Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
The Courts Privacy Technology

Papa John's Sued For 'Wiretap' Spying on Website Mouse Clicks, Keystrokes (theregister.com) 60

Papa John's is being sued by a customer -- not for its pizza but for allegedly breaking the US Wiretap Act by snooping on the way he browsed the pie-slinger's website. From a report: The titan of greasy wheels is accused of falling foul of wiretapping rules by using so-called session replay software on its website. This software records and phones home everything a user does on the site, beyond what fetching pages and placing an order would submit, we're told. For instance, it tells Papa John's where the mouse is moved and clicked, and what's typed into the page, it's claimed [PDF]. This info can be used to figure out where users get stuck, bail out of a sale, get lost, and so on. Session replay tools have been a privacy concern due to their indiscriminate capturing of data, sometimes poor security, and failures to get user consent to track and store this data, not to mention having analysts going over your every move to see how they can optimize their webpages and boost sales. On the other hand, you may not see it as that much of a concern given all the other material data a website might have on you -- such as name, email and home address, date of birth, orders placed, payment details, etc etc.
This discussion has been archived. No new comments can be posted.

Papa John's Sued For 'Wiretap' Spying on Website Mouse Clicks, Keystrokes

Comments Filter:
  • by BlacKSacrificE ( 1089327 ) on Friday October 07, 2022 @04:43PM (#62947915)

    I'm as pro privacy as anyone, but to me this is no different to watching someone walk around your shop on the CCTV display in the back office. And while it makes no specific mention of tracking keystrokes, their privacy policy [papajohns.com] makes it pretty clear what they are up to. I'd be more concerned about the third party stuff than anything.

    • by quall ( 1441799 )

      True, but also includes zooming in on your debit card number and making note of the pin that you typed when you paid.

      To be fair though, I don't know who Papa's payment vendor is or how it's configured, so logging your payment details, email and account password (which people often re-use) may not be a thing. I assume it's all plain text.

      • Alarmingly, I can't find anything about session replay software ignoring payment screens, so that may be a valid concern I had not considered. It's fucking infuriating being the guy who gives benefit of doubt in $current_year. I would be less worried about CCTV cameras capturing my card than some dude behind me with his mobile phone though. Most CCTV cameras seem to be a special flavour of foggy mess.

        • When you implement session replay you are given specifications for marking various fields to be suppressed from the recording. I believe most default to also mask fields of type="password" by default.

        • by jythie ( 914043 )
          So while I have no idea how their replay software works, years ago I worked on a product that had such a feature and we were VERY neurotic about payment information not getting into the log. Big hairy 'we don't anything bad to happen' deal.
        • When adding session-reply to your site, you can choose to limit the pages it is loaded into, so you could exclude your payment pages. That said, I know that, at least in Europe, you can't handle payment details yourself unless you have several certifications that allow to to capture and store card information (PCI DSS, PA-DSS, and probably more), and so what many webshops do is offload payment by redirecting the users to a payment provider's domain, that then redirects back to the site owner when payment co
        • It depends on how the website is set up. If you're taking Customer details on your own platform then yes, that data is recorded. But that data would also be sorted regardless because you're buying something. If the platform is designed to redirect the user to a third party payment gateway I e ayden or PayPal, then no, your data is only recorded up to the point of leaving . Regardless of this all session recordig providers offer an option to grey out sensitive data. There isn't a single one that doesn't bec
    • by Osgeld ( 1900440 )

      your shop is not my personal property

    • I think there's a difference. You walk in a store knowing fully well you're in somebody else's territory/property. At home, you have the presumption of privacy. It's as if somebody's attached electronic bugs to your window and then decides to listen in to your intimate conversations and whatnot. It's not the same as your neighbors just sitting by their window and catching random words as you argue with your partner. In the end it's the level of detail that differentiates the snoop from the person who merely
      • What a load of irrelevant dross. You must be one of these muppets who thinks you are free to do as you wish on a forum with no ramifications. You are in someone elses property, albeit virtual, when you are accessing a website. You agree to the house rules, including monitoring to make sure you are not being a racist asshat or trying break the website with input fuzzing or other methods, or you close the tab.

