New research from Princeton University reveals that website tracking is more prevalent than most people think. In the first release of a series called No Boundaries, the researchers explain how third-party scripts that run on many websites track your keystrokes and send it to third parties.
According to the research, over 400 of the most trafficked websites record every time you click, and all the words you type. Even if you fill out a form and choose to leave the website, the information you entered is still recorded. If you copy and paste something into a form, that is also recorded.
These scripts are called session replay scripts. Not only do they aggregate general statistics of website visitors, they can play back individual browsing sessions. These scripts are typically used by companies to learn how customers use websites and identify confusing webpages. They don’t run on every page, mostly pages where users enter sensitive information, like passwords or medical conditions.
Disturbingly, the researchers say that the information that is collected “can’t reasonably be expected to be kept anonymous.” Some scripts, like those from company FullStory, are designed to let website owners link the recordings back to a person’s real identity.
Can You Do Anything?
The researchers say that ad-blockers can block some, but not all of the scripts. Ad-blocking lists like EasyList and EasyPrivacy don’t block scripts like FullStory, Smartlook, and UserReplay. EasyPrivacy has filter rules that can block Yandex, Hotjar, ClickTale, and SessionCam. A popular browser setting ‘Do Not Track’ has no effect on whether you are tracked or not.
Motherboard reports that the ad-blocking tool AdBlock Plus has recently been updated to block all of the session replay scripts.