date 2017-11-20
Over 400 of the World's Most Popular Websites Record Your Every Keystroke (vice.com)
An anonymous reader quotes a report from Motherboard: The idea of websites tracking users isn't new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled "No Boundaries," three researchers from Princeton's Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world's most popular websites track your every keystroke and then send that information to a third-party server. Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers' findings. If you accidentally paste something into a form that was copied to your clipboard, it's also recorded. These scripts, or bits of code that websites run, are called "session replay" scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don't just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don't run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions. Most troubling is that the information session replay scripts collect can't "reasonably be expected to be kept anonymous," according to the researchers.
Quite often, these scripts are part of jQuery or some other JS framework that "needs" to know your keystrokes as a part of the web site interface, "application" if you will. Sure, this info can be used nefariously, but most likely the purpose is the web site interface mechanics itself.
You use what's called a hosts file. Can be found on Windows and Linux. Someone can add their two cents on iOS.
You can always block them through an ad-blocker, noscript or things of that nature in your browser.
https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html
How about a list please, a useful list, name of company, data stolen, scripts and cookies to be killed upon a slow smouldering flame. How can you say 400 without having a list of the 400? That's 400 players to add to noscript and cookiemonster.
Here is the list, linked to from the actual article. List of 400 [princeton.edu]
For years now I've been operating under the assumption that websites collect as much data on user interaction as possible, even including things like what links you mouse over (not necessarily click on), how long you spend reading content before moving on, and how long the cursor remains on different parts of the page. This is yet one more reason why I never browse without NoScript and uBlock Origin. Fortunately, as reported in the first link:
Does tracking protection help?
Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.
Now that this practice is getting a little more attention, here's hoping that more of these sites will be added to popular blocklists.
I have a nervous habit of idly swirling the mouse around while I read, and I've long suspected that sites were logging these movements. So, it's a habit that I've never tried to break, but rather I've been hoping that by passing the cursor over all sorts of page elements hundreds of times in the course of a few minutes, I'm screwing with their data collection somehow.
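Added example, not part of the thread or of the Princeton write-up: a small checker for the question raised above, namely whether a blocklist in Adblock Plus filter syntax (the format EasyList and EasyPrivacy use) actually covers a given script host. The list text and every hostname are constructed placeholders, not the vendors' real domains, and only `||domain^` rules are evaluated.

```python
"""Check which script hosts a blocklist in Adblock Plus filter syntax covers."""

# Constructed sample list: not real EasyList/EasyPrivacy content.
SAMPLE_LIST = """\
[Adblock Plus 2.0]
! Title: constructed sample
||listed-replay.example^$third-party
||cdn.partly-listed.example^
@@||static.listed-replay.example^
example.org##.ad-banner
/replay.js$script
"""

def parse_domain_rules(text):
    """Return (blocked, excepted) domain sets taken from ||domain^ rules."""
    blocked, excepted = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks, comments, the header and cosmetic (element hiding) rules.
        if not line or line[0] in "![" or "##" in line or "#@#" in line:
            continue
        target = blocked
        if line.startswith("@@"):          # exception rule
            line, target = line[2:], excepted
        if not line.startswith("||"):
            continue                       # path and regex rules are out of scope
        # Simplification: options such as $third-party are dropped, not evaluated.
        pattern = line[2:].split("$", 1)[0]
        if not pattern.endswith("^"):
            continue
        domain = pattern[:-1].lower()
        if domain and "/" not in domain and "*" not in domain:
            target.add(domain)
    return blocked, excepted

def _matches(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))

def coverage(hosts, list_text=SAMPLE_LIST):
    """Map each host to True when a block rule applies and no exception does."""
    blocked, excepted = parse_domain_rules(list_text)
    return {h: _matches(h, blocked) and not _matches(h, excepted) for h in hosts}

if __name__ == "__main__":
    for host, hit in coverage(["rec.listed-replay.example",
                               "unlisted-replay.example"]).items():
        print(f"{host}: {'blocked' if hit else 'NOT covered'}")
```

Matching is done on whole DNS labels, so a host that merely ends with the same characters as a listed domain is not reported as covered.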
This is yet one more reason why I never browse without NoScript and uBlock Origin.
In Firefox 57 there's now also the option to turn on its built-in tracking protection all the time [mozilla.org], as opposed to only in private browsing mode.
And even in earlier versions, such as the Firefox 52 that people are using in order to give Mozilla a few more months to make necessary APIs available to WebExtensions, the user can turn on Tracking Protection system-wide by entering about:config and turning on privacy.trackingprotection.enabled. The drawback is that several sites, such as TV Tropes, intentionally conflate tracking protection with an ad blocker and block page views until the user activates the "Disable protection for this site" control.
The list of websites:
https://webtransparency.cs.princeton.edu/no_boundaries/session_replay_sites.html
I guess they do really know what I'm thinking when I leave feedback but can never send the form.
On the other hand, much of the web is run on advertising dollars, and we are in an arms race between intrusive tracking and privacy. It is therefore anyone's guess how this will be used moving forward.
Obviously any autocomplete functionality, or the like, is going to require keystrokes sent to the server. A post will not suffice.
Cue the anti-script militants who prefer to download, compile, and install a native app when things like autocomplete are necessary.
Does disabling javascript help? I disabled it recently and the internet looks the way it used to. No fancy shit moving around with auto scrolling pages, very refreshing.
Without script, you're limited to the checkbox hack, navigation to other documents, and form submission as the only means of interaction, and every action other than the checkbox hack results in a full page reload. Some web applications aren't very usable under these constraints. On these apps, disabling JavaScript is good for showing "please download our native app or enable JavaScript" notices.