        When a website starts actively recording external actions (reads, activating your webcam/mic to see i

  • While I am no fan of privacy violations, I wonder, from a legal standpoint, is it different than restaurants putting cameras inside the their estabilishments.
    I guess the difference is that this type of online wiretapping is not disclosed to the user.

    • by jythie ( 914043 )
      It is also executing on the user's computer. Web software is always in a bit of a grey area because of that.
    • by Osgeld ( 1900440 )

      your shop is not my personal property!

  • by Arethan ( 223197 ) on Friday October 07, 2022 @04:46PM (#62947927) Journal

    This "wiretapping software", that records mouse movements and clicks performed on the website, has been around for many many years. And as others have pointed out, it is analogous to a CCTV camera within a storefront.

    Best of luck, I hope he wins all of the monies from the big corporation, but this feels like a big uphill battle to me.

    • by cstacy ( 534252 )

      This "wiretapping software", that records mouse movements and clicks performed on the website, has been around for many many years..

      Am I to understand that this tracking is not done on Google, Facebook, Amazon, and more or less every consumer web site? I thought this was totally standard all these years!

      Maybe this is why so many sites (like all the pizza places I order from) suck so much. They don't hire anyone to do this usage analysis.

      Good for Papa Johns!

      Obviously, I don't think it's a big deal. It was shocking for about 10 seconds when I first heard about it, which was about 10 seconds after web sites started using Javascript...

      Howev

    • Lots of websites do this. For instance when they see your cursor heading for the window/page/tab close button but they pop up a notification saying "Hey, don't leave yet, we may or may not offer you something to stay!"

      Yes, it is creepy, but in case nobody had noticed the whole internet is creepy now. Has been for a long time.
    • It's like they've never heard of NoScript. Most commerce sites only need around 3 to 5 out of at least a dozen JavaScript assets that they try to load.
  • by Murdoch5 ( 1563847 ) on Friday October 07, 2022 @04:57PM (#62947947) Homepage
    Providing the capture is done purely on the site which you're using, I don't see a problem with it, because most commercial sites preform this kind of analysis.

    Creating a simple mouse tracker is easy, you need a couple dozen lines of JavaScript, PHP, GO, or another language, a DB, the user agent, and the resolution of the site. Once you have that information you just generate a heat map, and you're done. This kind of analysis can be programmed from scratch in a couple hours, and I know that because I've literally written a tool that does it for a graphic designer who claimed it was critical information. That GD ended up discarding the program because it didn't tell him what he needed or wanted, which shocks no one.

    Tracking user interaction is critical for understanding how someone uses your site, or even if they can use your site, and it's not an overreaction to say you're doing your company / organization a disservice if you don't collect it.

    You willingly give your IP, User Agent and interaction data to any site you visit, and since you readily give it up, then you can't complain when it's collected. That being said if you really want to be careful, use a VPN, use a User Agent Switcher / Randomize, and use scripts which bleep with the interaction metrics, that's your right, and no site should stop you from using it if you do.
    • by Entrope ( 68843 )

      Can you provide, or link to, the "couple dozen lines of" Go that you claim are sufficient to do this?

      • Sure, let me pull out the old program and get it running, I'll do that tomorrow :)
        • Re: (Score:1, Flamebait)

          by Osgeld ( 1900440 )

          you pull a claim out of your ass then get pissy when asked to back it up, go fuck yourself

          • What? No, I said I'd pull the project so I can take a look, under no circumstance I'm I pissy about it, I just need time to go and do it ...
            • by Osgeld ( 1900440 )

              no you were a smartass, and congrats fucktard its tomorrow

              bullllllllshtit fuck off

              • Okay and your point? I don't owe you anything, and I certainly don't tailor my time to make you happy, You can be as course and unprofessional as you see fit, but that does nothing to double down on my claim that you only need couple dozen lines of JS code, however to prove this is EASY, any way, here's is mouse movement capture done in Angular: https://github.com/amurdoch22/... [github.com].
      • In case you're not following the course idiot, this is a github repo with working mouse movement code in Angular: https://github.com/amurdoch22/... [github.com].

