Why does, for example, slashdot think that I want to run software provided by truste.com, janrain.com or pro-market.net? I don't know any of those sites, and while I appreciate that slashdot trusts those sites not to harvest my data or harm my computer, they aren't exactly the party with skin in the game.

    If you want to see how fucked up the web is, how fucked up we've allowed it to become, install noscript and set your browser to treat OCSP failures as hard errors. We have the technology to fix this. We just don't care enough to use it.

    • Comment removed based on user account deletion
    • Tell me again why Noscript [noscript.net] isn't the default mode of every browser?

      Because by default it breaks most of the internet and all but the most dedicated put up with manually having to manage whitelists.

    • Tell me again why Noscript [noscript.net] isn't the default mode of every browser?

      Because by default it breaks most of the internet and only the most dedicated of geeks are happy to battle with the frustration of managing whitelists to make basic browsing work.

    • The problem is the 99.9999% don't understand what you just wrote, or why it's important to them. They probably do know that one of the times they let a tech-minded friend help them, certain web pages stopped working. So we're back to the same reason that fucks up pretty much everything, eventually: once you let "normal people" use it, well, anything, shit will get broken. And once you let for-profit companies use it, its original intent will be perverted. That's why we have a crippled, adware-laden crap
  • by techdolphin ( 1263510 ) on Tuesday November 21, 2017 @12:13AM (#55592767)
    It seems like these websites are going to a lot of trouble to discover that I can't type and can't spell.
  • by redelm ( 54142 ) on Tuesday November 21, 2017 @12:22AM (#55592785) Homepage
    You know how Goggle and others do autocomplete on your search entries? Or spell check in text boxen? Or mouse zooming? How could they do this if every mouse/keystroke was not sent to them? Of course some loaded script does, and whatever else it does is probably described as "trojan".

    I do not much like this mis-behaviour and mostly browse using `links2`, a lynx-like text browser. Missing images is a feature :)

    • You know how Goggle and others do autocomplete on your search entries?

      Yeah I do. They don't typically do so on username or password fields. Maybe read the entire summary or article and actually understand the topic at hand before posting. Your UID is too low to be spouting something so silly.

    • Here's a fun party trick: go to Google.com, type in "Hillary Clinton", and try to get autocomplete to say something bad about her. Then, try it with "Donald Trump" (impeachment was the first auto-complete result I got, it may vary with your location).

      During the James Damore scandal, I couldn't get Google to suggest anything at all about his name. It just suggested variations on "d'amore", the French word for love. Weird, eh?

    • You know how Goggle and others do autocomplete on your search entries? Or spell check in text boxen? Or mouse zooming? How could they do this if every mouse/keystroke was not sent to them?

      You know you can turn off autocomplete in your browser search field, right?

      • by redelm ( 54142 )
        Yes, at least some browsers have this setting. And as another poster mentioned, scripts do not autocomplete all fields (uid/pwd). But this does not necessarily stop the scripts from running and sending running data, even if the browser does not show any useful return. Websites can adjust their behaviour per user, and might appear less intrusive to some users. Cookies & per-user scripts. That does not mean that they do not track and capture data, just that they are more subtle in displaying the resu
  • so if the website steals the errant/orphan/reconsidered keystrokes does that mean windows doesn't capture them maybe this is the lesser of two evils.
    • Windows captures them at a lower level, even before the keyboard event reaches the browser. Don't worry, MS knows even more that those spy web sites.
  • what are they doing with that information? I mean 99.99% of that is completely boresome, and for the rest, they'd need a quite capable AI algo to extract relevant information. Unless there is a 24/7 staff in charge of checking the crap that's been entered then deleted... which I doubt.
  • by hcs_$reboot ( 1536101 ) on Tuesday November 21, 2017 @12:59AM (#55592903)
    That proves (even if we've known that for a while) there is no control of web sites behavior. A concrete analogy is, you're angry after the tax office because you pay too much taxes, and start to write a letter, joking around, "go f..k yourself" etc... then throw that paper away and write the real one. Following this web site behavior, the tax officer is constantly looking over your shoulder - without you being even aware of that. This is totally unacceptable. The user should be at least made aware of that spying policy.
    • Granted, in that case you are technically writing the letter and throwing it away in the tax officer's office. People think they're doing online stuff 'from home', but the internet is the digital equivalent of walking around outside, with all the dangers, 'spying' and caveats that come with that.

