
No, you’re not being paranoid. Sites really are watching your every move - gregcrv
https://arstechnica.com/tech-policy/2017/11/an-alarming-number-of-sites-employ-privacy-invading-session-replay-scripts/
======
everybodyknows
"umatrix" is terrific at exposing this kind of mischief, immediately upon your
loading a new page -- as long as the logger has not been integrated into the
main site's scripting.

------
flukus
Who'd have thought running arbitrary code from random websites was a bad idea?

Blocking all scripts (at least by default) is the only solution.

~~~
wisebit
True. The problem is that websites like Walgreen, which simply break with no
JS, are only getting more common. I'd like to make a point of simply closing
the tab in such cases, but it's not always possible.

------
lykr0n
uBlock Origin and Ghostery deal with these kinds of trackers. Makes the
internet a lot quieter.

------
piratebroadcast
What's a js library that would do this? Would love to put a demo up on my
website to show the user.

~~~
throwawayjava
I did this in like 2005. I don't recall it taking more than an hour. For
simple sites, probably faster to just implement it than find a library and
read the docs.

Collection is easy. Just capture every key event and read the location of the
mouse in a sufficiently tight loop. Timestamp everything, bunch it and
send it to the server on a regular interval. You can do it in 10ish lines of
JavaScript.

Playback is the hard part, depending on your infrastructure. But if your site
is simple enough you don't even need a library; just load up the page the user
was on and play back the data.

I'd be surprised if there isn't already a Dropbox company out there going the
final 20% on this "just rsync it" comment though.

~~~
mbb70
FullStory, LogRocket, HotJar and Mouseflow all fit the bill, the search term
of choice appears to be "session replay".

~~~
throwawayjava
Funny, now "session replay" refers to both a privacy vulnerability and a
security vulnerability.

