Your favorite websites are tracking your keystrokes and sending the info to others, study finds

Hundreds of popular websites record (and share) everything users type and click, according to a new study from Princeton. McClatchy News

Hundreds of the world’s most popular websites capture user information via keylogging software, and that information – every mouse click, every word typed – is being shared, according to research from Princeton’s Center for Information Technology Policy.

The fact that websites use so-called analytics scripts is nothing new (remember Facebook a la 2013). It’s the reason for those targeted ads that seem to be reading your mind. But the study found that more sites now use “session replay” scripts. These bits of code record keystrokes, mouse movements and scrolling, along with the entire contents of the pages you visit – as if someone is looking over your shoulder, according to Motherboard.

That info is then sent to third-party servers, often without the users’ knowledge, “unless you dug deep into the privacy policy,” Steve Englehardt told Motherboard.

“I’m just happy that users will be made aware of it,” said Englehardt, one of the researchers behind the study.

Session replay scripts can give companies insight into how their customers are using the sites. They can be a good way to identify and fix confusing web pages, according to Motherboard. The problem is that they can also record and play back individual browsing sessions, and they are often placed on pages where users input sensitive information like passwords and medical conditions. One company, FullStory, has scripts that can link the information to a user’s real identity, according to Motherboard.

According to the study, 482 of the world’s top 50,000 websites are involved in some form of this kind of data collection and sharing. That includes Spotify.com, Rottentomatoes.com, Walgreens.com and the men’s clothing site Bonobos.com, which researchers said captured and shared credit-card details, including the cardholder’s name and billing address, the card’s number, expiration and security code, according to Wired.

Both Walgreens and Bonobos have since stopped the practice, according to the story.

“I don’t think most users realize that when they interact with a website that their information about that visit is being shared with 40 to 100 third parties,” security and privacy researcher Ashkan Soltani told Wired.

“Capturing [the text typed into] every form field is a level of detail that I have not seen historically,” he said.

This story was originally published November 21, 2017 at 1:38 PM with the headline "Your favorite websites are tracking your keystrokes and sending the info to others, study finds."