How to protect yourself from Session Replay tracking
As if Internet advertising was not already in deep enough trouble, companies continue to research and use new invasive tracking capabilities on a regular basis.
Session Replay is one of the most recent that came to light. This is an advanced type of analytics software which doesn't only track basic parameters such as the time spent on sites or site visits, but records every keystroke, mouse movement and other activity on the pages the scripts are loaded on.
Basically, these scripts record anything that the user does, as well as other parameters that regular analytics scripts track, and you can compare them to someone looking over your shoulder while you use your computer.
Turns out, there is a whole new industry around Session Replay scripts, with multiple companies offering scripts and solutions, and lots of sites making use of them.
A recent study analyzed the functionality and implementation of six Session Replay scripts. The researchers found that almost 1% of the top 50k Alexa sites implemented this type of script, among them popular destinations such as WordPress.com, Yandex.ru, Microsoft.com, Adobe.com, Godaddy.com, or Softonic.com.
All scripts attempt to exclude sensitive user data such as passwords from being recorded, but this is far from a perfect system as the researchers discovered during tests. In short: personal information may, and probably will, leak when these scripts run on sites the user visits.
The researchers have released the list of sites that make use of Session Replay scripts, or at least use the analytics script.
How to protect yourself from Session Replay tracking
You have two core options to protect yourself from Session Replay scripts:
- Block all scripts on sites, and only allow scripts to run on sites that you trust.
- Block the Session Replay scripts directly, so that they are not loaded.
You can use a browser extension like NoScript, uBlock Origin or uMatrix to block these scripts from being loaded on sites you visit. This protection only works for as long as you don't allow scripts to run on the sites you visit, so keep that in mind when you whitelist a site.
The second option automates the process, especially if you use a content blocker and a list that blocks these scripts.
The popular EasyPrivacy list blocks several of the Session Replay tracking scripts, for instance. The following lines were added to EasyPrivacy recently to block Session Replay scripts (the entries prefixed with + are the new rules; the surrounding entries are existing neighbours in the list):
- ||ftbpro.com^$third-party
- ||fueldeck.com^$third-party
- ||fugetech.com^$third-party
- +||fullstory.com^$third-party
- ||funneld.com^$third-party
- ||funstage.com^$third-party
- ||fuse-data.com^$third-party
- |smartctr.com^$third-party
- ||smarterhq.io^$third-party
- ||smarterremarketer.net^$third-party
- +||smartlook.com^$third-party
- ||smartology.co^$third-party
- ||smartracker.net^$third-party
- ||smartzonessva.com^$third-party
- ||userlook.com^$third-party
- ||userneeds.dk^$third-party
- ||useronlinecounter.com^$third-party
- +||userreplay.net^$third-party
- ||userreport.com^$third-party
- ||users-api.com^$third-party
- ||userzoom.com^$third-party
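As an added illustration of what these rules match (example code written for this page, not code from EasyList, uBlock Origin or any other blocker), the following JavaScript implements only the ||host^$third-party rule form used above. It shows that a rule covers the host and its subdomains but not look-alike names, and that, because of the $third-party option, the same script is not blocked when it is loaded by the vendor's own site.

```javascript
// Added example: a minimal matcher for the "||host^$third-party" rule form
// quoted from EasyPrivacy above. It ignores the rest of the Adblock Plus
// syntax and approximates the registrable domain as the last two labels
// instead of consulting the Public Suffix List.
const SESSION_REPLAY_RULES = [
  "||fullstory.com^$third-party",
  "||smartlook.com^$third-party",
  "||userreplay.net^$third-party",
];

// Split "||host^$opt1,opt2" into its host and option list.
function parseRule(rule) {
  const m = /^\|\|([^^\/$]+)\^(?:\$(.+))?$/.exec(rule);
  if (!m) throw new Error("unsupported rule syntax: " + rule);
  const options = m[2] ? m[2].split(",") : [];
  return { host: m[1].toLowerCase(), thirdPartyOnly: options.includes("third-party") };
}

// Approximation of the registrable domain (example.com for cdn.example.com).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// "||host^" matches the host itself or any subdomain, never a longer
// hostname that merely ends in the same characters (e.g. notfullstory.com).
function hostMatches(ruleHost, hostname) {
  return hostname === ruleHost || hostname.endsWith("." + ruleHost);
}

// Would this rule set block scriptUrl when the page at pageUrl requests it?
function isBlocked(scriptUrl, pageUrl, rules = SESSION_REPLAY_RULES) {
  const script = new URL(scriptUrl);
  const page = new URL(pageUrl);
  const thirdParty =
    registrableDomain(script.hostname) !== registrableDomain(page.hostname);
  return rules
    .map(parseRule)
    .some((r) => hostMatches(r.host, script.hostname) &&
                 (!r.thirdPartyOnly || thirdParty));
}
```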
Some content blockers, uBlock Origin for instance, may subscribe you automatically to EasyPrivacy. Others may not; this is the case for Adblock Plus for instance.
You can add it to Adblock Plus and other content blockers from this page on the official EasyList website.
I’ve always walked into your shop, had a look around, maybe even bought something. I would then walk out and walk down the street. You were always able to see me and I knew that. You weren’t able to see me after I turned into the next road down, or the road after that, or the road after that. Now you can. Now you watch my every move. Are you stalking me? I’ve not done anything wrong yet you still follow me. Why?
STALKING IS ILLEGAL
I work for a well known company and have personally installed software that records user sessions across our domains. We’ve been using the data for the past two years to help troubleshoot technical issues and gather information about how people interact with our sites to create better user experiences. This article is a one-sided disgrace and behind the times. Quite frankly blocking tracking like this is nearly as stupid as disabling all JavaScript. If you want to get riled up why not focus your energy on something that actually matters like your ISP being able to sell your browsing data without your consent or Net Neutrality? Focusing your energy on this is pointless as we already had all this data before … we just now have a better visualization of it.
Since the interaction between the browser and the server for the most part is now via javascript, and all those interactions are events, all one has had to do for years is just record those events and play them back. You won’t even know you’re being recorded as it’s happening either via an api or on the server side asynchronously.
@ anonymous and Scott, thank you for your help and knowledge. It’s helpful to learn who the trackers are and be able to scroll the list to see what sites may be tracking with session replay scripts.
Google trusted? Facebook trusted? Doubleclick trusted? Bing trusted? Is it April the 1st?
@ anonymous and Scott, thank you for your help and knowledge. It’s helpful to learn who the trackers are and be able to scroll the list for sites I use that may be tracking this way.
Use the ScriptBlock extension for Chrome and whitelist sites you trust.
use adblock https://addons.opera.com/ru/extensions/details/adblockforopera/?display=en not working on chropera?
Very interesting. Thanks for the heads up. I downloaded the .csv file and it opens in notepad, but is there a way to sort the list alphabetically by company/entity name? It’s not very useful with 10,000 entries listed by ranking.
I've edited a copy to show a-z. Download here
https://drive.google.com/open?id=12BE5Dc0ZAQIkHsZ4MRHbn-xMMm8Qd6U-Yy_Qkkdn_Io
You can do that (sort by name and website name) on their site without downloading the csv and parsing it locally; if you need all 1239 to be shown, just edit 'option value' in the dropdown list to 1300.
If you need to do this locally, load the csv file inside any spreadsheet application (Excel, LibreOffice Calc, etc.) and work with tables, because that's what it really is. Just select "tab" as the "separator option" when opening.
It would appear that EasyPrivacy is only intended for the WebExtension version of ABP. When I tried to add it via the “Add Filter Subscription” in the extension, it doesn’t show up. I subsequently tried it via filterlists.com, but get the prompt that EasyList is necessary for it to run. However, I already had that installed. So after adding EasyPrivacy, I now have EasyList listed twice.
I tried upgrading to ABP 3.01 last week, but didn’t like the new menu so I went back to using the legacy version 2.9.1
Thanks for the tip though Martin.
@ TeIV
Go to adblockplus.org/subscriptions to add just the EasyPrivacy list to ABP 2.9.1.
“…records keystrokes…” — sounds illegal.
I imagine that if this ever goes to court, the counter-argument will be that a website “must” record keystrokes and mouse movements if it is to function. (For example, how do you log into a site if the site doesn’t pick up your data?) It then becomes a question of whether recording is legal under some circumstances and illegal under others. What a freaking mess…
Not really. There’s a distinction between interacting with the site for the site’s functionality, and recording the interaction with the site for nefarious purposes (stealing passwords and credit card information) or aggregation (selling the input, or its analytical aggregate, for profit).
@chesscanoe:
It’s not just the law that is trailing behind technology. Ethics, those pesky things upon which the law is based, are trailing even further behind. (That puts the world wars into a whole new light, doesn’t it? When you create dangerous things that you can’t intellectually deal with, you’re asking for trouble.)
It seems at least in the US, government and the law remain maybe 50 years behind technological “progress”. However lighting with candles to read real books doesn’t seem a likely solution either….
Very funny how the author of the original article didn't respond at all to the accusation of it being sponsored by Google (because there was no mention of Google Analytics at all).
Sane people use white-listing rather than black-listing (i.e. deny all that is not allowed).
If Google or Facebook did that, there would be much noise and lawsuits and they don’t want to take that chance. They know what pages you visit (if you don’t block their scripts) but probably not what you’re doing on those pages.
Google is involved in so much spying that the average person considers it a conspiracy theory. But it's true. Google is the #1 spy on the internet. It's not its advertising that is so invasive, it is that it tracks through multiple vectors: web, software, hardware (phones, tablets, etc.), email & services. Why are people so gullible? I guess they simply cannot face the fact of how ruthless tech companies are. They've created this image of being innocent nerds and scientists, but they're no different than the oil companies and defense contractors. They are pretty much the same "military-industrial complex". Like I said, people are gullible, they still think it's just a conspiracy theory.
>but probably not what you’re doing on those pages.
Sure thing, buddy.
https://blog.sessioncam.com/how-to-easily-combine-google-analytics-with-session-replay-a76a85637dca
And you can integrate it with many, many more session replay tools, and as long as you have any external scripts on your site you can't guarantee what they really do with data on their end. They may have told you that they won't store anything and will anonymize/generalize data, but it doesn't mean it's true; just look at the recent news about Google location being on even if the interface says otherwise. That's because Google Play services can do whatever they want and you won't know it, because there is no transparency at all.
You’ll find EasyList and many other content filters on this truly handy page: https://filterlists.com/
This is just a suggestion; I installed many useful filters in uBlock Origin from this project owned by Collin M. Barrett.
use adblock opera presto? (not adblock +)
Thanks for the tip SC. I’d bookmarked the site a while back, but had forgotten all about it and your post jolted my memory. :)