Scary But True: Hundreds of the Most Popular Sites Log Everything You Type

Ever feel like your every move is being watched when you're online? Well, you're not just being paranoid. Nearly 500 of the top 50,000 Web sites on Alexa use so-called "session replay" scripts from third-party companies to record practically everything users do while visiting their sites, according to new research from a team at Princeton University.

Among the activities being tracked and recorded are keystrokes, mouse movements, scrolling behavior, and content viewed from all the pages users visit. The researchers said it's as if "someone is looking over your shoulder" during the entire time you visit each of those sites. They found a total of 482 sites with signs indicating that data about user activity was being recorded and sent to third parties.

That level of tracking is enabled by scripts provided by third-party session replay companies that include Russia's Yandex, U.S.-based FullStory, Malta's Hotjar, U.K.-based UserReplay and SessionCam, the Czech Republic's Smartlook, and Israel-headquartered Clicktale. Among the Web sites using such scripts: WordPress, Microsoft, Adobe, Outbrain, Spotify, Rotten Tomatoes, Sears, Costco, The Gap, GoFundMe, CodeAcademy, FitBit, and the U.S. Embassy.

Users See No Indication of Recording

Session replay companies tout their scripts as a way for Web sites to improve usability, identify new business and marketing opportunities, and better understand their audiences by viewing visits "through your customer's eyes," according to Smartlook. However, some companies enable their users to view not just anonymized data about site visits, but identifying information about individual visitors.

"[T]he extent of data collected by these services far exceeds user expectations; text typed into forms is collected before the user submits the form, and precise mouse movements are saved, all without any visual indication to the user," Princeton researchers Steven Englehardt, Gunes Acar, and Arvind Narayanan wrote last week in a blog post...
