Session Replay Scripts: Top Websites Track Every Keystroke, Click

Researchers at Princeton University discovered more than 400 of the most-trafficked websites in the world contain third-party scripts that can track every action—including every keystroke—an individual user performs on the site.

The findings, published by researchers at Princeton’s Center for Information Technology Policy (CITP) as part of its “No Boundaries” series, highlight some of the invasive practices happening behind the scenes on websites and unbeknownst to users.

The tracking behavior stems primarily from scripts, or simple lines of code, that create what are called a “session replay.” Just as the name suggests, the code records everything a user does while visiting a particular page with the script running and allows a third-party to replay that user’s session in full.

Such scripts aren’t entirely uncommon and can be used for legitimate purposes, such as identifying confusing or non-functioning parts of a web page or to provide insight into how users are interacting with a site.

However, the scripts don’t discern between information that would be helpful for improving the user interface of the site and information that is personal in nature and shouldn’t be shared—they simply collect every part of a user’s session, potentially exposing information to third parties that was never intended to be shared.

Typing information into a form, for example, could be recorded by the script—even if the information is never submitted to the website. Even accidentally pasting copied text into the box could be sent to a third-party server. Each keystroke and click is recorded

The possibility of a user’s information being recorded is made especially troubling by the fact that the scripts are often placed on pages where users are required to interact. That includes pages that ask a person to enter their password or answer a security question or enter any number of other sensitive bits of information.

The researchers said that information gathered by the session replay scripts can’t “reasonably be expected to be kept anonymous,” meaning once it is collected by the script and sent to a third-party server, it can be viewed and used any way that the company behind the script so chooses.

Some of the most popular session replay scripts are FullStory, SessionCam, Clicktale, Smartlook, UserReplay, Hotjar and Yandex—a script from Russia’s most popular search engine. The scripts were found on 482 of the world’s top 50,000 websites, according to the researchers.

Websites like men’s retailer Bonobos; general store and pharmacy Walgreens; financial investment firm Fidelity, telecommunications providers Xfinity, Comcast and T-Mobile; clothing retailer Gap; tech firms Intel and Lenovo were all found to have at least one of the session replay scripts. The researchers published a full list of all sites found to have such scripts.

The best way for users to prevent session replay scripts from tracking their activity and collecting their information is to use an ad blocker. AdBlock Plus, which is available for most popular web browsers, blocks all seven of the session replay scripts tested for by the researchers at Princeton.