Third-party cookies that track you as you visit pages on the Web and various analytics scripts have been a mainstay for some time. They’ve become more sophisticated over time, all in order to better deliver targeted advertising.
However, these methods are fraught with issues – the impact on privacy is high, and they significantly bog down the page loading speed. That’s why most users opt to block web tracking with tools such as AdBlock or similar.
New Kid on the Block
But tracking has evolved since then. Nowadays, lots of pages use special ‘session replay’ scripts, as discovered by Princeton’s Center for Information Technology Policy. These scripts literally record the mouse movements, clicks and keystrokes you make while visiting a page. The final result is not unlike a video clip, which can then be played back in order to analyse your behaviour.
If that sounds like something only sketchy sites would use, you will be disappointed. Plenty of big brands’ websites implement this tracking method – HP, Lenovo, Comcast, Intel, Sky, Yandex, etc.
Why Is It Bad?
In short, because it is extremely insecure – and we haven’t even touched upon the privacy issues yet!
See, since these scripts track your input and behaviour at all times, everything you type in a box gets saved, even if you later delete it or abandon the page. You don’t have to submit the form at all! And you’re never notified of that – or only in passing, in convoluted language.
This means that your passwords and e-mails are being sent to the server where your inputs can be replayed – and your passwords or credit card numbers seen by anyone with access to this data. The scripts are largely unsuccessful and not reliable enough when it comes to filtering out sensitive information.
Additionally, the recorded data is often stored and transmitted via HTTP, a notoriously insecure channel compared to HTTPS (marked with a little padlock in the address bar). This makes it easy for outside attackers to compromise these host systems and gain access to raw passwords and personal data.
Excuses, Excuses
Companies and websites using these scripts claim they employ them in order to improve user experience. By analysing the visitors’ movements, they can better understand what the users are seeking and reorganise the content on the website to make it more accessible.
However, due to the aforementioned security risks, these potential use cases hardly outweigh the massive potential for data loss. Besides, the data collected isn’t aggregated or anonymised like it is with other analytics tools, but can be accessed individually. That’s why we believe these methods, in their current state, won’t be legal in the EU once the General Data Protection Regulation rolls out next year.
The potential for malicious use is simply too great. This data, for example, could be linked with data obtained from other sources in order to create a comprehensive profile that is then used for targeted advertising, spam, etc.
For example, Walgreens, a US pharmacy, uses these analytics scripts. Due to imperfect data redaction, it is possible to link the medication ordered with the person’s username. In the EU, using this data would be a serious breach since medical records are classified as sensitive personal data, and generally cannot be processed.
How Can I Protect Myself?
Up until recently, ad-blockers were powerless to stop this. However, with recent updates to the most popular blocking lists, EasyList and EasyPrivacy, most ad-blocker add-ons are now able to stop these scripts.
Using the Do-Not-Track option in your browser won’t do much. The websites won’t honour your request, so ad-blockers are your best bet. Fortunately, we have tips on how to enable ad-blockers.
Conclusion
Tracking is a way of life on the Internet, and sadly we often have no say. The best we can do is try to prevent it with ad-blockers, VPNs or similar privacy protection methods. It’s a sad state of affairs that creates tension and rifts between content providers and online merchants on one side and regular users on the other. Content providers fund themselves with advertising and sellers rely on these tools to sell more – but at the cost of alienating regular users.