
Have you ever typed something into a search box on a website and then thought better of it? New research shows that 482 sites may be passing on that information anyway.
We have long known that information we provide online can be tracked. A website you visit might have hundreds of scripts running in the background; some deposit cookies, others track you to other websites. The variety of tracking tools mean it is almost impossible to know what happens to your data when you visit a site.
But all of these seem tame compared with what and his colleagues at Princeton University found after combing through hundreds of websites to examine the scripts they were running: the widespread use of a type of script, called a session replay, that logs everything you do on a website, including what you type before you hit 鈥渆nter鈥. The script then sends this information to the third-party company that has placed it there. This can bypass traditional privacy measures like https and incognito tabs, because while your connection to the site may be secure, the third parties have been pre-authorised by the site to watch you there, and how they send the information they glean isn鈥檛 guaranteed to be private.
Advertisement
The scripts themselves aren鈥檛 new: they have long been used to help developers understand whether their customers are reacting well to websites鈥 constant updates. As companies come under increasing pressure to monetise their websites, the third parties offering such services have flourished. They have grown in number, says Lukasz Olejnik, an independent cyber security and privacy consultant based in London, being used by more sites and becoming more powerful in what data they can gather.
Their ability to take any information no matter how private concerns Alan Woodward, a security researcher at the University of Surrey, UK. 鈥淭ake something as simple as passwords,鈥 he says. 鈥淭hese can be scooped up in the session scripts and sent to third parties.鈥 The same goes for any personal data like medical records and bank card numbers.
Privacy notices
Englehardt鈥檚 team found session replay scripts running on 482 websites including Yandex, Russia鈥檚 largest search engine, and US online pharmacy Walgreens, which until recently used the third-party company FullStory. 鈥淲e take the protection of our customers鈥 data very seriously and are investigating the claims made last week. As we look into the concerns that were raised, and out of an abundance of caution, we have stopped sharing data with FullStory,鈥 a Walgreens spokesperson told New 杏吧原创.
New 杏吧原创 has contacted FullStory and Yandex for statements, but has not yet received a response.
鈥淭he public should be surprised, and they should be concerned,鈥 says Olejnik. While FullStory is explicit on its website that it doesn鈥檛 sell data gathered in this way, others don鈥檛 make such a clear guarantee. This kind of data has huge potential for targeted advertising and marketing, for example. 鈥淚 think that optimising websites is a good idea,鈥 says Olejnik. 鈥淏ut so is optimising your security standards.鈥
There are ways to protect yourself from sharing this kind of information, for example only using sites you trust, and knowing their privacy policies inside out. 鈥淚t is one of the reasons why you need to understand the privacy policy of any site you trust with your data,鈥 says Woodward. However, previous research has shown that reading all privacy notices on every site you interact with .
Ultimately, the only way to control these kinds of companies is by regulation, says Olejnik. Third-party data-collection sites might need to change their practices after May 2018, when the EU General Data Protection Regulation enters into force and begins to clamp down on 鈥渄isproportionate misuse of data without user consent鈥. 鈥淭he people who deploy these scripts would need to carefully audit them,鈥 says Olejnik.
The study was published on Princeton University鈥檚 website, .
Read more: Data protection is complex and costly