A popular technique used by website operators to observe the keystrokes, mouse movements and scrolling behavior of visitors on web pages is fraught with risk, according to researchers at Princeton’s Center for Information Technology Policy.
The technique, offered by a number of service providers, uses scripts to capture the activity of a visitor on a web page, store it on the provider’s servers, and play it back on demand for a website’s operators, Tech News World reported.
The idea behind the practice is to give operators insight into how users are interacting with their websites and to identify broken and confusing pages.
“You use session replay scripts to find out where all the dead zones are on your website,” said Tod Beardsley, director of research at Rapid7.
“If you have a space for a ‘click here for 10 percent off’ and no one clicks there, there may be a problem with that page,” he added.
The scripts also can be used for support and to troubleshoot user problems, Beardsley added.
However, according to the researchers, the extent of data collected by the scripts far exceeds user expectations.
Text typed into forms is collected before a user submits the form, and precise mouse movements are saved -- all without any visual indication to the user. Furthermore, the data cannot be reasonably expected to be kept anonymous.
“In fact, some companies allow publishers to explicitly link recordings to a user’s real identity,” wrote the team. “Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.”
That means that whether a visitor completes a form and submits it to the website or not, any information keyed in at the website can be seen by the operator.