How to protect yourself from Session Replay tracking - gHacks Tech News

How to protect yourself from Session Replay tracking

As if Internet advertising was not already in deep enough trouble, companies continue to research and use new invasive tracking capabilities on a regular basis.

Session Replay is one of the most recent that came to light. This is an advanced type of analytics software which doesn't only track basic parameters such as the time spend on sites or site visits, but records any keystroke, mouse movement and other activity on pages the scripts are loaded on.

Basically, these scripts record anything that the user does, as well as other parameters that regular analytics scripts track, and you can compare them to someone looking over your shoulder while you use your computer.

session replay
via Freedom to Tinker: https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/

Turns out, there is a whole new industry around Session Replay scripts, with multiple companies offering scripts and solutions, and lots of sites making use of them.

A recent study analyzed the functionality and implementation of six Session Replay scripts. The researchers found that almost 1% of the top 50k Alexa sites implemented these type of scripts, among them popular destinations such as WordPress.com, Yandex.ru, Microsoft.com, Adobe.com, Godaddy.com, or Softonic.com.

All scripts attempt to exclude sensitive user data such as passwords from being recorded, but this is far from a perfect system as the researchers discovered during tests. In short: personal information may, and probably will, leak when these scripts run on sites the user visits.

The researchers have released the list of sites that make use of Session Replay scripts, or at least use the analytics script.

How to protect yourself from Session Replay tracking

session replay script

You have two core options to protect yourself from Session Replay scripts:

  1. Block all scripts on sites, and only allow scripts to run on sites that you trust.
  2. Block the Session Replay scripts directly, so that they are not loaded.

You can use a browser extension like NoScript, uBlock Origin or uMatrix to block these scripts from being loaded on sites you visit. This protection works only if you don't allow the scripts to run on sites you visit though, so keep that in mind.

The second option automates the process, especially if you use a content blocker and a list that blocks these scripts.

The popular Easy Privacy list blocks several of the Session Replay tracking scripts for instance. The following commits were added to Easy Privacy recently to block Session Replay scripts:

  • ||ftbpro.com^$third-party
  • ||fueldeck.com^$third-party
  • ||fugetech.com^$third-party
  • +||fullstory.com^$third-party
  • ||funneld.com^$third-party
  • ||funstage.com^$third-party
  • ||fuse-data.com^$third-party
  • |smartctr.com^$third-party
  • ||smarterhq.io^$third-party
  • ||smarterremarketer.net^$third-party
  • +||smartlook.com^$third-party
  • ||smartology.co^$third-party
  • ||smartracker.net^$third-party
  • ||smartzonessva.com^$third-party
  • ||userlook.com^$third-party
  • ||userneeds.dk^$third-party
  • ||useronlinecounter.com^$third-party
  • +||userreplay.net^$third-party
  • ||userreport.com^$third-party
  • ||users-api.com^$third-party
  • ||userzoom.com^$third-party

Some content blockers, uBlock Origin for instance, may subscribe you automatically to EasyPrivacy. Others may not; this is the case for Adblock Plus for instance.

easyprivacy

You can add it to Adblock Plus and other content blockers from this page on the official Easy website.

 

 

Summary
How to protect yourself from Session Replay tracking
Article Name
How to protect yourself from Session Replay tracking
Description
Find out how to protect your data from so-called Session Replay scripts that track every keystroke, mouse movement and other activity.
Author
Publisher
Ghacks Technology News
Logo

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats (video ads) or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. SCBright said on November 24, 2017 at 12:30 pm
    Reply

    You’ll find EasyList and many other content filters on this truly handy page: https://filterlists.com/

    This is just a suggestion, I installed many useful filters on uBlock Origin from this project owned by Collin M. Barret.

    1. TelV said on November 24, 2017 at 2:16 pm
      Reply

      Thanks for the tip SC. I’d bookmarked the site a while back, but had forgotten all about it and your post jolted my memory. :)

    2. guest said on November 24, 2017 at 3:14 pm
      Reply

      use adblock opera presto? (not adblock +)

  2. Anonymous said on November 24, 2017 at 12:35 pm
    Reply

    Very funny how author of original article didn’t respond anything about accusation of it being sponsored by google (because there was no mention about google analytics at all).

    Sane people using white-listing rather than black-listing (i.e. deny all that not allowed).

    1. MdN said on November 24, 2017 at 1:27 pm
      Reply

      If Google or Facebook did that, there would be much noise and lawsuits and they don’t want to take that chance. They know what pages you visit (if you don’t block their scripts) but probably not what you’re doing on those pages.

      1. Anonymous said on November 24, 2017 at 2:54 pm
        Reply

        >but probably not what you’re doing on those pages.

        Sure thing, buddy.
        https://blog.sessioncam.com/how-to-easily-combine-google-analytics-with-session-replay-a76a85637dca

        And you can integrate it with many many more session replay tools, and as long as you have any external scripts on your site you can’t guarantee what they really do with data on their end, they may told you that they won’t store anything, anonymizе\generalize data – but it doesn’t mean it’s true, just look at recent news about google location being on, even if interface says otherwise, that’s because google play services can do whatever they wan’t and you won’t know it, because there is no transparency at all.