        From here just hook it up to a endpoint, and you're off to the races, if I have some time later I'll do that and get you a working sample of it.
        • by Entrope ( 68843 )

          You claimed a couple of dozen lines of Go would do this, which is what I asked for. Why did you link to a project containing several dozen files of Typescript?

        • by Entrope ( 68843 )

          To elaborate, you originally wrote:

          you need a couple dozen lines of JavaScript, PHP, GO, or another language

          When challenged on that, you provide an inefficient, partial implementation of half the functionality described, using a language and framework that you didn't even mention in your first comment involving a 20,000-line configuration file. (Inefficient because it reports every mouse movement without any kind of compression; partial because you admittedly only have the client side, with no server-side functionality; half the functionality because it records mouse movement b

          • Creating a simple mouse tracker is easy, you need a couple dozen lines you need a couple dozen lines of JavaScript, PHP, GO, or another language

            To which I provided an Angular component that tracked mouse movement, compiled it, and then could send that information to a backend, which is exactly what that statement says! To quote the rest:

            a DB, the user agent, and the resolution of the site. Once you have that information you just generate a heat map, and you're done

            I gave you the first part, the relevant section of TypeScript / Angular code that tracks mouse movement, which is exactly what I said you needed a couple dozen of lines of code for, the rest is up to you, if you want to compress the data set, add more tracking to it, including user details, etc..., under no circums

  • by Anonymous Coward

    If this goes through then sites like Reddit are in big trouble.

    People say it's like being on CCTV but a business can't put CCTV in their bathroom/dressing-room or your private house. So there ARE legal limits for spying.

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Friday October 07, 2022 @05:11PM (#62947967) Homepage Journal

    If the data is being collected by a third party, and it's capable of collecting CC payment info (which it probably is) then it could conceivably be doing something illegal even if it's on behalf of the site owner.

    • Not to mention recording the CVV on the back of the card in a key logger would be a contract violation with your payment provider.

    • If you think about how payment processing works (especially those which implement 3rd party processors) that can't be illegal. As a user you are entering data to papa john's website. But that data often by necessity gets sent to a 3rd party for processing anyway.

  • Didn't read the article (click inertia) but if their website is recording all keystrokes, then it is also possibly recording credit card numbers as they are being typed in. If so, that would be a major PCI compliance violation. Never cared much for Papa John's, so I wouldn't miss them if they suddenly couldn't process credit cards. The local pizza joints in my area are vastly superior to any of the major pizza chains.

    • The real "PCI compliance" issue is that credit card companies themselves are in on the deluge of spam because they get to collect fees off of every product pushed with it.

      They also act as a cartel and have a monopoly on the economy of the entire world, which means no politician would dare try to outlaw spam beyond that required to make them less afraid of the public than they are of the banking sector

    • you can use google pay on their website to bypass typing cc numbers.

    • by cstacy ( 534252 )

      t if their website is recording all keystrokes, then it is also possibly recording credit card numbers as they are being typed in. If so, that would be a major PCI compliance violation.

      It doesn't need to record the keystrokes, just the timestamp of when you started typing into the form, and when you hit DELETE to entirely clear the form, maybe.

      If it actually captures the credit card numbers, you are right: that sounds like a Problem.

      Since the tracking program is running in your browser, why doesn't someone just download all the source code and see what in fact is actually happening.

