Hundreds of top websites record everything you do as if they’re ‘looking over your shoulder’

'What can go wrong? In short, a lot,' say researchers

Aatif Sulleyman
Wednesday 22 November 2017 15:47 GMT


Hundreds of the world’s top websites are recording everything you do, including your keystrokes, mouse movements and scrolling behaviour, a new report has found.

It’s as if they’re “looking over your shoulder”, and it isn’t always clear that they’re collecting your data.

What’s more, they’re sending this information to third-party “session replay” companies, and the way the data is collected and handled can expose you to identity theft and online scams.

Princeton University researchers have found that 482 of the Alexa top 50,000 sites are doing this, and that the practice can cause sensitive personal information to leak.

This can include things like addresses, medical conditions and credit card details, which can also be linked to your name, and could in turn expose you to online scams or even identity theft.

“What can go wrong? In short, a lot,” wrote Steven Englehardt, one of the researchers, in a blog post.

“The stated purpose of this data collection includes gathering insights into how users interact with websites and discovering broken or confusing pages. However the extent of data collected by these services far exceeds user expectations ... This data can’t reasonably be expected to be kept anonymous.”

The researchers analysed seven popular session replay firms, and found that some websites that use their services still send users’ private information to them, even though the firms require publishers to redact sensitive fields before recording and provide tools for doing so.

This is because the process is difficult and time-consuming.

“To effectively deploy these mitigations a publisher will need to actively audit every input element to determine if it contains personal data,” says Mr Englehardt. “This is complicated, error prone and costly, especially as a site or the underlying web application code changes over time.”

As a result, the recordings include a lot more data than they should, such as users’ names, their full credit card number, expiration date, CVV number and billing address, the length of their passwords and even their doctor’s name and the medication they’re on.
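The redaction problem Mr Englehardt describes is easy to see in code. The following is an added example written for this page, not code from the Princeton study, The Independent, or any session replay vendor. It simulates what a replay script captures from form inputs and compares two redaction policies: a denylist that tries to spot sensitive fields by type, name or a Luhn check, and an allowlist that masks everything not explicitly known to be harmless. The input objects, field names and the name pattern are constructed assumptions for illustration.

```javascript
// Added example (not the study's or any vendor's code). Models the capture
// side of a session replay script over simulated <input> elements and two
// redaction policies a publisher might deploy.

// Constructed sample inputs standing in for fields on a checkout page and a
// patient-portal page. Values are invented test data.
const SAMPLE_INPUTS = [
  { name: 'username', type: 'text',     value: 'jdoe' },
  { name: 'password', type: 'password', value: 'hunter2!' },
  { name: 'cardnum',  type: 'text',     value: '4111 1111 1111 1111' },
  { name: 'cvv',      type: 'text',     value: '123' },
  { name: 'notes',    type: 'text',     value: 'on metformin, Dr. Smith' },
];

// Luhn check: a 13-19 digit string that passes is very likely a card number.
function luhnValid(str) {
  const digits = str.replace(/\D/g, '');
  if (digits.length < 13 || digits.length > 19) return false;
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// What an unredacted replay script ships to the third party: every value,
// together with its length.
function recordRaw(inputs) {
  return inputs.map(el => ({ field: el.name, value: el.value, length: el.value.length }));
}

// Policy 1: denylist. Mask fields whose type or name looks sensitive, or whose
// value passes Luhn. This is the "audit every input element" approach the
// article describes; it is only as good as the audit, and misses free text.
const SENSITIVE_NAME = /pass|card|cvv|cvc|ssn|social|dob|birth/i; // assumed pattern

function looksSensitive(el) {
  return el.type === 'password' || SENSITIVE_NAME.test(el.name) || luhnValid(el.value);
}

function recordDenylist(inputs) {
  return inputs.map(el => looksSensitive(el)
    // A fixed placeholder rather than '*'.repeat(len): a length-preserving
    // mask still leaks password length, which the study found being recorded.
    ? { field: el.name, value: '[REDACTED]', length: null }
    : { field: el.name, value: el.value, length: el.value.length });
}

// Policy 2: allowlist. Every value is masked unless the field is explicitly
// known to be harmless, so a free-text 'notes' field holding a medication or
// doctor's name never leaves the page.
const ALLOWED_FIELDS = new Set(['username']); // assumed allowlist

function recordAllowlist(inputs) {
  return inputs.map(el => ALLOWED_FIELDS.has(el.name)
    ? { field: el.name, value: el.value, length: el.value.length }
    : { field: el.name, value: '[REDACTED]', length: null });
}

// Names of the fields whose real value would reach the replay vendor.
function leakedFields(events) {
  return events.filter(e => e.value !== '[REDACTED]').map(e => e.field);
}
```

Run against the sample inputs, the raw recorder leaks all five fields, the denylist still leaks the `notes` field (its name matches nothing and its value is not a card number), and the allowlist leaks only `username`. That gap is the practical reason a default-mask policy with a short allowlist holds up better than a hand-maintained list of sensitive fields as a site changes.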

“Improving user experience is a critical task for publishers,” said Mr Englehardt. “However it shouldn’t come at the expense of user privacy.”

A list of websites that use third-party session replay scripts was published by the researchers alongside their report.