  • Comment removed based on user account deletion
  • by geekymachoman ( 1261484 ) on Tuesday November 21, 2017 @04:18AM (#55593435)
    So, this is completely overblown out of proportion. I'm a web dev, and more. Basically I've been deciding and implementing all sort of web things, including this "tracking" everybody is hung up about. Everywhere I worked at, the "tracking" is used for the good of a consumer as in ... analyzing data to provide better user experience, to make it easier for the users to find what they need ( granted: in effort to increase sales ), when they need it, and overall just increase user experience.

    After 15 years of being in the business, I never seen tracking for malicious purposes (or purposes other than attempting to make it easier for YOU to use the website ).

    I understand the concerns people are having, but jesus christ you people talk about it like we're filming you while in a shower, just because websites track where people click and what they insert into a web form ( on their own sites ) does not mean they CARE about you. No business cares about the individual.. but about statistics, percentages, numbers.

    It's even said so in the article summary:
    "Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages."

    What on earth is so wrong about this ?
    For people doing it, this is you "a3727fd0a20d5eef697d3c2f41bf0e4d". This is what they see and track, and care about.

    Get over yourself, for god sake.
    • by afgam28 ( 48611 ) on Tuesday November 21, 2017 @06:02AM (#55593671)

      Let's suppose that there are no malicious uses of web tracking, that it is solely used to improve the user experience. There's still a big problem, which is that a lot of software developers are just incompetent when it comes to security. And sorry to break it to you, but your post proves that you're one of them.

      If you don't see the problem with a key logger on a site that contains a password field, and then sending those logged keys to a third-party, and through unencrypted channels, then you need to be fired from your job as a web dev asap.

    • by AmiMoJo ( 196126 ) on Tuesday November 21, 2017 @07:47AM (#55593879) Homepage Journal

      Looking at the number of sites that use anti-patterns (malicious UIs designed to trick the user) I'd say you have lived a very sheltered life.

      Getting you to buy more stuff IS abuse in many cases. Jacking up prices because your page view times and mouse hover positions suggest that you will pay 10% more is also abuse, and spying. It's creepy AF.

    • "He also forced everyone, small and great, rich and poor, free and slave, to receive a mark on his right hand or on his forehead, so that no one could buy or sell unless he had the mark, which is the name of the beast or the number of his name. This calls for wisdom. If anyone has insight, let him calculate the number of the beast, for it is man's number. His number is a3727fd0a20d5eef697d3c2f41bf0e4d."

    • by bluegutang ( 2814641 ) on Tuesday November 21, 2017 @09:37AM (#55594379)

      For people doing it, this is you "a3727fd0a20d5eef697d3c2f41bf0e4d".

      No, this is you: ID "a3727fd0a20d5eef697d3c2f41bf0e4d", username bob123, email address bobsmith123@gmail.com.

      And email address bobsmith123@gmail.com can be correlated with a Facebook account, medical history, credit rating, and much more.

    • I think I understand your point, there ARE valid uses for this.
      It's frustrating to develop software and not have full understanding about how your clients use it. There is a desire and a need to have that information in raw data that can be used to make the product better. It could even be used by client support and to help prevent bugs. I'm not talking about shopping carts or blogs, but enterprise-level systems that are very complex.

      But let's not kid ourselves... that isn't what this story is about.

  • It's almost as though the web were some sort of client-server technology!
  • Use uMatrix
  • Anyone ever come up with software to just pile shitloads of fake data into all these sniffers? I'd like every web page to think I hovered over every fucking link and wrote a bunch of random shit. All day every day.

    Would like to see something that requests pages off completely random websites every few seconds. Sure would make GCHQ style pricks work for their dinners.

    If you can't stop the trickle, make them drink from the fucking firehose.

  • jail time for somebody for illegally snooping without consent. Oh, we are in the USA, sorry for bringing that up.

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...