      • Everyone needs to be very clear on this, there isn't some threshold that gets passed when a submit button is pressed. Any website can asynchronously send messages back to the server when you do much as mouse over an element on the page, or press a key. This is Web 2.0 stuff, old school already. What these tools do is report back everything your browser allows and that's enough to stream what you're doing on the website in near-real-time and save for later. If you hover over "Buy Now" then click off some

    • Having had some minimal involvement in setting up a call center, I know that the recording and screen capture functions of the operator's workstations are specifically configured to not record/capture any CC info (otherwise all conversations are recorded (for training and quality assurance purposes (cough)). Apart from that managers can eavesdrop at their leisure. This is assuming you care about legalities and PCI compliance of course. I have no idea if Papa John's does or not.
    • Didn't read the article (click inertia) but if their website is recording all keystrokes, then it is also possibly recording credit card numbers as they are being typed in. If so, that would be a major PCI compliance violation. Never cared much for Papa John's, so I wouldn't miss them if they suddenly couldn't process credit cards. The local pizza joints in my area are vastly superior to any of the major pizza chains.

      It's trivial to turn this stuff on/off wherever you need, and what do you mean exactly by record? If you want to read every input with js and throw up a card association logo when enough digits have been entered you can do that - recording? If we wanted to send your form entry to the server digit by digit, nothing says we can't. We would disable session recording, what this article is about, for those pages because we don't want to store a card number anyplace they're not supposed to be - on our own serv

  • The only reason we're hearing about this is only because someone was greedy enough to wait for a good time to sue over it instead of being a good samaratin and warning Papa John's ahead of time

    This is a simple case of incompetence among the tech illiterate being once again being taken advantage of by the rich and powerful to make a quick buck off the backs of the poor.

    • by cstacy ( 534252 )

      The only reason we're hearing about this is only because someone was greedy enough to wait for a good time to sue over it instead of being a good samaratin and warning Papa John's ahead of time

      Um, this is not some malware. Papa John paid extra for their web developers to put this monitor-analyze feature on the site, to guide development and improvement.

      This is a simple case of incompetence among the tech illiterate being once again being taken advantage of by the rich and powerful to make a quick buck off the backs of the poor.

      Not sure what parties you are thinking are doing what to whom???

  • Papa John's is capturing data from their own web site. That users are going to enter anyway. To buy a pizza.

    Isn't that sort of what their web site is for?

  • products like dynatrace, app dynamics, and app-insights do this for MANY web and app based applications. millions of them. Every day.
  • I genuinely hope he looses. I do conversion rate optimization for a living and session recordings provide pivotal data. Yes, keystrokes and mouse movements are recorded but the purpose for recording users is to only further optimise the website. If I see that the users are struggling with a landing page in the recordings, then I a/b test to find an improvment. There's literally hundreds of platforms that provide recordings and majority of the time when this is set up, any key data such as bank account detai
    • I genuinely hope he looses. I do conversion rate optimization for a living and session recordings provide pivotal data. Yes, keystrokes and mouse movements are recorded but the purpose for recording users is to only further optimise the website.

      I think disgusting rather than pivotal is a much better fit. If you can't figure out how to create a website that people care about without resorting to this crap you have no business being in the field.

      There's literally hundreds of platforms that provide recordings and majority of the time when this is set up, any key data such as bank account details are greyed out. This data is only used to further optimise the website, it's never used for remarketing because it's impossible. Microsoft even offers this service for free with ms clarity lol.

      It's ok because everyone else does it too... LOL indeed.

  • Seriously? Please. Every social media website is tracking what you do, when you do it, where you do it, and to whom. I'm convinced that they are listening to you as well. Try talking to friends about some random topic and see if something related to it pops up in your feeds or your predictive typing widgets.

  • Companies have been collecting this sort of telemetry for at least a decade. It's used for A/B testing and just general performance assessment.

    Why single Papa John's out for it? Politics?

Real programmers don't comment their code. It was hard to write, it should be hard to understand.

Working...