Customer Service Agents Can See What You're Typing in Real Time (gizmodo.com)
222 points by curtis 23 days ago | 164 comments

Another thing people don't realize is that if your browser/extension prefills/autofills certain fields (say, name, email, address, etc), those things can be easily sent to the website even if you don't press the submit button.


Had this happen about 2 weeks ago when I was booking a hotel. This was not a chat window, like the article, but a hotel booking form. I had a few tabs open and filled in the booking information but found something a little more convenient. So, I did not submit the form and closed the tab. About 2-3 minutes later my phone started to ring. It was a customer service agent from that incomplete booking website asking if I needed a better deal!? This was extremely creepy! I guess they are grabbing the form data via xhr requests or something (pre-submit). Not only that they do this, but the speed at which they can action it, makes me think we're in a whole new ball game.

I had a workmate mock order some stickers and put in their boss's email, but did not submit. That evening, the boss got an email with the order, and the boss bought them (they were previously informed of the idea), thinking the employee had sent the order over.

This is old news. It's fairly easy to implement and most often done with simple google sheets.

Think you can give a short example code?

document.getElementById('myInput').addEventListener('change', event => fetch('https://myapi/textBoxData', {method: 'POST', body: event.target.value}));

It's amazing this still works in Chrome.

Open https://anttiviljami.github.io/browser-autofill-phishing/ , enter some auto-fill info, click "Submit" and monitor your "Network" tab requests. You'll find your browser leaked way more info than those 2 fields...

We had to deal with this in reverse: we had a form that depending on what you fill in and the settings doesn't show some options.

The browser was submitting the form with auto-fill details that failed the validation checks for those fields. Hard to show an error message for fields the user can't see.

Yes, it is more robust to have code on the server side discard input that isn't expected rather than validate it, but it's annoying extra work when those fields have no security impact.

The alternative is to tell the browser not to auto-fill those fields, but doing that feels broken too.
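An added example (not posted in the thread) of the "discard input that isn't expected" approach described above, in Node-style JavaScript: the server works out which fields the user could actually see for this submission and drops everything else before validating, so autofilled hidden fields never produce an error the user cannot act on. The form rules, field names and the autofilled submission are constructed for the example.

```javascript
// Added example (not from the thread): server-side handling of a form whose visible
// fields depend on an earlier choice. Browser autofill can populate fields the user
// never saw, so the server computes which fields were presented and silently drops
// the rest instead of failing validation on input the user could not have entered.
// Field names and rules below are constructed for this example.

// Which fields the form shows for each delivery method (constructed rules).
const FORM_RULES = {
  always: ['name', 'email', 'delivery'],
  byDelivery: {
    pickup: ['store_id'],
    courier: ['street', 'city', 'postcode'],
  },
};

// The set of fields the user could actually see for this submission.
function expectedFields(body) {
  const extra = FORM_RULES.byDelivery[body.delivery] || [];
  return new Set([...FORM_RULES.always, ...extra]);
}

// Keep only expected fields; report what was discarded so it can be logged.
function sanitizeSubmission(body) {
  const allowed = expectedFields(body);
  const kept = {};
  const dropped = [];
  for (const [key, value] of Object.entries(body)) {
    if (allowed.has(key)) kept[key] = value;
    else dropped.push(key);
  }
  return { kept, dropped };
}

// Validate only the fields the user could see; hidden fields never produce errors.
function validateSubmission(body) {
  const { kept, dropped } = sanitizeSubmission(body);
  const errors = [];
  for (const field of expectedFields(kept)) {
    if (kept[field] === undefined || String(kept[field]).trim() === '') {
      errors.push(`${field} is required`);
    }
  }
  if (kept.email && !/^[^@\s]+@[^@\s]+$/.test(kept.email)) errors.push('email is invalid');
  return { ok: errors.length === 0, errors, kept, dropped };
}

// Constructed sample: the user chose pickup; the browser autofilled the hidden
// courier address fields and a card-number field the form never rendered.
const AUTOFILLED_PICKUP = {
  name: 'A. Example',
  email: 'a@example.test',
  delivery: 'pickup',
  store_id: '12',
  street: '1 Main St',
  city: 'Springfield',
  postcode: '00000',
  cc_number: '0000 0000 0000 0000', // constructed placeholder, not a real card number
};
```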

scary... is there any valid scenario where user expects browser to auto-fill the hidden fields?

It's just pretty difficult to ensure a field really is visible to the user; the problem is it'll always have some weaknesses, and those who would abuse it will find those weaknesses.

Yeah, that’s why Safari no longer autofills until you tell it to.

Firefox does it for passwords if you pick to save your password but other fields I just have to double click the field and it drops down with a list of things I have put in it before.

Is there a way to change Firefox's behavior for passwords so that I need to click to fill them in? I couldn't find anything in a quick Google search.

Password should be saved per-site. Like, I think they actually are.

You're right, that mitigates most of the risk.

Firefox seems to save passwords per domain name. This may not be specific enough in certain cases. E.g., if I have a password on domain.com, but domain.com offers web hosting at domain.com/username, then my understanding is it would be relatively easy to obtain my credentials for domain.com with the right phishing site at domain.com/username. Correct me if I'm wrong.

The entire web security model breaks down in this case. No web hosting except the most hacked together system does this. They all provide subdomains or sanitize the content so it can't run any code. Like the sibling comment pointed out, you could just use JS to grab your login cookie from the other site.

Good points. Unfortunately there are a lot of "hacked together" services out there.

I can think of one site I had to use recently for event registration which suffered from the flaw I mentioned. (Note that I have no choice over which service to use here, as I don't run the event.) The site puts each event under different directories, not subdomains as it should. Firefox saved my login details for one past event and wanted to use them for another event. I don't know the extent by which the event pages can be customized, but if you could put the right JS on one event page then it seems there are multiple approaches to getting credentials and potentially obtaining sensitive information. Fortunately in this case an attacker wouldn't obtain much of value best I can tell.

In that case, cookies would be completely insecure as well

Does the browser actually enter the CC before you pick it? I don't think it does...

I wish that it was more prevalent for people to just assume and know that any website, regardless of whether or not it has a chat function, has the ability to record what you're saying (read: typing). Everyone out there should act like everything they type into their web browser has the potential to be seen by, at the very least, the website they're typing it on and, at worst, by everyone online.

If you really need the kind of security or peace of mind that this situation is not suitable for, type everything into a text editor and paste it into the website when you're ready to send it. Otherwise, you can't ever have any expectation of privacy on the web.

I don't think anyone is surprised, but it is still good to call out bad actors from time to time.

Whenever there's a story like this every hn response is "always assume you are being watched at all times!" - but nobody can maintain that kind of hyper vigilance forever, and it isn't a healthy way to live.

>I don't think anyone is surprised

I do. Nobody who goes on HN will be. But the layman who spends 80 hours a week working a minimum wage job who has no time for computers and just wants a Disney vacation for his kids, absolutely would be floored by this. It seems very reasonable to apply conventional logic to computers. You can write all you want on a piece of paper and then throw it away and nobody would see it. The same doesn't apply on the internet, but it's not a big leap for people who barely know how to log in.

> Nobody who goes on HN will be

I go on HN, and although I'm not surprised that this is possible, nor shocked that it's done, it is the kind of thing I could easily fail to think about, or assume is probably not actually being done by anyone I deal with.

I guess the analogy is that there is someone later on snooping through the trash. Yeah, it's creepy. No two ways about it.

It's healthy to not use autofill, and to not have your password manager integrate with your browser, and to use an ad blocker that blocks analytics stuff including intercom, segment, etc.

Having your password manager integrate with your browser is one of the best defenses against phishing, though. It will only fill the password if the origin matches.

... or if there's a bug, or if the bridge from the extension to the page content has a mistake that lets javascript on the page control it.

That's actually happened to all the major vendors like LastPass and OnePass, and to some of them it's happened the exact same way multiple times - a UI re-design re-introduces the same JS interop mistake.

some linky links: https://twitter.com/taviso/status/941711305668411393 https://twitter.com/taviso/status/769378052254015488

I've promoted password managers for a long time! Just not fancy convenient commercial ones, those are a huge mistake.

To my knowledge, 1Password (which is what I use) has never had one of these bugs. There is one flaw reported in the P0 bugtracker against 1Password, that another user on the same local machine running native code can trick the 1Password agent into believing that it's your browser extension https://crbug.com/project-zero/888 . All the machines where I run 1Password are single-user machines, so local processes running as other users aren't within my threat model anyway. (And I think this is 95%+ of people's threat models too on the machines where they run 1Password, although I understand why 1Password attempted to defend against this risk.)

1Password wrote an extended post in response to that vulnerability talking about defenses and threat models https://discussions.agilebits.com/discussion/70301/backgroun... and I don't see evidence that the vulnerability ever recurred.

And it was not a threat that allowed one website to get passwords for another website. It's true that other password managers have had such vulnerabilities - multiple times - but that's a reason to comparison-shop the various password managers and pick a secure one, not to write off the product category entirely.

Blocking intercom? Intercom doesn’t do creepy stuff.

Yes. Do all that stuff. You're still being watched at all times.

I don't think that the company "exposed" in the article is a bad actor. Seems like a helpful and reasonable thing to do.

If the site is using SSL, there is a reasonable expectation that only the server will see that data, not the entire world.

Depends if that server is storing every conversation in a non-password-protected mongo database. I'm going to stick with expecting the entire world is going to see it until security and privacy are valued much more than they are currently.

I disagree, assuming there are no other security holes (browser extensions, whatnot) then the server will initially receive it, but they can then forward that data to any third party they wish.

TLS has very little to do with it. Some intermediary parties may be able to read the plaintext, but that's different from putting it on pastebin for everyone to see. I've never heard of ISPs or transit providers publishing privacy-sensitive data or otherwise snooping on it. (Assuming non-business / non-VPN / non-proxy connections. Just an ordinary internet connection.)

The author probably meant if the site gets/is hacked, or if they are later bought by another company, or if a new employee joins and you can see chat history... etc.

Many high-profile commercial carriers will do deep packet inspection of the traffic from their end users, so that they can do insertion of their own ads into whatever content you may be surfing. Including on your webmail pages.

And their ad networks might well be infected with malware. But because of deep packet inspection and editing, you can't tell that the malvertising in question actually came from AT&T or Spectrum instead of Gmail.

I heard of one USA mobile carrier doing that at some point, but is it actually common anywhere on the planet? Even in the USA it seems to have been a one-off.

How are they able to do ad insertion into a https page?

I'm sure Google would not be happy with content injection into gmail.

Yeah, that doesn't make any sense, unless they're doing an MITM attack just to insert ads?

Although you're technically right, my point is more along the lines of people just being in the default state of skepticism. Be as secure as you, personally, can possibly be and just assume that everyone else isn't following standard security protocols, that their SSLs are invalid, and that they're monitoring what you're typing.

It's similar to the old adage about driving: "Drive like everyone else is an idiot out to kill you. Don't be right, be predictable."

Not really, because the site probably stores the data and the site could be breached, or they could sell (access to) the data.

Edit: In the worst-case, as per the GP's point.

Well you aren't wrong. I mean technically speaking if there is an SSL certificate, then in fact you are directly connected to the server and no one is in between.

The difference is that if I own the server, I can see your information even though it was a direct server connection. You directly fed the information to me. That is what is happening in these scenarios.

Nah, there are hundreds of CAs out there. People could get their SSL certs from any one of them and MITM all your supposedly secure web traffic.

And plenty of ISPs will do exactly that, if you give them half a chance.

Even in that case, what server? The server belonging to the url in the address bar? Or the one hosting that facebook icon? Or the one collecting the client-side metrics/analytics for the developers? Or the many serving you ads on that page?

If they log keystrokes (for security, UX research or whatever) there's a good chance that they send enough packets to allow an attacker to infer a lot just from observing frequency and length of packets.
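The inference the comment above describes, as an added simulation that is not part of the thread: a passive observer sees only the number and size of encrypted records, so a widget that uploads the draft on every keystroke reveals the character count (and per-character byte growth) even under TLS, while batching and padding the uploads removes most of that signal. The 180-byte per-request overhead and the sample draft are constructed values.

```javascript
// Added example (not from the thread): what a passive observer learns from a chat
// widget that uploads the draft on every keystroke, versus one that batches and pads.
// The observer never decrypts anything; it sees only how many TLS records cross the
// wire and how large each one is. Overheads and inputs are constructed numbers.

const HEADER_OVERHEAD = 180; // constructed: bytes of HTTP headers plus TLS framing per request

// Simulate the uploads made while one message is typed.
// 'keystroke': one request per character, each carrying the whole draft so far
//              (what the thread's addEventListener one-liner amounts to).
// 'padded':    one request per `batchChars` characters, body padded up to a
//              multiple of `padTo` bytes so its size no longer tracks the text.
function simulateUploads(text, mode, { batchChars = 8, padTo = 64 } = {}) {
  const sizes = [];
  if (mode === 'keystroke') {
    for (let i = 1; i <= text.length; i++) {
      sizes.push(HEADER_OVERHEAD + Buffer.byteLength(text.slice(0, i)));
    }
  } else if (mode === 'padded') {
    for (let end = batchChars; end < text.length + batchChars; end += batchChars) {
      const body = Buffer.byteLength(text.slice(0, Math.min(end, text.length)));
      sizes.push(HEADER_OVERHEAD + Math.ceil(body / padTo) * padTo);
    }
  } else {
    throw new Error(`unknown mode: ${mode}`);
  }
  return sizes;
}

// What the observer can conclude from record sizes alone.
function observe(sizes) {
  const growth = sizes.slice(1).map((s, i) => s - sizes[i]);
  return {
    requests: sizes.length,       // per-keystroke mode: one request per character typed
    growth,                       // +1 per ASCII character; +2..4 hints at non-ASCII input
    lastBodyBytes: sizes.length ? sizes[sizes.length - 1] - HEADER_OVERHEAD : 0,
  };
}

// Constructed draft typed into the widget (24 ASCII characters).
const SAMPLE_DRAFT = 'my order is 10 days late';
```

In keystroke mode the observer counts 24 requests growing by one byte each; in padded mode it sees three identical 244-byte requests and learns only that the draft was at most 64 bytes.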

Depends on what analytics and ad tracking are also running on that site

I'm confused why this is news or surprising? At least for the audience here.

I remember plugins for various IM clients would do the same thing in a chat window some decades ago. And I remember my days as a sysop in the good old single line dial up BBS days. You could watch users browse and type all the way back in the mid-80's and I'm sure this has existed about as long as multi-user computers have.

If you're typing into an application which is any part of a networked or multi-user system, assume someone can see what you do while you're doing it (and can log same for later review).

...maybe I'm just old and don't understand the kids these days... or maybe it's a slow news day...

I think a lot of it has to do with consumer expectations. We can all sit here and laugh and act unsurprised, but technology has conditioned users that the response isn't sent until you press "Send". It's bad (and I'd argue harmful) UX.

Imagine this scenario: Copying and pasting a debug log, realizing it contains personal or important information (such as password, SSN, or anything else) and it is sent to the agent before you have a chance to redact that info. Or it could be accidentally pasting the wrong thing. I know that I've accidentally pasted Twitter links into my code before.

EDIT: Just to clarify my point. If you're going to break deeply entrenched user expectations, especially in ways that are often used maliciously: explicitly say you are subverting those expectations.

The same reason there are "This call may be recorded" messages when calling in, it shouldn't hurt much to add a "For quality assurance purposes, your keypresses may be logged in the chat window".

And if it does hurt, then you should realize your subversion is malicious.

I think you're right. I also think the browser, as your agent, should enforce expectations. "This website wants to upload data. Allow? [Once] [Always] [No] [Click here to see the data.]"

Unfortunately, you'd have to prohibit downloads as well, as the request sent to the server could contain information.

Of course it's malicious. But it's so profitable!

We all know in the back of our head that it's possible. But seeing confirmation that it is happening definitely changes how I feel about textboxes.

I am old, and I've been online since 1984, and I still make beginner mistakes because like anyone else, I've been trained to click through and forget the risks, when I am acting like a consumer of service.

Maybe you have more discipline, more sense of control and focus all the time. I don't, and I know I am prone to making simplifying assumptions about things, because that's .. well .. human.

So.. I think either you are in denial about when you too make these kinds of mistakes "oh no: that only happens to other people, never happens to me" or .. you are a cyborg from the future.


The older IM clients (AIM, MSN, Yahoo, et al.) could tell you if someone was typing or entered unsent text, but it never previewed what had been typed. At least that wasn't a default option back then.

ICQ had a character-by-character mode they experimented with for a while. It was kinda fun. BBSs too.

Character by character IS fun. I've always wondered why newer messaging platforms haven't implemented it yet.

The history of real-time text probably goes back to at least the 1960's on the Compatible Time-Sharing System (CTSS).

https://en.wikipedia.org/wiki/Talk_(software) if you're on macOS, you have this command installed

http://mailman.postel.org/pipermail/internet-history/2002-De... (click on "Previous message" a few times too)


It wasn't the default option for sure and I remember having some extra add-on/plugin for it...

...but I recall that it was great fun (for about 5 minutes) answering questions before they had been fully typed and sent since I was the faster typist.

Modern IM clients do the same. I noticed WhatsApp saying "+44... is typing..." earlier.

You meant Pidgin's modes? It has methods to guess when a user was typing, but not the content.

Thought it was Pidgin, but might have been ICQ... it was a long, long time ago that I used any of these... can't remember specifically; maybe even MSN via Pidgin. Seems like it would have been more a function of the protocol that you were using than the client/plugin specifically (naturally that had to support it, too, but the more fundamental would have been the protocol.)

Definitely at the very least ICQ had it - remember freaking out friends by replying to their questions before they even clicked send. This was late 90s...

I'm a bit older and also remember this as well. I would watch in real time when my friends would type something out, or call out their mistakes in typing. I believe you're right about it being ICQ.

I remember this being a feature of ICQ in 1998.

Yeah exactly, this isn't anything new. This has been around for many years and is offered by a majority of live chat solutions out there.

As you mentioned, I am shocked that the HN audience is shocked by this. I could see my parents being surprised to discover this, but most HN readers should have figured this out a long time ago.

At work, the assumption is that every non-corp web site has a key logger built in. A corp extension monitors (key logs) all input on non-corp sites, checking if any credentials are accidentally typed. If they are, you're notified immediately on the last key press and have to change your credentials within 7 days of the incident. I think this is a reasonable idea for security, and helps prevent some phishing schemes.

> At work, the assumption is that every non-corp web site has a key logger built in. A corp extension monitors (key logs) all input on non-corp sites

Sounds like that assumption is well-founded!

> checking if any credentials are accidentally typed.

Doesn't that require maintaining a database of all credentials?

This shouldn't be a surprise to anyone who allows their browser to run all the Javascript that companies want it to (of course, assuming they have a decent understanding of the web to begin with, which is a huge limiting factor). Reading what you type in real time isn't even as invasive as most companies go, when they commonly track your cursor movements, the size of your window, what extensions you have, make attempts at getting browser history, and so on. And that's with just JS enabled, not counting access to devices like microphones and webcams. If you care about this you should be using an addon to (at the very least) limit js execution.

Even with JS disabled you can still get a lot of these via CSS. Sadly none of these technologies were designed with privacy in mind.

No? There are a couple of CSS privacy leaks, but the vast majority of privacy leaks are through JS.

Not sure what you are saying no to. I did not say anything that contradicts your statement.

> Even with JS disabled you can still get a lot of these via CSS.

Yes? I don't understand what the issue is.

Browsers are designed for websites to control the user experience, so it's little wonder when there are privacy or security issues

CSS can send HTTP requests without JavaScript? How does that work?


That page does say this:

The problem with this kind of CSS UI tracking is that we get only the first occurrence of the event. For example, take the :active pseudo class example. The request for the background image is fired only once. If we need to capture every click then, we have to change the URL, which is not possible without JavaScript.

It's also not clear to me how you could capture any keystrokes with this technique. Still, I did find it interesting.

Actually, it appears CSS is getting a new `attr` function, it looks like with that you might be able to just completely break security, consider...

    input[value] {
      background-image: attr(value url, 'no-input');
    }

On a page with some inputs, depending on how the standard evolves that might just start dispatching server requests.

In 2005 during the birth of "ajax" I got paid ($100 or something: it was great when I was a youngster!) to write an article warning of the spooky dangers of xmlhttprequest - keylogging everything you type. http://www.devx.com/webdev/Article/28861

There was a demo (dead now - I'll fix it) that was a text adventure, that keylogged. And it was interesting to see typos and changes of wording. It did provide some insight that wasn't always apparent in the final submitted text commands.

Even though in 2005 it was known you could do this (long before ajax), still today I'm a little taken-aback about being keylogged on a random website: despite having written a bloody article about it 15 years ago!

It's like rehearsing in front of a mirror, then finding out it's a one-way mirror and there were other people behind the mirror watching you the entire time.

I always suspected this. Particularly when you're typing something long-winded, and the agent's response is a bit too quick for having to read it all.

Although, this will certainly depend on the Chat software used. Back when we used Olark at our company, there was no preview available, although we could "co-browse" and redirect the user's webpage, which was helpful in some cases.

We (Olark) specifically decided not to implement the "read-ahead" or "sneak-peek" feature because we thought it was creepy and broke customer expectations.

When you are typing a message to customer service as a customer you should have a chance to compose your thoughts, and should have an expectation of privacy in whatever you are writing before hitting enter.

I greatly appreciate that. I'm disappointed that I probably can't incentivize other companies to follow your lead. There's little visibility or choice to the end-user as to which chat system they want to use, and I suspect most of your customers don't care that much either way, so it isn't a differentiating factor.

But I appreciate it. Thank you.

I work for Intercom, and we also did not implement these features for the same reasons.

I like that a lot. It is creepy, imho.

There's been more than a few times where I was up late, on a chat support, and quite upset about something or other... and decided to re-write my message before hitting the "Send" button. Composing your thoughts is valuable...

Also when you talk to tech support and copy some data from your system. I would normally paste the original line and replace the sensitive information before sending. I know it's possible to send all updates, but actually doing it is breaking lots of expectations.

I'm actually ok with this. It's a good way of getting more reliable subtext about a person's emotion. You'd gather that from someone stumbling their way through a real time voice conversation on the phone or in person - as well as the nuances in vocal tones and body language - but all that is lost in a text only interface. So this at least gives you an idea. E.g. are they ranting then deleting it for a more composed message? That might signal that the person is really pissed off but actually open to working with the agent for a mutual resolution.

The point another poster made about secrets is a valid one but I'd argue that the kind of secrets you're likely to be pasting are the same ones the support operator would have access to anyway (payment details, address, order details, etc). But if you're really worried, other HN posters said it best when they commented about typing in a desktop text editor then paste your text into the chat window.

It's ok if both parties know what's going on. If visitors are left with the expectation that a message becomes visible on the other end when they send it then it is not ok at all.

Agree. Both parties should be able to see the other typing, or neither should. I feel deceived and foolish that I never knew about this. It's creepy like a one-way mirror.

People give off all kinds of messages they don’t realise; from facial expressions and other forms of body language to the tone and volume of their speech. We are forever communicating far more information than we ever intend to, and people who deal with customers are trained how to read those tells so they can better handle customers' temperament as well as their spoken requirements.

You lose so much with typed text, which makes good customer service a lot harder. Thus as long as any pre-posted text isn’t stored anywhere (I fully expect posted chat logs would be) then I don’t see an issue with support operators using real time text as a glimpse into the customer's mood.


To the people who voted me down: I get that you disagree with me but I have been on courses regarding just this (which is weird because I couldn't be in a less customer facing job....) so what I'm talking about here isn't just some random junk I've invented off the cuff. It's what I was taught how customer services (the good ones anyway) work.

You don't sneakily access other people's draft thoughts without very explicitly asking for permission. The eavesdroppers are not reciprocating and sharing their typing either. They're not only creating an asymmetry: they're actively hiding it!

It's not the sort of environment you want asymmetry in. You want the customer services to be infallible - and by "you" I don't just mean company execs but also us customers who want to feel like we've been treated appropriately.

Anyone who's ever done a stint on 1st line tech support will understand just how much of a thankless job it is. If this helps them to serve me better then I welcome it.

I think the real complaint being made is that you didn't realise they were using these visual clues. But that's why I keep coming back to how other forms of customer services are trained to read vocal tones and body language. Would you also feel cheated if you learned your favourite high street store's customer services team had training on reading body language while you hadn't so they have an advantage in gauging your temperament but they didn't let on they had that training?

Don't get me wrong, I do see and understand your point. I'm very privacy minded so this is the kind of thing I'd normally get annoyed by as well. But at least this time the anti-privacy tools are genuinely being used to improve customer experience rather than just to monetise them (yes I know good customer experience can lead to repeat custom - but more often than not privacy is sold to the detriment of customer experience).

Thanks for the explanation and perspective. I still don't see how this justifies the deception.

Just to add a counterpoint, I handle a lot of customer service and the service provider I use happens to have this feature by default, and it drastically helps me to respond faster to customers. To date I haven't had anyone consider this an issue (even when I've accidentally sent a response before they even sent their message! - they just end up deleting their text and saying "thank you")

Great. Can they also read what I wrote and submitted before I reached #1 in the queue? So they don’t waste my time asking for my name, how am I, what I want, etc. I already outlined it all in the message!

On a recent customer service call, I bid the agent goodbye but did not hang up (deliberately - I wanted to see if they would terminate the call). The rep held the call open for a good 2-3 minutes even though there was nothing from my end except some typing. I’m fairly sure I heard some small sounds from their end so they didn’t just switch to another line.

I’m not usually paranoid - but moments like this remind me to hit the Mute button whenever I’m not directly conversing with an agent. You just never know what they’ll pick up.

> I’m fairly sure I heard some small sounds from their end so they didn’t just switch to another line.

Ever heard of the concept of comfort noise [0]? Maybe some call center software can add something analogous when necessary. Like noises you'd expect in a call center.

[0]: https://en.wikipedia.org/wiki/Comfort_noise

Or maybe the agent didn't want to take the next call in his queue and wanted to relax a bit.

> during those calls where you are reassured of “being recorded for quality assurance purposes,” your conversation while on hold is recorded.

I worked at a call center for a month or two one summer and when you'd put someone on hold you'd still hear them. I was only talking to network mechanics (ISP internal call center), but I am sure that the customer call center worked in the same way. I, after this experience, always assume someone can hear me.

Update: "I, after this experience, always assume someone can hear me." when I am on the phone with customer services, not in general. Although in today's technological world it would not be that much of a stretch.

Has anyone had any chat-based experience that anything more than a complete waste of time recently? (Amazon being the usual, consistent exception.)

I contact support when something is broken. There is a critical bug, or there is something down, or there is a physical defect. Every single time, it's just me getting jerked around, often times for an hour or more.

Just in the last week: an hour with Google Support with them insisting that I factory reset my phone for a hardware failure (hours of work to re-setup), or my ISP insisting that the "limits are set in the lines" and that a technician would have to come out to inspect their own modem so that they can determine why I'm being throttled to 10% of my paid speed, rather than 90% which is what I'm apparently entitled to. I hate that I have to get pushy/mean and insist that, Google, either send me a replacement or start processing a refund. I have no idea what to do with my ISP, they seem incompetent at every layer that I have any way to contact and they have a non-compete negotiated with their competition so I have no other options; their technician base had nothing to suggest and agreed with my conclusions.

I have also never had a chat experience where I didn't feel like I had to very carefully word my sentences to make myself understood, or where I wasn't waiting an exorbitant amount of time for the other side to read/reply. I can't fathom how peek-ahead would help any of these customer service experiences.

This is nothing new. When I worked for a shady video game repair company in the early 2000's, the (male) boss would play 3 (female) customer service roles and know exactly what they were typing even back in the early days before facebook.

I think customer support people who have foreign names get their names changed to more local sounding names while doing support because it makes customers feel better.

This employer was in the US talking to people in the US. He found that men are more likely to spend money/easier to work with when the customer service rep has a female name.

Before rolling out this exact feature in our own chat product we resisted doing so because of the concerns being echoed here. However, it was becoming obvious from the demands from our users that this was a make-or-break feature in a modern chat system.

After rolling it out and enjoying this for ourselves as we handle our own customer support using our own software, it's become a "why didn't we do this earlier?" type of thing.

Overall, there's already a ton of asymmetry of information when a customer contacts a support team (e.g. our product pulls in order history, subscription details, stripe transactions, etc) that streaming a text preview is really just a drop in the bucket, and it's actually a win-win for both sides since it leads to faster answers.

Also keep in mind that any questions you ask may be used to feed machine-learning systems, like chatbots, which is true for our product as well. Just something to be aware of, that I think is a fair tradeoff for better customer experiences long-term.

Disclaimer: I'm the founder of https://reamaze.com

> "why didn't we do this earlier?"

Because it's invasive.

The user consents to sending you information when they hit Send (explicit). They can remove any incorrect or unrelated information from the text box before they do so.

Especially if they paste into the text box and inadvertently paste the wrong thing (be that sensitive info or similar).

I use a chat service that has this feature on by default (for real-time chat customer support, not for general messaging), and never in the history of its usage has a person complained about it. For every 10,000 people that may not have an issue with it, 1 may have an issue about it, and with these numbers it's really up to that 1 person to guard their privacy better (disable JS, never step outside their house, etc) than to inconvenience 9,999 other people from the benefits.

The experience is all in the context, and since this is only general behavior for customer service chats (where you're expected to send everything you type and the other end is simply trying to help resolve an issue), it's not really a realistic issue in terms of privacy. I agree that if facebook messenger started doing this and showed the other person what you are typing, this would be unexpected and potentially unwanted behavior, but the likelihood of unwanted behavior in a customer support context is extremely rare.

> I use a chat service that has this feature on by default (for real-time chat customer support, not for general messaging), and never in the history of its usage has a person complained about it.

How would most people know to complain about something they don't know is happening?

> For every 10,000 people that may not have an issue with it, 1 may have an issue about it,

How many of those 10k people even know this is happening? I suspect, given the other comments here and the fact that this article exists, that it's a very small number. Try informing all 10k people first, then count how many 'may not have an issue' with it.

I use this to send messages to the agent that won't be recorded in the transcript because I delete it after typing it. Not sure if it has gotten me better results from the agents but it's fun to do.

Because I'm a fast typist, I sometimes swear at people and then delete what I have typed as a cathartic exercise if they're being annoying. I've done it since I was a teenager. It's like second nature, probably because I do it in my head too.

It's unsettling to know that a customer service agent would see that and think I'm being impolite.

Perhaps it's time for more granular Javascript blocking. Since forever it's been 'Enable Javascript yes / no'. This makes no real world sense to me anymore (if it ever did). Could there be an end-user friendly way to tell a browser to block Javascript that transmits your 'pre-submit' activity on a web site without breaking the site?

No (imo). It'll be impossible to tell that apart from legitimate usage. JS can access the input fields, garble them, and send to the server. How would you tell that apart from say, a ticker request to update real-time prices?

I agree, with current technology it seems pretty impossible to differentiate. But I do think there is hope in the field of whitelisting, things that people commonly use JS for should be slowly added to the list of native features, as long as this process has oversight we could start having more responsive sites with less JS requirements.
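An added example to make the "can you block just the pre-submit traffic" question concrete; this is not code from the thread or from any blocker or chat product. It wraps `fetch`, `XMLHttpRequest` and `navigator.sendBeacon` and flags any outbound body that contains text still sitting unsent in a form field. The matching is DOM-free so it can be exercised without a browser; the page wiring at the bottom, the field selector and the warn-only policy are assumptions. It also shows the limit the comment above points at: the check only catches verbatim, JSON-escaped, URL-encoded or base64 copies, so a page that diffs, hashes or otherwise garbles the draft before sending walks straight past it.

```javascript
// Fragments shorter than this ("a", "the") would match almost any payload.
const MIN_FRAGMENT = 4;

// Flatten whatever a request body may be into searchable text.
function bodyToString(body) {
  if (body == null) return '';
  if (typeof body === 'string') return body;
  if (typeof URLSearchParams !== 'undefined' && body instanceof URLSearchParams ||
      typeof FormData !== 'undefined' && body instanceof FormData) {
    // entries() yields decoded values, so "a+b" and "a%20b" both become "a b"
    return Array.from(body.entries()).map(([k, v]) => `${k}=${v}`).join('&');
  }
  if (body instanceof ArrayBuffer || ArrayBuffer.isView(body)) {
    return new TextDecoder().decode(body);
  }
  try { return JSON.stringify(body); } catch { return String(body); }
}

// Return the pending (not yet submitted) field values that appear in `body`.
// Plaintext, JSON-escaped, URL-encoded and base64 copies are recognised;
// anything the page transforms further (diffs, hashes, custom encodings) is not.
function findLeakedInputs(body, pendingValues) {
  const text = bodyToString(body);
  const hits = [];
  for (const raw of pendingValues) {
    const v = raw.trim();
    if (v.length < MIN_FRAGMENT) continue;
    const forms = [v, JSON.stringify(v).slice(1, -1), encodeURIComponent(v)];
    if (typeof btoa === 'function') forms.push(btoa(unescape(encodeURIComponent(v))));
    if (forms.some((f) => f.length >= MIN_FRAGMENT && text.includes(f))) hits.push(v);
  }
  return hits;
}

// Patch the three ways a page can talk to a server. `getPendingValues` returns
// the current unsent field contents; `onLeak(url, hits)` returns true to block.
function installRequestGuard(win, getPendingValues, onLeak) {
  const origFetch = win.fetch;
  if (typeof origFetch === 'function') {
    win.fetch = function (input, init) {
      const url = typeof input === 'string' ? input : (input && input.url) || '';
      const hits = findLeakedInputs(init && init.body, getPendingValues());
      if (hits.length && onLeak(url, hits)) {
        return Promise.reject(new Error('blocked: unsent input in request body'));
      }
      return origFetch.call(this, input, init);
    };
  }
  const xhr = win.XMLHttpRequest && win.XMLHttpRequest.prototype;
  if (xhr) {
    const origOpen = xhr.open, origSend = xhr.send;
    xhr.open = function (method, url, ...rest) {
      this.__guardUrl = String(url);
      return origOpen.call(this, method, url, ...rest);
    };
    xhr.send = function (body) {
      const hits = findLeakedInputs(body, getPendingValues());
      if (hits.length && onLeak(this.__guardUrl || '', hits)) return; // request never leaves
      return origSend.call(this, body);
    };
  }
  const nav = win.navigator;
  if (nav && typeof nav.sendBeacon === 'function') {
    const origBeacon = nav.sendBeacon.bind(nav);
    nav.sendBeacon = function (url, data) {
      const hits = findLeakedInputs(data, getPendingValues());
      if (hits.length && onLeak(String(url), hits)) return false;
      return origBeacon(url, data);
    };
  }
}

// Browser wiring (assumed selector): pending values are simply the current
// contents of every text field on the page.
function pendingValuesFromDom() {
  return Array.from(document.querySelectorAll('input[type=text], input:not([type]), textarea, [contenteditable]'))
    .map((el) => ('value' in el ? el.value : el.textContent) || '');
}

if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installRequestGuard(window, pendingValuesFromDom, (url, hits) => {
    console.warn('unsent input leaving the page', url, hits);
    return false; // warn only; return true to block the request
  });
}
```

Run as a user script it must execute before the page's own scripts (a content script at `document_start`), otherwise the page can keep a reference to the original `fetch`. WebSocket frames are not covered, and a page that garbles the draft first is exactly the case the comment above says you cannot tell apart from legitimate traffic.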

As I post this, every comment is "Derp if you're surprised, I mean this is how every site is. GOSH." However, you sure don't see this in the e.g. Munchery shutdown story. "90% (or whatever) of all startups fail, big whoop. Everybody with a decent understanding of business knows this."

It's not even true. This behaviour is not obvious at all. No consumer messaging application allows you to see what the other person is typing before they have sent it.

This is quite different from a consumer messaging application. It's a website's customer support chat.

But the people using it would be consumers, and they would be familiar with the way consumer messaging applications work. So it would not be obvious to most people that the person on the other end can see what they're writing.

ICQ does.

I sometimes assume this is true and use it to my advantage by typing up a scathing rebuke venting frustration, only to delete and type a respectful query. I don't know for sure, but sometimes I get goodies in the form of gift cards and such and I don't know if this is an effort to placate me or not.

You could also paste in an ebook and then delete it a few seconds later...

For privacy minded people, is there an extension that detects textareas and input boxes and overlays them with new ones and once you hit send that's when it inserts them into the real html inputs, preventing this sneak peek?

Or perhaps simply the xhr requests could be blocked.

I wonder if they can see if I've gone off to some other tab to wait while they take their time getting me an answer.

Websites have access to that information (document.visibilityState). So I wouldn't be surprised.
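An added example of the page-side half, not code from the thread or from any chat vendor: it shows how little the site needs to see both the draft and the tab switch. Three browser facilities do the work: the `input` event (fires on every keystroke and paste, unlike `change`, which waits for blur), `document.visibilityState`, and `navigator.sendBeacon`, which the browser delivers even while the tab is closing. The batching logic takes its clock and transport as parameters so it runs without a DOM; the `/draft` endpoint and the field naming are assumptions.

```javascript
class DraftStreamer {
  constructor({ send, now = () => Date.now(), minIntervalMs = 300 }) {
    this.send = send;                 // transport, e.g. sendBeacon to an assumed endpoint
    this.now = now;
    this.minIntervalMs = minIntervalMs;
    this.pending = null;              // newest snapshot not yet sent
    this.lastFlushAt = -Infinity;
  }

  // Every input event replaces the snapshot; at most one send per interval,
  // so a fast typist's intermediate states are coalesced and only the newest
  // one is transmitted.
  onInput(field, value) {
    this.pending = { kind: 'draft', field, value, ts: this.now() };
    if (this.now() - this.lastFlushAt >= this.minIntervalMs) this.flush('typing');
  }

  // Tab switch, minimise, navigation and close all produce 'hidden'; that is
  // the moment to push whatever is still sitting in the box.
  onVisibility(state) {
    this.send({ kind: 'visibility', state, ts: this.now() });
    return state === 'hidden' ? this.flush('tab-hidden') : false;
  }

  flush(reason) {
    if (!this.pending) return false;
    const payload = { ...this.pending, reason };
    this.pending = null;
    this.lastFlushAt = this.now();
    this.send(payload);
    return true;
  }
}

// Browser wiring. A capture-phase listener on document sees fields inside
// any widget that does not hide them in a closed shadow root.
function attachDraftStreamer(streamer, doc) {
  doc.addEventListener('input', (e) => {
    const el = e.target;
    if (el && typeof el.value === 'string') {
      streamer.onInput(el.name || el.id || el.tagName, el.value);
    }
  }, true);
  doc.addEventListener('visibilitychange', () => streamer.onVisibility(doc.visibilityState));
  return streamer;
}

if (typeof document !== 'undefined') {
  attachDraftStreamer(new DraftStreamer({
    // '/draft' is an assumed endpoint. sendBeacon is fire-and-forget and
    // survives page unload, which is why an abandoned form still arrives.
    send: (p) => navigator.sendBeacon('/draft', JSON.stringify(p)),
  }), document);
}
```

The `tab-hidden` flush is the part worth noticing: closing the tab without submitting is exactly the case where the draft leaves the page, because `visibilitychange` fires before unload and the beacon is queued by the browser rather than by the now-dying page.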

I can finally think of a practical reason to tell people to install Vim Anywhere! https://github.com/cknadler/vim-anywhere

I don't actually use that plugin but I have gotten the Vim keystrokes so ingrained in my brain that I've gotten in the habit of having a terminal open whenever I need to type into web forms...Now I finally have an excuse to not feel silly doing it.

How does this avoid the problem in the first place?

Because you write the message in Vim and it adds to the paste buffer, so you paste it in. Since the agents on the other end are only seeing what's in the text box they don't see the preview.

Another thing to add to my list of things that creep me out right after typing notifications I can't opt out of and Facebook supposedly storing unsent posts.

Maybe a simple blocker for this could be the next must-have extension/browser functionality. Something that doesn't send your input events until you press shift+enter.

What an amazing opportunity for trolling support staff :)

It is. But... you're actually going to want help from them, so trolling them might not be in your best interest.

A related maxim: "Never be rude to an airline gate agent."

A related related maxim: "Someone who is nice to you but rude to the waiter is not a nice person."

Or any support person for that matter. What baffles me is people who think having a terrible attitude can get them what they want. The support person either has leeway or not, and if they do, they probably will be less likely to help you if you're an asshole.

This has been the case since at least 2003... The agents also see your page history, search terms, can cobrowse with you to show you things. Anything to make them quicker and more effective is implemented.

I've stood behind a support guy and watched it, it can be hilarious when you see someone type out a horrible rant, then delete it and send thanks.

Depends on what live chat software they're using. Zendesk (one of the most commonly used live chat tools) doesn't show what users are typing in real time.

It's very rare for a live chat employee to handle only one request. Look at how popular chat apps present multiple requests within the same UI and imagine dealing with these without live streamed text:

HappyFox: https://zapier.cachefly.net/storage/photos/3fe2e4f896499b131...

Olark: https://zapier.cachefly.net/storage/photos/d53ec47e6affe26a5...

LiveChat: https://zapier.cachefly.net/storage/photos/26c01334ea7335635...

Denying support techs the extra 10-30 seconds that live streaming your typed words buys them for privacy reasons seems strange to me.

Your typed words are no more an indication of your deepest private thoughts than a phone support session full of ums and errs and “oh, actually I meant…”.

I think it's perfectly fine for them to see it live but users should be aware of it. The current behavior that everyone knows is the other end doesn't see what you type until you send it.

I think this would only slow chat sessions down.

If you make me feel self-conscious about what I'm typing, I'm going to consider each word rather than type then correct/revise and send.

On the contrary, it won’t change anything for me, because I always form the whole sentence in my mind before writing into a chat or text box (like this comment).

So, it seems there are different types of writers. That’s a small moment of enlightenment for me. :)

Probably doesn't matter that much. I expect the feature is more useful on grandma speed 1 word per minute typing.

“I broke^W^WIt broke on its own.”

I didn't know this for sure, but assumed that agents can see me typing for the sake of better response time.

I usually type my questions in a text editor first and then paste it into a service agent chat when I am sure that it is exactly what I want them to see.

Looks like I'll be typing in a text app from now on and copy-paste my replies as I go.

Why? Isn't this a good feature? It means the person can be prepared for your question or comment ahead of time.

Reminds me of a similar debate my friends had when Google Wave first came out.

But Google Wave was up front about it, and both parties can see what each other is typing.

Not only that, but "talk" on Unix had that for 20+ years before that.

Unix/Linux talk/ntalk is my favorite method of textual communications. Too bad I can only use it with a few of my friends, and only occasionally at that. We can communicate far more quickly if both can see the other's questions/answers even before they are fully typed out.

Makes sense. I didn't really think about it before, so I imagine that a few of them were surprised at my language.

I have a tendency to type if I'm pissed off and then either delete it or amend it before sending/posting.

Is there a browser extension that lets you forbid websites to intercept your keyboard and mouse keystrokes without disabling JavaScript completely?

Wouldn't pausing and resuming JavaScript have the same effect?

Many websites don't work or work quirky without JavaScript. I used to have JavaScript blocked by default and enabled on demand (using NoScript) but this felt fairly annoying. At the same time I'd estimate the number of websites that I want to capture my keystrokes or mouse right clicks as one in a thousand or near that (some games I play for some minutes a couple of times a year perhaps).
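An added example, not code from the thread, that serves the three requests made above: the "overlay the real text box" extension, the "don't send input events until Shift/Ctrl+Enter" blocker, and the "forbid keystroke interception without disabling JavaScript" question. Keystrokes land in a proxy textarea inside a closed shadow root, so page scripts can neither observe the key events nor read the draft by querying the DOM; on Ctrl+Enter the finished text is copied into the page's real field. The decision logic is a plain class so it runs without a DOM. The assumptions are: the widget's composer is a `textarea`, it sends on Enter in its own field, and a `MutationObserver` is enough to catch composers injected late.

```javascript
class DraftGate {
  constructor() { this.released = []; }   // text that actually reached the page
  // Classify a keystroke in the proxy. `value` is the proxy's current text.
  decide(key, value) {
    if (key.key === 'Enter' && (key.ctrlKey || key.metaKey)) {
      const text = value.trim();
      if (text) this.released.push(text);
      return { action: text ? 'commit' : 'swallow', text };
    }
    if (key.key === 'Escape') return { action: 'discard', text: '' };
    return { action: 'swallow', text: '' };   // stays local; plain Enter is a newline
  }
}

// Set a field's value the way a user would, so frameworks with controlled
// inputs (React and friends) notice: native setter, then a bubbling `input`.
function setFieldValue(el, text) {
  const desc = Object.getOwnPropertyDescriptor(Object.getPrototypeOf(el), 'value');
  if (desc && desc.set) desc.set.call(el, text); else el.value = text;
  el.dispatchEvent(new Event('input', { bubbles: true }));
}

// Events that would let the page see or infer the draft while it is typed.
const SWALLOWED = ['keypress', 'keyup', 'input', 'beforeinput', 'paste', 'compositionupdate'];

function gateField(real, doc) {
  const win = doc.defaultView;
  const gate = new DraftGate();
  // Closed shadow root: querySelectorAll('textarea') from page code cannot
  // reach the proxy, and events crossing the boundary are retargeted to the
  // host, so the page never gets a handle on the proxy element at all.
  const host = doc.createElement('div');
  const proxy = doc.createElement('textarea');
  proxy.rows = real.rows || 3;
  proxy.style.width = '100%';
  proxy.placeholder = 'Draft here. Ctrl+Enter sends, Esc discards.';
  host.attachShadow({ mode: 'closed' }).append(proxy);
  real.insertAdjacentElement('beforebegin', host);
  real.style.display = 'none';

  // Capture-phase listeners on window run before anything the page attached
  // to document, body or the field. Capture listeners the page added to
  // window before this script loaded would still run first (load at
  // document_start to avoid that).
  win.addEventListener('keydown', (e) => {
    if (e.target !== host) return;              // retargeted: proxy shows up as host
    const { action, text } = gate.decide(e, proxy.value);
    if (action === 'commit') {
      e.preventDefault();
      proxy.value = '';
      setFieldValue(real, text);
      // Assumption about the widget: it sends when Enter is pressed in its field.
      real.dispatchEvent(new win.KeyboardEvent('keydown', { key: 'Enter', code: 'Enter', keyCode: 13, bubbles: true }));
    } else if (action === 'discard') {
      e.preventDefault();
      proxy.value = '';
    }
    e.stopImmediatePropagation();               // no page listener sees this keystroke
  }, true);
  for (const type of SWALLOWED) {
    win.addEventListener(type, (e) => { if (e.target === host) e.stopImmediatePropagation(); }, true);
  }
  return gate;
}

// Gate every textarea now and any the chat widget injects later.
function installDraftGate(doc) {
  const gateAll = () => doc.querySelectorAll('textarea:not([data-gated])').forEach((el) => {
    el.dataset.gated = '1';
    gateField(el, doc);
  });
  gateAll();
  new doc.defaultView.MutationObserver(gateAll).observe(doc.documentElement, { childList: true, subtree: true });
}

if (typeof document !== 'undefined') installDraftGate(document);
```

The pasted-the-wrong-thing case is covered for free: the paste goes into the proxy, and Esc throws it away before anything reaches the page. What this cannot do is stop a widget from reading what it legitimately receives on commit, and a composer rendered inside the widget's own closed shadow root is invisible to the `querySelectorAll` here and would need the extension to hook `attachShadow` earlier.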

When doing support over chat it is nice to see ahead of time what they are saying to allow for a faster response.

Would be cool if one could be informed about it, though.

Imagine if on the phone, you would have to hold down a button to talk. At the end of the recording, you're given the chance to edit any mumblings, rephrase things, or start all over. If it later turned out that the other end can hear every word, that is probably surprising to the vast majority of people.

I don't have any problem with this. It highlights a lack of user education, if they expect their typed input to a website to be private.

It reminds me of the "talk" (and ytalk, ntalk) programs, where all parties can see in real-time what the others are typing. It's a cool technology that, unfortunately, is not used on the web.

> It highlights a lack of user education

Education in what? That they shouldn't trust companies because they eavesdrop on them? Please don't blame deceitful practices on the victims.

> if they expect their typed input to a website to be private.

Most chat apps work that way. Others only see what you typed once you send it. Just because the now obscure `talk` worked differently is no excuse.

The deception starts where the agents' responses are not relayed as they type! I don't see how you could explain this asymmetry in innocent terms. It clearly benefits the shop without them being open about it.

> Education in what?

Education in how the web works. That typing something into a text field, or moving the mouse, or any interactions with a website can be read on the other side. Many users expect this behaviour when they use, for example, Google search or Google Translate. If users expect their text to be private in one context, but shared in another, then there is clearly a lack of understanding of how the web works.

> Please don't blame deceitful practices on the victims.

I didn't blame anyone for anything. It's not a priori deceitful. Presumably some of the motivation is to enable faster responses to client queries.

Just because something's technically feasible does not mean we should expect it's being done by a shop we're doing business with!

Apparently we don't have the same standards as to what constitutes deceit. To me it's enough when the chat is asymmetric in that the agent's typing is not visible until they send it but the visitor's is relayed immediately to the agent. If visitors could watch the agents type they would understand that their typing is visible on the other end.

> Presumably some of the motivation is to enable faster responses to client queries.

Sure. Then why not offer the same privilege to the client? If it's so beneficial?

ICQ did that. It changes the experience significantly.

This is not a problem

That's not a very insightful comment.

Facebook can see too.

I wonder if this runs afoul of the GDPR in some way?
