According to a study from Princeton University, more than 480 websites use a technique called session replay to understand how visitors use their sites.
The study says that hundreds of web firms are tracking every single keystroke made by visitors. Experts have questioned the legality of using such software without users' consent. "These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and may send them to third-party servers."
The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However, the extent of the data collected by these services far exceeds user expectations. Text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user. This data cannot reasonably be expected to remain anonymous.
The researchers analyzed seven of the top session replay companies, chosen by their relative popularity in the study's measurements: Yandex, FullStory, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam. They found these services in use on 482 of the Alexa top 50,000 sites. Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third party as part of the recording.
This may expose users to identity theft, online scams, and other unwanted outcomes. The same is true for the collection of user inputs during checkout and registration processes.
The study's main findings are:
1. Passwords are included in session recordings.
2. Sensitive user inputs are redacted in a partial and imperfect way.
3. Manual redaction of personally identifying information displayed on a page is a fundamentally insecure model.
4. Recording services may fail to protect user data.
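To make the findings above concrete, here is an added example (not code from the Princeton study or from any replay vendor) that models in plain JavaScript what a session-replay recorder captures and why type-based redaction is only partial. A recorder ships a field's current value on every input event, so text is captured keystroke by keystroke before any form is submitted, and page text is captured as well. The "password-only" redaction policy, the "show password" toggle that flips the field's type to text, the field objects and the sample values are all constructed for this illustration; the deny-by-default policy is shown as the alternative a practitioner would want.

```javascript
// Added example, not code from the Princeton study or from any replay vendor.
// Models what a session-replay recorder captures and why type-based
// redaction is partial. Fields, values and the toggle are constructed here.

// A recorder that ships the field's *current* value on every input event
// (i.e. before the form is ever submitted), plus snapshots of page text.
function makeRecorder(redact) {
  const events = [];
  return {
    onInput(field) {
      events.push({ kind: 'input', name: field.name, value: redact(field, field.value) });
    },
    onSnapshot(nodes) {
      for (const node of nodes) {
        events.push({ kind: 'text', name: node.name, value: redact(node, node.text) });
      }
    },
    events,
  };
}

// Naive redaction (assumed policy, not a description of any vendor): mask
// only fields whose type is "password" at capture time, preserving length.
function redactPasswordOnly(field, value) {
  return field.type === 'password' ? '*'.repeat(value.length) : value;
}

// Deny-by-default: mask every captured value unless the field name is on an
// explicit allow-list, and never preserve the original length.
const ALLOWLIST = new Set(['search']);
function redactDenyByDefault(field, value) {
  return ALLOWLIST.has(field.name) ? value : '[redacted]';
}

// Simulate a user typing: one input event per keystroke.
function typeInto(recorder, field, text) {
  for (let i = 1; i <= text.length; i++) {
    field.value = text.slice(0, i);
    recorder.onInput(field);
  }
}

// Run a constructed browsing session through a recorder with the given policy.
function simulateSession(redact) {
  const rec = makeRecorder(redact);
  const pw = { name: 'password', type: 'password', value: '' };
  typeInto(rec, pw, 'hunter2');
  // A "show password" toggle flips the input type to text (constructed
  // case); the next event is captured unmasked under the naive policy.
  pw.type = 'text';
  rec.onInput(pw);
  const card = { name: 'card_number', type: 'text', value: '' };
  typeInto(rec, card, '4111 1111 1111 1111');
  const search = { name: 'search', type: 'text', value: '' };
  typeInto(rec, search, 'shoes');
  // Page content is recorded too, not only form inputs.
  rec.onSnapshot([{ name: 'summary', text: 'Diagnosis: type 2 diabetes' }]);
  return rec.events;
}

// Events whose shipped value still contains the constructed sensitive data.
const SENSITIVE = /hunter2|4111|diabetes/;
function leakedEvents(events) {
  return events.filter((e) => SENSITIVE.test(e.value));
}

if (typeof require !== 'undefined' && require.main === module) {
  const policies = [['password-only', redactPasswordOnly], ['deny-by-default', redactDenyByDefault]];
  for (const [label, redact] of policies) {
    const events = simulateSession(redact);
    console.log(`${label}: ${leakedEvents(events).length} of ${events.length} events leak sensitive data`);
  }
}
```

Under the password-only policy the recording still carries the password (once the type toggle fires), every partial credit card number typed into a plain text field, and the medical text on the page; the masked password events also reveal its length. Deny-by-default leaks none of these, at the cost of having to allow-list each field whose contents are genuinely needed, which is the trade-off the study's findings point to.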
Firms using the software included the UK news website the Telegraph, Samsung, Reuters, US retail giant Home Depot and CBS News. Paul Edon, director at security firm Tripwire, said: "The first area of concern here is the legality of recording people's keystrokes without first informing them of the fact." If that is the case, users' trust in these websites will erode to the point of distrust.