How websites watch your every move and ignore privacy settings

November 27, 2017 by Yijun Yu, The Conversation

Hundreds of the world's top websites routinely track a user's every keystroke, mouse movement and input into a web form – even before it's submitted or later abandoned, according to the results of a study from researchers at Princeton University.

And there's a nasty side-effect: personally identifiable data, such as medical information, passwords and credit card details, could be revealed when users surf the web – without them knowing that companies are monitoring their browsing behaviour. It's a situation that should alarm anyone who cares about their privacy.

The Princeton researchers found it was difficult to redact personally identifiable information from browsing behaviour records – even, in some instances, when users have switched on privacy settings such as Do Not Track.

The research found that third-party tracking services are used by hundreds of businesses to monitor how users navigate their websites. Doing so is becoming harder as more and more companies tighten security and move their sites to encrypted HTTPS pages.

To work around this, session-replay scripts are deployed to monitor user interface behaviour on websites as a sequence of time-stamped events, such as keystrokes and mouse movements. Each of these events records additional parameters – the key pressed (for keyboard events) or the screen coordinates (for mouse movement events) – at the time of interaction. When associated with the content of a and web address, this recorded sequence of events can be replayed exactly by another browser that triggers the functions defined by the website.

What this means is that a third party is able to see, for example, a user entering a password into an online form – which is a clear privacy breach. Websites that employ third-party analytics firms to record and replay such behaviour do so, they argue, in the name of "enhancing ". The more they know about what their users are after, the easier it is to provide them with targeted information.
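To make the mechanism above concrete, here is an added example (not code from the article, the Princeton study or any analytics vendor) of what a session-replay event log looks like and why recording it naively leaks a password. Events are constructed plain objects standing in for browser events, so it runs in Node without a DOM; the field-name pattern, the `data-no-record` attribute convention and the event shape are assumptions made for the demo. The naive recorder stores every keystroke; the redacting recorder keeps the same timeline but masks keys typed into password-type fields and other fields marked sensitive, which is the kind of redaction a site owner would want before any third party receives the recording.

```javascript
// Added example: a minimal session-replay log, recorded naively and then with
// redaction. All events below are constructed for the demo, not captured data.

// Assumption for this demo: field names matching this pattern are sensitive.
const SENSITIVE_NAME = /(pass|card|cvv|ssn|iban)/i;

// A field is sensitive if it is a password input, carries a (hypothetical)
// data-no-record attribute, or has a name matching the pattern above.
function isSensitiveField(target) {
  if (!target) return false;
  if (target.type === 'password') return true;
  if (target.dataset && target.dataset.noRecord !== undefined) return true;
  return SENSITIVE_NAME.test(target.name || '');
}

// Naive recorder: stores every parameter exactly as the page saw it.
function recordNaive(events) {
  return events.map(ev => ({
    t: ev.t,                                   // ms since page load
    type: ev.type,
    field: ev.target ? ev.target.name : null,  // which form field, if any
    key: ev.key,                               // keystroke (keyboard events)
    x: ev.x, y: ev.y,                          // coordinates (mouse events)
  }));
}

// Redacting recorder: same timeline, but printable keys typed into a
// sensitive field are replaced with a mask; control keys (Enter, Tab) stay.
function recordRedacted(events) {
  return recordNaive(events).map((rec, i) => {
    const ev = events[i];
    if (rec.key !== undefined && isSensitiveField(ev.target)) {
      return { ...rec, key: ev.key.length === 1 ? '*' : ev.key, redacted: true };
    }
    return rec;
  });
}

// What a replay viewer could reconstruct per field from a recording.
function reconstructInputs(records) {
  const fields = {};
  for (const r of records) {
    if (r.type !== 'keydown' || r.field == null) continue;
    if (r.key.length !== 1) continue; // skip Enter, Tab etc. (demo simplification)
    fields[r.field] = (fields[r.field] || '') + r.key;
  }
  return fields;
}

// Constructed sample session: mouse movement, a username, a password and the
// first digit of a card number typed into a field marked data-no-record.
const SAMPLE_EVENTS = [
  { t: 100,  type: 'mousemove', x: 220, y: 310 },
  { t: 350,  type: 'keydown', key: 'a', target: { name: 'user', type: 'text' } },
  { t: 420,  type: 'keydown', key: 'b', target: { name: 'user', type: 'text' } },
  { t: 900,  type: 'mousemove', x: 225, y: 360 },
  { t: 1200, type: 'keydown', key: 'h', target: { name: 'pwd', type: 'password' } },
  { t: 1260, type: 'keydown', key: 'u', target: { name: 'pwd', type: 'password' } },
  { t: 1310, type: 'keydown', key: 'n', target: { name: 'pwd', type: 'password' } },
  { t: 1400, type: 'keydown', key: 'Enter', target: { name: 'pwd', type: 'password' } },
  { t: 2000, type: 'keydown', key: '4', target: { name: 'ccnum', type: 'text', dataset: { noRecord: '' } } },
];

console.log('naive   :', JSON.stringify(reconstructInputs(recordNaive(SAMPLE_EVENTS))));
console.log('redacted:', JSON.stringify(reconstructInputs(recordRedacted(SAMPLE_EVENTS))));
```

The point of keeping the redacted timeline the same length is that the analytics use case (where users hesitate, which fields they abandon) survives, while the values that make the recording a credential leak do not. Note that masking alone does not protect page content already rendered into the DOM, which the study's co-author raises as a separate leak below.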

While it's not news that companies are monitoring our behaviour as we surf the web, the fact that scripts are quietly being deployed to record individual browser sessions in this way has concerned the study's co-author, Steven Englehardt, who is a PhD candidate at Princeton.

A website user replay demo in action.

"Collection of page content by third-party replay scripts may cause sensitive information, such as medical conditions, , and other personal information displayed on a page, to leak to the third-party as part of the recording," he wrote. "This may expose users to identity theft, online scams and other unwanted behaviour. The same is true for the collection of user inputs during checkout and registration processes."

Websites logging keystrokes has been a known issue among cybersecurity experts for some time. And Princeton's empirical study raises valid concerns about users having little or no control over their surfing being recorded in this way.

So it's important to help users control how their information is shared online. But there are increasing signs of usability trumping security measures that are designed to keep our data safe online.

Usability vs security

Password managers are used by millions of people to help them easily keep a record of different passwords for different sites. The user of such a service only needs to memorise one key password.

Recently, a group of researchers at the University of Derby and the Open University discovered that the offline clients of password manager services were at risk of exposing the main key password, which was held in memory as plain text and could be sniffed or dumped by whole-system attacks.

User experience is not an excuse for tolerating security flaws.
