
Hundreds of web firms record 'every keystroke' - mhb
http://www.bbc.com/news/technology-42065650
======
SCdF
Not to bang on about it, but this kind of thing is why I use an ad-blocker.

It's barely even about ads in the traditional sense anymore, it's about being
able to read a fucking article without having half the internet downloaded in
the background while every nano of my being available is processed and
analysed by 30 different tracking companies simultaneously.

~~~
jasonkostempski
It's not as sexy a name, but I think ad blockers should be primarily described
as tracking blockers. It sounds as important as "anti-virus" and I think it
could drive a few more people towards using them.

~~~
clouddrover
Firefox and Brave have tracking protection built-in. Not sure if any other
browsers offer this out of the box.

~~~
jasonkostempski
Firefox doesn't really have tracking protection built-in. There's "Do not
track", but that's worse than worthless and off by default, and you can turn
on blocking third-party cookies but, again, off by default and only covers a
small area of concern. I don't even know what to say about Brave other than
the business model feels very wrong.

Firefox + uBlock Origin is the right level of protection and you can get it on
desktop and mobile (Android at least).

I've come across a few sites that were still using affiliate links and uO
didn't block them. I'm not sure if uO has a policy of not blocking them but,
to me, those are the only type of "acceptable ad" and CPU cycles shouldn't be
wasted trying to detect and eliminate them.

~~~
dhimes
I use noscript and am pretty happy with it. I also use Adblock Plus because
I'm ok with the _idea_ of allowing certain types of ads through the
adblockers. I was kind of thinking that we could get sites to stop doing the
tracking bullshit if we put out a list of what is acceptable and blocked the
rest. I guess it wasn't well executed?

~~~
libertyEQ
I see people mention noscript and uMatrix a lot, but you should also consider
RequestPolicy for added protection:
[https://requestpolicycontinued.github.io/](https://requestpolicycontinued.github.io/)

~~~
thisacctforreal
As far as I can tell uMatrix covers this (XHRs).

------
KozmoNau7
This is why it is absolutely mandatory that any browser I use has Privacy
Badger and uBlock Origin in dynamic mode with all 3rd party scripts and 3rd
party frames blocked by default, in addition to the static block lists.

Dynamic mode is the somewhat hidden feature that makes uBlock Origin as
powerful as NoScript, and more flexible when it comes to differentiating
between whether to allow content from a domain globally, or only on specific
sites.

[https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-qu...](https://github.com/gorhill/uBlock/wiki/Dynamic-filtering:-quick-guide)

 _Highly_ recommended.

~~~
tombrossman
Long time NoScript user here, and I had to remove it today as it is completely
broken and unusable. I cannot even get the preferences to open so I can export
my whitelisted domains to uMatrix, which I'm testing as a replacement.

I would like to combine uBlock and uMatrix, but I'm not sure I can replicate
the functionality I want. Your mention of dynamic filtering is interesting and
I wonder if others are using it and can make a recommendation?

I need all JavaScript off by default (including first-party) and the ability
to block both ad-serving domains and filters such as _/ads/_ that work across
all domains. Is this possible to do entirely within uBlock Origin?

~~~
dhimes
Did you change browsers or something? Noscript seems to still work fine for
me. Linux Firefox 56.0 (64-bit)

~~~
Daycrawler
Firefox 57 was released a couple of weeks ago and breaks most extensions by
dropping the legacy add-on system.

~~~
tombrossman
For the avoidance of doubt, NoScript version 10 shipped a few days after FF57
was released, and it is an update to that combination which is not working for
me. I uninstalled & reinstalled the extension, and clicking on the settings
icon instantly crashes the browser. It is totally unusable for me.

------
mattkevan
Bit hypocritical of the publisher to be decrying intrusive analytics when
their site is running Comscore and Chartbeat tracking.

Not to bash the BBC – _all_ web publishers are using this stuff and loads
more. The BBC are unusually good actually, as their sites don't run adverts
and all the adtech crap that comes with them.

As someone who designs and builds websites, the data provided by platforms
like Hotjar etc. are very useful. And the advertising stuff is required if you
want to keep the lights on (unless you have another source of funding like the
BBC).

As a user I block it all with extreme prejudice.

~~~
flukus
> Not to bash the BBC – all web publishers are using this stuff and loads
> more. The BBC are unusually good actually, as their sites don't run adverts
> and all the adtech crap that comes with them.

Recently I was surprised to discover that the Australian equivalent that also
has no advertising has half a dozen trackers on their main page. Plus twitter
integration and CDN material.

------
mattzito
I agree that this can be used for ill, but there's a number of very valid
reasons to use these tools:

- Heatmap views of where people hover and start to type

- capture of individual sessions to research support cases

- Better understanding of user flows through a site or web app

And all of these tools, at least the reputable ones cited in the article,
allow you to mask fields or parts of the screens so that PII isn't captured,
and reputable companies do that.

The other part of this that I don't think the article captures well is that
these tools aren't used for targeting of ads or personalization or "spying" in
the sense of malice, but to try to better understand users, what they're
trying to find on a site, and clarify pain when using applications. I also
think the people that use these tools, generally speaking, are perfectly fine
with blocking them, since it's meant as a diagnostic and analytic tool.

~~~
erikbern
I've found these tools extremely useful to understand user behavior. We rely
on Fullstory all the time to improve the user experience, to identify bugs,
and to debug user issues.

The result of these tools is a far better user experience on our site and many
other sites.

"recording every keystroke" makes it sound like there's malicious intent, but
it's misleading. It should be added that all these tools have a lot of options
to avoid tracking sensitive data (like password fields) and we always rely on
that (in fact anything else would be a compliance violation for us).

~~~
titzer
> "recording every keystroke" makes it sound like there's malicious intent

Thinking from a security perspective, I'm not sure "intent" is an important
consideration. The question is: should third parties have the technical
capability to do this?

IMO there are enough bad actors out there to answer this with a resounding
_no_, at least by default.

If you want to record user browsing sessions, you should ask permission.

~~~
zerocrates
I suppose the issue here is that these aren't really "third" parties doing the
recording, even if they're using third-party scripts.

~~~
arkh
Yeah the owner of the website which includes the script has only their website
data.

The third party follows users over all the websites they're deployed on. Best
example is google analytics and all beacons scripts (G+, FB like, share on
twitter etc.) which track you almost everywhere.

------
toomanybeersies
And this is why we need the GDPR. The potential for the sheer amount of
sensitive personal information that this can hoover up is extraordinary.

~~~
rwmj
An EU regulation for data protection
([https://en.wikipedia.org/wiki/General_Data_Protection_Regula...](https://en.wikipedia.org/wiki/General_Data_Protection_Regulation))
for anyone else who was wondering.

~~~
jerf
If you are a tech-type company doing business in the EU and this is news to
you, hie thee hence to a lawyer forthwith. The GDPR has teeth. You are not
going to want to discover you're in violation the hard way.

~~~
jacquesm
2018 will likely not see active enforcement, a couple of stern warnings and
maybe a single case to court to show they mean business. But I fully expect
the hammer to come down in 2019 and frankly I can't wait.

I look at a lot of companies professionally and the range goes from: "GDPR?
What is that?" to "Sure, we're ready, here is what we did and we are already
compliant.".

Most companies are somewhere in the middle between those two, they are aware
that something is changing but they are still trying to figure out the impact
on their business. Lawyers are - unless their specialty is privacy law and
they have boned up on this - pretty useless and generally tend to know even
less.

------
thrillgore
Many a year ago, an ad firm used to track the words you highlighted with your
cursor. I wrote a userscript that highlights every letter repeatedly to spell
out "FUCKYOU" when it loaded that company's JS.

I mean why do advertisers think it's impressive to do this? I swear they
increase their intrusion and in return more and more people tune into ad
blocking. And don't even ask what I do about sites that insist I turn it off
-- I blacklist them.

------
tzahola
Is there a browser or extension which doesn't enable mouse and keyboard events
by default? I would like to see permission alerts for mouse and keyboard
listeners similar to location permission requests.

------
hpaavola
About 6 months ago I got tired of all the tracking and fingerprinting that is
going on and installed NoScript. Surprisingly few web pages require
Javascript. Give it a try, you might be pleasantly surprised.

~~~
ekianjo
That's not the case at all if you go to a site that uses React. For those, you
are welcomed by a blank page with NoScript.

~~~
lucideer
This is somewhat moot as (a) I think most React devs don't do this, and (b) if
they do, the resulting page may still not be very useful.

However, any React developer worth their salt (probably still a minority, as
mentioned above) should be using ReactDOMServer which will render the page
fine without browser JS being enabled.

~~~
plif
I thought this was mainly used to improve first load speed. The site won't be
very useful if you can't interact with it beyond that.

~~~
lucideer
While it does depend on the purpose of your site, even in the purest examples
in the "web app" category, I can think of very few sites that are guaranteed
to be absolutely 100% useless without interactivity. Certainly not as useless
as a white screen.

In most cases though, you should be able to present a pretty useful static
page by default without too much effort.

------
edwhitesell
Once again, this is why I've blocked javascript for years. Browsers really
need to start offering this without add-ons or extensions.

~~~
notzorbo3
Whenever someone complains about a website not working without javascript
enabled, someone inevitably responds "it's 2017, you can expect javascript to
be enabled". I think that piece of knowledge is outdated:

- Late 1990's: static html documents + forms
- early 2000's: shitty DHTML scripts that added nothing
- early 2010's: javascript + gracefully downgrading sites
- 2015/16: required useful javascript everywhere
- early 2017: trackers everywhere, html5 popups, trackers, spyware, trackers, bitcoin miners, trackers, etc, etc.

2017 is the year where you NEED a javascript blocker. What's the use of having
any security at all if you're going to leave the biggest attack vector in
modern times _completely_ unprotected?

Plus, the web has become completely unusable without a script blocker.

~~~
umanwizard
> the web has become completely unusable without a script blocker.

When you exaggerate like that, it diminishes your point. I use the web all
day, every day and I have never installed a script blocker.

~~~
KozmoNau7
Maybe not outright unusable, but certainly really fucking annoying.

Not to mention hazardous.

------
ordinaryperson
We use HotJar at work, and it's super useful to see heatmaps of what people
click on and what they ignore.

This article is a little clickbaity - it implies your passwords and other
private info are being stolen, instead of just webpage clicks.

Maybe people can hack those tools for ill but that's true of almost any web
software platform.

~~~
noxToken
I don't want to be alarmist, but just because it's not stolen doesn't mean
that it isn't logged. I've worked with Dynatrace. I've used it to piece together
bugs that QA had found but couldn't reproduce a second time around. It's truly
powerful software.

After a test data refresh, we lost some of the new test passwords
associated with some of the new data. Then it clicked: Dynatrace has
keylogging. I searched for login events of those users, and sure enough, there
were the keystrokes for the passwords of each of those users.

Yes, this kind of software is a godsend for debugging, but improper usage,
storage or transmission of data is a real concern.

------
gnu8
It's our fault for turning the web into the monstrosity it has become. Web
browsers are for displaying hypertext documents. DOCUMENTS. Why on earth are
we executing code at all?

~~~
oblio
For the same reason all major document formats execute code.

PDFs execute code, DOC(X)s execute code.

Users want features: interactivity, automation of various bits, etc. Features
= users = money. Money > anything (security, privacy, etc.).

~~~
jacquesm
Plenty of that could have been achieved by slower but more consistent and
secure development of extensions to HTML.

That wouldn't give you Google maps, docs or gmail, but the vast majority of
SAAS products could have probably been created in one way or another with the
restriction that no code could execute client side.

More and more pages that could have worked just fine now render as totally
blank because client side frameworks are now being pushed from every angle. As
an end user there is no clear advantage to this.

~~~
umanwizard
> That wouldn't give you Google maps, docs or gmail

So, it wouldn't have given you three of the most important and useful
applications in the modern world, used every day by millions of people.

~~~
jacquesm
No, it would not have given you those _on the web_. You could have simply made
applications that do the same thing.

Gmail could have been made to work (on the web) by the way, just not with such
a spiffy interface, and maps _probably_ as well.

~~~
oblio
> just not with such a spiffy interface

What makes you think that's not the main selling point of those applications?
"Except for that one thing that normal people care about, my sticks-and-stones
are just as good!" :)

~~~
jacquesm
Works in a secure and predictable way without eye candy to me trumps works in
an insecure way but has eye candy.

Software was plenty usable before we had the CPU power to burn on 'pretty'. In
fact, in many ways it was _more_ usable.

To some extent hardware has outpaced our ability to do useful things with the
cycles and transistor budgets available. So we've become super wasteful and
our software is now mostly immature. If instead clock cycles had doubled every
decade or two and ditto with the transistor count we probably would have had a
much more mature software ecosystem as a result, rather than a bunch of
pretty junk with plenty of that pretty junk as a service rather than as an
application that you control and all the security headaches that come with
that.

------
Dowwie
The Princeton study: [https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfil...](https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/)

------
ourmandave
Makes me want to search StackOverflow to see who asked how to reverse the
order of a keystroke log file, so they can see if anyone backspaced off "your
site sucks" in the comments box.

------
Exuma
Does uBlock origin block these recorders without having to do all kinds of
crazy advanced config?

Edit: To anyone else wondering the same thing, the answer is no. However,
Ghostery does block it. I didn't like ghostery before because it broke all
kinds of sites, so this time around I re-added it except I ONLY selected the
"Site Analytics" category and left all the others blank (which can be handled
by uBlock origin).

~~~
KozmoNau7
Ditch Ghostery, they collect and sell your information (how ironic). Use
Privacy Badger instead.

~~~
Exuma
That didn't block the inspectlet demo:
[https://www.inspectlet.com/hello/capturedemo](https://www.inspectlet.com/hello/capturedemo)

Do you have a source for them selling data?

~~~
KozmoNau7
That demo doesn't record anything at all here, or at least it certainly cannot
play anything back. I'm using Privacy Badger and uBlock Origin (with dynamic
mode on).

In all fairness to Ghostery, it seems they've cleaned up their act after being
bought out by Cliqz: [https://adexchanger.com/data-exchanges/ghostery-sheds-ad-tra...](https://adexchanger.com/data-exchanges/ghostery-sheds-ad-tracker-sells-off-plug-focus-compliance/)

Specifically, it was the Ghostrank feature that was troublesome:
[https://en.wikipedia.org/wiki/Ghostery#Criticism](https://en.wikipedia.org/wiki/Ghostery#Criticism)

I don't know how the current version of Ghostery behaves.

------
rahimnathwani
It's more than hundreds. I'm guessing that _each_ of Inspectlet, Hotjar,
Mouseflow, Crazy Egg and Full Story has hundreds of customers.

But it's not 'every keystroke', but keystrokes you make whilst interacting
with a page on that particular site.

------
steveeq1
When they "record every keystroke", do they mean: a) every keystroke on that
particular webpage? b) every keystroke of any webpage on any tab of the
browser? c) every keystroke on the laptop itself?

If it's b or c, I have a MAJOR problem with this.

~~~
zanedb
It's referring to scenario A, since the code only runs on that webpage (or any
others with it).

~~~
ams6110
Assuming no bugs in the browser's same-origin implementation.

------
djhworld
This is what worries me a bit about browser extensions like 1 password and
other password managers.

Could a website that has a keylogger in it potentially pick up these
keystrokes when I put my password into an extension?

~~~
plif
No. They only have access to anything inputted within their site's window.

I think this article is a bit sensationalist. These sites already have access
to all of your data (stored in their databases!). There's nothing additional
they are gaining from this aside from how you input that data. That is much
less sensitive information and I can't think of another usage aside from
improving their site's UX.

~~~
djhworld
Is there a risk of information leakage?

Say for example a website asks me for something (e.g. an address, phone
number, bank account number), I type it in (thus registering my keystroke
presses to the keylogger) and then realise oops I didn't mean to type that, I
meant to type something else

Does the website then submit the logged keystrokes for offline analysis?

~~~
plif
Yes, theoretically in the case you mentioned.

All responsible implementations of this won't actually log PII. It's pretty
trivial to withhold certain inputs. All of the services mentioned in the
article have easy ways to flag an input field as private / do not log. I'd
wager a lot of money that these sites are interested in gathering UX data and
not scraping for accidental form input.

I suppose there's a certain level of trust involved, but I don't think that's
any different than when you make an online purchase. /shrug
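
What "flag an input field as private / do not log" looks like in code, as an added example that is neither the article's nor any vendor's: a minimal session-replay style recorder with the redaction policy plif describes, beside the no-policy behaviour noxToken ran into. The field attributes it checks, the data-replay-private opt-out attribute and the sample form are assumptions.

```javascript
// Added example (not the article's or any vendor's code): a minimal
// session-replay style input recorder with a redaction policy applied
// before a keystroke ever leaves the page.

// Field types that are never recorded, whatever the page says about them.
const SENSITIVE_TYPES = new Set(["password", "hidden", "file"]);
// WHATWG autocomplete tokens that mark credentials and payment data.
const SENSITIVE_AUTOCOMPLETE = /^(cc-|new-password|current-password|one-time-code)/;

// `field` only needs the attributes a real <input> exposes (type, autocomplete,
// dataset, name), so this works on DOM elements and on the plain objects below.
function isSensitive(field) {
  const type = (field.type || "text").toLowerCase();
  if (SENSITIVE_TYPES.has(type)) return true;
  if (SENSITIVE_AUTOCOMPLETE.test((field.autocomplete || "").toLowerCase())) return true;
  // Site-level "do not log" opt-out; the data-replay-private attribute name is
  // an assumption, each vendor uses its own flag for this.
  return Boolean(field.dataset && field.dataset.replayPrivate !== undefined);
}

// A fixed token, unlike "*" per character, does not even leak the typed length.
function redact() {
  return "[redacted]";
}

// The event a hardened recorder would send to the replay service.
function recordInput(field, value) {
  const sensitive = isSensitive(field);
  return { field: field.name || "(unnamed)", value: sensitive ? redact() : value, redacted: sensitive };
}

// The failure mode described in the thread: a recorder with no policy keeps
// everything, so searching the log for a login event shows the password.
function naiveRecord(field, value) {
  return { field: field.name || "(unnamed)", value, redacted: false };
}

// Record one pass over a form with the chosen policy.
function recordSession(form, typed, policy = recordInput) {
  return form.map((f) => policy(f, typed[f.name] || ""));
}

// Constructed sample form and typed values, not taken from the article.
const SAMPLE_FORM = [
  { name: "email", type: "text", autocomplete: "username" },
  { name: "password", type: "password", autocomplete: "current-password" },
  { name: "card", type: "text", autocomplete: "cc-number" },
  { name: "notes", type: "text", dataset: { replayPrivate: "" } },
  { name: "search", type: "search" },
];
const SAMPLE_TYPED = {
  email: "alice@example.com", password: "hunter2", card: "4111111111111111",
  notes: "private note", search: "cheap flights",
};

console.log(JSON.stringify(recordSession(SAMPLE_FORM, SAMPLE_TYPED), null, 1));
```

Passing `naiveRecord` as the policy reproduces the leak: the login event then carries the password in clear, exactly what turned up in the log search described above.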

------
hashkb
This is sensationalized, fear-based reporting. Classic case of someone
publishing a strong opinion about something they don't understand. Unless she
is trying to imply that security issues are inevitable, session replay tools
are used to improve user experience in 95% of cases.

------
Banthum
Not that I agree with the practice or anything, but I have to call out how
obviously maximally-outrage-inducing the headline is. From the middle of the
story:

>They found that 482 of the world's top 50,000 sites used scripts provided by
one of these firms.

Less than 1% of the sites did this.

God I'm tired of this kind of "journalism".

