Many VPNs promise to protect your privacy and security – but what if their websites were recording your every move and sending the data to third-party servers?
Recently news broke that some of the world’s most popular websites are recording:
- all your keystrokes;
- mouse movements;
- scrolling behavior;
- any content you type into forms (credit cards, passwords, addresses, etc.), even if the form is not submitted;
- and the content of the page itself, with this information being automatically transmitted to third-party servers.
Essentially, these tracking scripts are acting like a surveillance camera – literally recording every move you make as you browse the website.
Before we disclose the VPN offenders, let’s put this into perspective.
Many websites use Google Analytics, or other tracking software, which helps to optimize the content of the site. This is standard practice, even though it is not ideal. However, when a team of researchers from Princeton examined these session recording scripts, they uncovered a whole new level of tracking and corporate surveillance.
With just a few “session replay” scripts added to the code, websites can easily record your every move. Here is a session replay script (FullStory) in action:
Session recording in action.
Now let’s examine the problems this creates…
What could possibly go wrong?
This obviously creates privacy and security risks for the end-user, who is unknowingly transmitting personal data – potentially sensitive data – to third-party servers.
The research report summarized the following risks:
Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third-party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes.
With your private data sitting on third-party servers, this creates further long-term problems, as discussed in the report:
Finally, the study’s authors are worried that session script companies could be vulnerable to targeted hacks, especially because they’re likely high-value targets. For example, many of these companies have dashboards where clients can play back the recordings they collect. But Yandex, Hotjar, and Smartlook’s dashboards run non-encrypted HTTP pages, rather than much more secure, encrypted HTTPS pages.
It’s also important to note that some of these companies do provide redaction tools. In theory, these tools would exclude sensitive data from being recorded and stored on third-party servers. However, the researchers found that this is often not the case.
As discussed in the report:
Passwords are often accidentally included in recordings, despite that the scripts are designed to exclude them. The researchers found that other personal information was also often not redacted, or only redacted partially, at least with some of the scripts.
Cause for alarm – So not only are the tracking scripts recording your every move, the redaction tools that are supposed to protect sensitive data do not always work properly.
Do you want to have your data erased from these third-party servers?
There’s no opt out – but you can block these scripts, which we will cover further below.
The researchers have released the data here, which includes about 97,000 websites that “embed scripts from analytics providers that offer session recording services”. They examined only seven of the most popular session recording scripts. Therefore, the study is by no means exhaustive, especially when considering the broad expansion in the field of online tracking.
When you examine the CSV file, you will find the following VPN providers and the session recording scripts that were found on their websites.
Note: since the report was first published earlier this month, most of the VPNs have removed the session recording scripts from their websites. However, with some providers, the scripts are still in use:
Still in use?
VPN services are promising to protect users’ privacy, while at the same time utilizing session recording scripts, which violates that privacy.
Third-party data sharing – Another obvious contradiction here is that many of these VPNs also claim to not share data with third parties. Yet, by default these scripts are designed to record everything and send the data to third-party servers.
No Warning – This is also problematic because users often need to access the VPN website and members area, such as when downloading software, getting support, or renewing a subscription. Unfortunately, it does not appear that these sites are issuing any kind of warning, such as:
“WARNING – Everything you do is being recorded and sent to third-party servers. There is no way to opt out.”
Tracking and data collection is a very large and growing business. Given that there are thousands of websites hosting these scripts, and no effective way to opt out, the only solution left is to block them.
The original article claimed that Adblock Plus will block all of the session recording scripts identified in the study. Another browser add-on that should effectively block these scripts from running is NoScript. And finally, uBlock Origin should work as well.
Another solution is to utilize a VPN ad-blocker that filters these scripts and domains at the VPN server level. I tested the TrackStop feature from Perfect Privacy and found it to effectively block the “hotjar” and “inspectlet” scripts cited above.
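To check whether a page you rely on still loads one of these scripts, you can audit its HTML for script tags and inline loaders that point at session-replay vendors. The following is an added example, not code from the study or from any provider; the domain list is an assumption based on the vendors named in this article, and the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed domain list for vendors the article names; not from the study's data.
REPLAY_DOMAINS = {"hotjar.com": "Hotjar", "inspectlet.com": "Inspectlet",
                  "fullstory.com": "FullStory", "smartlook.com": "Smartlook",
                  "mc.yandex.ru": "Yandex"}
HOST_TOKEN = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+")

def provider_for(host):
    """Vendor if host is a listed domain or a subdomain of one (label-boundary match)."""
    host = host.lower().rstrip(".")
    for domain, vendor in REPLAY_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return vendor
    return None  # look-alikes such as hotjar.com.cdn.example end up here

class ReplayScriptAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = set()      # (vendor, "external" | "inline")
        self._in_script = False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src") or ""
            vendor = provider_for(urlparse(src).hostname or "")
            if vendor:
                self.findings.add((vendor, "external"))
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        # Inline loaders build the script URL at run time; scan for hostnames.
        if self._in_script:
            for token in HOST_TOKEN.findall(data.lower()):
                if provider_for(token):
                    self.findings.add((provider_for(token), "inline"))

def audit(html):
    auditor = ReplayScriptAuditor()
    auditor.feed(html)
    auditor.close()
    return sorted(auditor.findings)

# Constructed sample page: one external tag, one inline loader, one look-alike.
SAMPLE_PAGE = """<html><head><script src="/js/app.js"></script>
<script src="//cdn.inspectlet.com/inspectlet.js"></script>
<script>(function(h,o,t,j){})(window,document,'https://static.hotjar.com/c/hotjar-','.js');</script>
<script src="https://hotjar.com.cdn.example/lib.js"></script>
</head><body><p>Unrelated text mentioning fullstory.com</p></body></html>"""
```

A static audit like this only sees scripts present in the HTML it is given; scripts injected later by a tag manager need a check of the network requests the page makes.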
Update December 4, 2017 – SaferVPN has removed the “inspectlet” script from their website.