żěè¶ĚĘÓƵ

Nothing you can do stops this code from watching you online

Code originally written to optimise websites bypasses https and incognito browsing to harvest and share everything you type online, from passwords to sensitive medical data
person typing mysterious things
Just stop using the internet
Kathleen Finlay/plainpicture

Have you ever typed something into a search box on a website and then thought better of it? New research shows that 482 sites may be passing on that information anyway.

We have long known that information we provide online can be tracked. A website you visit might have hundreds of scripts running in the background; some deposit cookies, others track you to other websites. The variety of tracking tools mean it is almost impossible to know what happens to your data when you visit a site.

But all of these seem tame compared with what and his colleagues at Princeton University found after combing through hundreds of websites to examine the scripts they were running: the widespread use of a type of script, called a session replay, that logs everything you do on a website, including what you type before you hit “enter”. The script then sends this information to the third-party company that has placed it there. This can bypass traditional privacy measures like https and incognito tabs, because while your connection to the site may be secure, the third parties have been pre-authorised by the site to watch you there, and how they send the information they glean isn’t guaranteed to be private.

The scripts themselves aren’t new: they have long been used to help developers understand whether their customers are reacting well to websites’ constant updates. As companies come under increasing pressure to monetise their websites, the third parties offering such services have flourished. They have grown in number, says Lukasz Olejnik, an independent cyber security and privacy consultant based in London, being used by more sites and becoming more powerful in what data they can gather.

Their ability to take any information no matter how private concerns Alan Woodward, a security researcher at the University of Surrey, UK. “Take something as simple as passwords,” he says. “These can be scooped up in the session scripts and sent to third parties.” The same goes for any personal data like medical records and bank card numbers.

Privacy notices

Englehardt’s team found session replay scripts running on 482 websites including Yandex, Russia’s largest search engine, and US online pharmacy Walgreens, which until recently used the third-party company FullStory. “We take the protection of our customers’ data very seriously and are investigating the claims made last week. As we look into the concerns that were raised, and out of an abundance of caution, we have stopped sharing data with FullStory,” a Walgreens spokesperson told żěè¶ĚĘÓƵ.

żěè¶ĚĘÓƵ has contacted FullStory and Yandex for statements, but has not yet received a response.

“The public should be surprised, and they should be concerned,” says Olejnik. While FullStory is explicit on its website that it doesn’t sell data gathered in this way, others don’t make such a clear guarantee. This kind of data has huge potential for targeted advertising and marketing, for example. “I think that optimising websites is a good idea,” says Olejnik. “But so is optimising your security standards.”

There are ways to protect yourself from sharing this kind of information, for example only using sites you trust, and knowing their privacy policies inside out. “It is one of the reasons why you need to understand the privacy policy of any site you trust with your data,” says Woodward. However, previous research has shown that reading all privacy notices on every site you interact with .

Ultimately, the only way to control these kinds of companies is by regulation, says Olejnik. Third-party data-collection sites might need to change their practices after May 2018, when the EU General Data Protection Regulation enters into force and begins to clamp down on “disproportionate misuse of data without user consent”. “The people who deploy these scripts would need to carefully audit them,” says Olejnik.

The study was published on Princeton University’s website, .

Read more: Data protection is complex and costly

Topics: Computing / Privacy