As if Internet advertising was not already in deep enough trouble, companies continue to research and use new invasive tracking capabilities on a regular basis.
Session Replay is one of the most recent that came to light. This is an advanced type of analytics software which doesn't only track basic parameters such as the time spend on sites or site visits, but records any keystroke, mouse movement and other activity on pages the scripts are loaded on.
Basically, these scripts record anything that the user does, as well as other parameters that regular analytics scripts track, and you can compare them to someone looking over your shoulder while you use your computer.
Turns out, there is a whole new industry around Session Replay scripts, with multiple companies offering scripts and solutions, and lots of sites making use of them.
A recent study analyzed the functionality and implementation of six Session Replay scripts. The researchers found that almost 1% of the top 50k Alexa sites implemented these type of scripts, among them popular destinations such as WordPress.com, Yandex.ru, Microsoft.com, Adobe.com, Godaddy.com, or Softonic.com.
All scripts attempt to exclude sensitive user data such as passwords from being recorded, but this is far from a perfect system as the researchers discovered during tests. In short: personal information may, and probably will, leak when these scripts run on sites the user visits.
The researchers have released the list of sites that make use of Session Replay scripts, or at least use the analytics script.
How to protect yourself from Session Replay tracking
You have two core options to protect yourself from Session Replay scripts:
- Block all scripts on sites, and only allow scripts to run on sites that you trust.
- Block the Session Replay scripts directly, so that they are not loaded.
You can use a browser extension like NoScript, uBlock Origin or uMatrix to block these scripts from being loaded on sites you visit. This protection works only if you don't allow the scripts to run on sites you visit though, so keep that in mind.
The second option automates the process, especially if you use a content blocker and a list that blocks these scripts.
The popular Easy Privacy list blocks several of the Session Replay tracking scripts for instance. The following commits were added to Easy Privacy recently to block Session Replay scripts:
Some content blockers, uBlock Origin for instance, may subscribe you automatically to EasyPrivacy. Others may not; this is the case for Adblock Plus for instance.
You can add it to Adblock Plus and other content blockers from this page on the official Easy website.