      2. Skynet said on November 25, 2017 at 2:30 am
        Reply

        Google is involved in so much spying that the average person considers it a conspiracy theory. But it’s true. Google is the #1 spy on the internet. It’s not it’s advertising that is so invasive, it is that it tracks through multiple vectors; web, software, hardware (phones, tablets, etc.), email & services. Why are people so gullible? I guess they simply cannot face the fact of how ruthless tech companies are. They’ve created this image of being innocent nerds and scientists, but they’re no different than the oil companies and defense contractors. They are pretty much the same “military-industrial complex”. Like I said, people are gullible, they still think it’s just a conspiracy theory.

  3. Earl said on November 24, 2017 at 1:35 pm
    Reply

    “…records keystrokes…” — sounds illegal.

    1. Jason said on November 24, 2017 at 7:02 pm
      Reply

      I imagine that if this ever goes to court, the counter-argument will be that a website “must” record keystrokes and mouse movements if it is to function. (For example, how do you log into a site if the site doesn’t pick up your data?) It then becomes a question of whether recording is legal under some circumstances and illegal under others. What a freaking mess…

      1. chesscanoe said on November 24, 2017 at 7:31 pm
        Reply

        It seems at least in the US, government and the law remain maybe 50 years behind technological “progress”. However lighting with candles to read real books doesn’t seem a likely solution either….

      2. Jason said on November 24, 2017 at 8:04 pm
        Reply

        @chesscanoe:

        It’s not just the law that is trailing behind technology. Ethics, those pesky things upon which the law is based, are trailing even further behind. (That puts the world wars into a whole new light, doesn’t it? When you create dangerous things that you can’t intellectually deal with, you’re asking for trouble.)

      3. Doc said on November 25, 2017 at 4:05 am
        Reply

        Not really. There’s a distinction between interacting with the site for the site’s functionality, and recording the interaction with the site for nefarious purposes (stealing passwords and credit card information) or aggregation (selling the input, or its analytical aggregate, for profit).

  4. TelV said on November 24, 2017 at 2:13 pm
    Reply

    It would appear that EasyPrivacy is only intended for the WebExtension version of ABP. When I tried to add it via the “Add Filter Subscription” in the extension, it doesn’t show up. I subsequently tried it via filterlists.com, but get the prompt that EasyList is necessary for it to run. However, I already had that installed. So after adding EasyPrivacy, I now have EasyList listed twice.

    I tried upgrading to ABP 3.01 last week, but didn’t like the new menu so I went back to using the legacy version 2.9.1

    Thanks for the tip though Martin.

    1. aaabbbccc said on November 24, 2017 at 5:19 pm
      Reply

      @ TeIV

      Go to adblockplus.org/subscriptions to add just the EasyPrivacy list to ABP 2.9.1.

  5. basicuser said on November 24, 2017 at 2:22 pm
    Reply

    Very interesting. Thanks for the heads up. I downloaded the .csv file and it opens in notepad, but is there a way to sort the list alphabetically by company/entity name? It’s not very useful with 10,000 entries listed by ranking.

    1. Anonymous said on November 24, 2017 at 3:00 pm
      Reply

      You can do that (sort by name and website name) on their site without downloading csv and parsing it localy, if you need all 1239 to be shown just edit ‘option value’ in dropdown list to 1300.

      If you need to do this localy, load csv file inside any spreadsheet application (excel, libreoffice calc, etc) and work with tables, cause that what it really is. Just select “tab” as “separator option” when opening.

    2. Scott said on November 25, 2017 at 2:37 am
      Reply
  6. guest said on November 24, 2017 at 3:17 pm
    Reply
  7. Jeff said on November 24, 2017 at 4:54 pm
    Reply

    Use the ScriptBlock extension for Chrome and whitelist sites you trust.

  8. basicuser said on November 25, 2017 at 8:21 pm
    Reply

    @ anonymous and Scott, thank you for your help and knowledge. It’s helpful to learn who the trackers are and be able to scroll the list for sites I use that may be tracking this way.

  9. Stefan said on November 25, 2017 at 8:33 pm
    Reply

    Google trusted ? Facebook trusted ? Doubleclick trusted ? Bing trusted ? Is it April the 1st ?

  10. basicuser said on November 25, 2017 at 10:50 pm
    Reply

    @ anonymous and Scott, thank you for your help and knowledge. It’s helpful to learn who the trackers are and be able to scroll the list to see what sites may be tracking with session replay scripts.

  11. Gernok said on November 25, 2017 at 11:21 pm
    Reply

    Since the interaction between the browser and the server for the most part is now via javascript, and all those interactions are events, all one has had to do for years is just record those events and play them back. You won’t even know you’re being recorded as it’s happening either via an api or on the server side asynchronously.

  12. Jay said on November 28, 2017 at 9:42 am
    Reply

    I work for a well known company and have personally installed software that records user sessions across our domains. We’ve been using the data for the past two years to help troubleshoot technical issues and gather information about how people interact with our sites to create better user experiences. This article is a one-sided disgrace and behind the times. Quite frankly blocking tracking like this is nearly as stupid as disabling all JavaScript. If you want to get riled up why not focus your energy on something that actually matters like your ISP being able to sell your browsing data without your consent or Net Neutrality? Focusing your energy on this is pointless as we already had all this data before … we just now have a better visualization of it.

  13. Ganges said on December 7, 2017 at 2:06 pm
    Reply

    I’ve always walked into your shop, had a look around, maybe even bought something. I would then walk out and walk down the street. You were always able to see me and I knew that. You weren’t able to see me after I turned into the next road down, or the road after that, or the road after that. Now you can. Now you watch my every move. Are you stalking me? I’ve not done anything wrong yet you still follow me. Why?

    STALKING IS ILLEGAL

Leave a Reply