In case you thought you were being paranoid, you were not.  Have you ever gone to a web site, wandered around but never clicked on anything and then closed the browser only to see an ad for whatever you were looking at show up on some other web site?

There is a reason for that and no, you are not imagining it.

Some web sites track every single keystroke and mouse click that you make, capture it and store it.  They can tell if you hover over an image (even if you don’t click on it) and how long you do that.

Hundreds of sites including Microsoft, Adobe and Godaddy capture every keystoke and mouse movement.  In many cases, that even includes passwords.  A study of 50,000 popular web sites found 482 of them did this.

Our course, without telling you.

These are called session replay scripts and can be used for many purposes from figuring out what part of their web sites are more trafficked to capturing data to send you spam and ads.

Scripts from FullStory, Hotjar, Yandex, and Smartlook were the most intrusive because they recorded all input including Social Security numbers, and dates of birth.

Here is a demo of the replay technology:

The research, conducted by Princeton’s Center for Information Technology Policy, only tested 50,000 web sites.  No one knows if the percentage (about 1 percent) would stay the same if the sample size increased.  Assuming that the percentage stays flat, that means of the one billion web sites, ten million are capturing your info, whether you want them to or not.

I guess the good news is that it is only one percent and not 70 percent.  But since these tools can capture credit card numbers and passwords and since the web site owners share the data with third parties, it makes me wonder how safe things are.

If you use two factor authentication to log on, that significantly negates the risk from some third party having your password, but since only a tiny percentage of folks do use two factor authentication, that won’t help most people.

Some web sites do “mask” sensitive data, but since they don’t even tell us that they are doing this, they certainly aren’t telling us if they are masking data or not.

Bottom line – assume everything that you are typing or clicking may be captured and shared with a third party.  AND, likely, AGGREGATED.

There are tools that can help you protect yourself but they complicate the world and slow things down.  Still, they may be worthwhile in some cases.

Depends on YOUR level of paranoia.

Information for this post came from Ars Technica.


Leave a Reply

Your email address will not be published.