
Princeton Research Reveals that Top Websites are Recording Users' Personal Data

A study conducted by the Center for Information Technology Policy (CITP) at Princeton revealed last week that some of the most popular websites are recording information about their visitors that goes far beyond the known tracking of user behavior for analytics purposes. A growing number of websites is using so-called "session replay" scripts, another type of third-party analytics script which, however, exposes sensitive user data like passwords and other personal details to misuse. These scripts are not intended to provide aggregate statistics; instead, "session replay" scripts are built to record and play back individual browsing sessions so that the online behavior of individual Internet users can be tracked. In some cases, it is even possible to link a recording to a user's real identity. Along with recording keystrokes, page scrolling behavior, and mouse movements, the scripts record the entire content of the pages that a user visits, and then send that information to a third-party server. Experts warn that this data could easily end up exposed in dashboards that are not even secured with HTTPS.

Obviously, all of this data collection happens without any notice to the user, who typically does not expect usernames, passwords, credit card numbers, medical conditions, and all sorts of other sensitive data to be exfiltrated and misused by a highly ranked website. However, the study shows that the questionable "session replay" services are not reserved for dubious Russian forums: they are also found on 482 of the Alexa top 50,000 websites, among them The Telegraph, Norton, Lenovo, Intel, Xfinity, and many others. What makes things even worse, most of these sites did not even know they were using this type of script.

Officially, "session replay" scripts are supposed to improve the overall user experience by collecting information on how users interact with a website and by discovering broken or confusing pages. Yet the type of data that is recorded, and the way it is handled, suggests that things can go massively wrong at some point, exposing users to considerable risk. At the very worst, the recordings could leak to third parties and lead to identity theft and every other type of cybercrime one can think of.

Although the companies offering replay services allow website publishers to redact what type of data is recorded and to exclude sensitive information from the recordings, that does not secure the user's data. The CITP report shows this redaction is complicated and requires additional time and effort, as publishers need to check every single page that displays or accepts user information. Overall, the empirical results of the study show that this redaction option is not sufficiently effective in preventing the recording, and therefore the potential leakage, of sensitive data.
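To make concrete why the page-by-page redaction described above is fragile, here is an added example that is not code from the CITP study or from any session-replay vendor. It serializes a constructed, DOM-like page the way a recorder would before uploading a snapshot (inputs and visible text, as the earlier paragraph describes), and compares an opt-out redaction policy, where only fields the publisher tagged are masked, with an opt-in policy, where everything is masked unless explicitly allowed. The attribute names `data-redact` and `data-replay-allow`, the function names, and the sample form are illustrative assumptions, not any real product's API.

```javascript
// Added example, not code from the CITP study or from any session-replay vendor.
// It serializes a constructed, DOM-like page the way a recorder would before
// uploading a snapshot, and compares two redaction policies. The attribute
// names "data-redact" and "data-replay-allow" and the function names are
// illustrative assumptions, not any real product's API.

const MASK = '*****';

// Constructed sample page: a checkout form where the publisher tagged the
// password field for redaction but never audited the card-number field or the
// confirmation text that echoes the card number back to the user.
const samplePage = {
  tag: 'form',
  children: [
    { tag: 'input', attrs: { type: 'text', name: 'email' }, value: 'alice@example.com' },
    { tag: 'input', attrs: { type: 'password', name: 'pw', 'data-redact': '' }, value: 'hunter2' },
    { tag: 'input', attrs: { type: 'text', name: 'card' }, value: '4111111111111111' },
    { tag: 'input', attrs: { type: 'text', name: 'coupon', 'data-replay-allow': '' }, value: 'SPRING10' },
    { tag: 'span', attrs: { id: 'card-echo' }, text: 'Card on file: 4111111111111111' },
  ],
};

function hasAttr(node, name) {
  return Object.prototype.hasOwnProperty.call(node.attrs || {}, name);
}

// Opt-out (blocklist) policy: everything is recorded unless the publisher
// explicitly marked the element. This only protects pages that were audited.
function blocklistPolicy(node) {
  return hasAttr(node, 'data-redact');
}

// Opt-in (allowlist) policy: every input value and text node is masked unless
// the publisher explicitly allowed it, so a field missed during the audit is
// masked rather than uploaded.
function allowlistPolicy(node) {
  return !hasAttr(node, 'data-replay-allow');
}

// Produce the snapshot a recorder would send; shouldMask decides per node
// whether its input value or visible text is replaced by MASK.
function serializeForReplay(node, shouldMask) {
  const out = { tag: node.tag, attrs: { ...(node.attrs || {}) } };
  if ('value' in node) out.value = shouldMask(node) ? MASK : node.value;
  if ('text' in node) out.text = shouldMask(node) ? MASK : node.text;
  if (node.children) out.children = node.children.map((c) => serializeForReplay(c, shouldMask));
  return out;
}

// Flatten a snapshot into {name-or-id: recorded string} for inspection.
function recordedContent(snapshot) {
  const found = {};
  (function walk(n) {
    const key = (n.attrs && (n.attrs.name || n.attrs.id)) || n.tag;
    if ('value' in n) found[key] = n.value;
    if ('text' in n) found[key] = n.text;
    (n.children || []).forEach(walk);
  })(snapshot);
  return found;
}

// True if a raw sensitive string from the page survives into the snapshot,
// i.e. would be uploaded to the third-party server.
function leaks(snapshot, secret) {
  return JSON.stringify(snapshot).includes(secret);
}

const blocklistSnapshot = serializeForReplay(samplePage, blocklistPolicy);
const allowlistSnapshot = serializeForReplay(samplePage, allowlistPolicy);

console.log('opt-out policy records:', recordedContent(blocklistSnapshot));
console.log('opt-in policy records: ', recordedContent(allowlistSnapshot));
```

Under the opt-out policy the untagged card field and the confirmation text both reach the snapshot, which is exactly the failure mode the study reports: one page the publisher did not audit is enough. Under the opt-in policy the same page leaks nothing, and only the coupon field the publisher deliberately allowed is recorded in clear.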

After the research was released, some of the publishers on the list declared they would no longer implement these scripts.
