Web analytics companies offer "replay sessions" that let corporations watch every click and keystroke for individual users

The "replay sessions" captured by surveillance-oriented "analytics" companies like FullStory allow their customers -- "Walgreens, Zocdoc, Shopify, CareerBuilder, SeatGeek, Wix.com, Digital Ocean, DonorsChoose.org, and more" -- to watch everything you do when you're on their webpages -- every move of the mouse, every keystroke (even keystrokes you delete before submitting), and more, all attached to your real name, stored indefinitely, and shared widely with many, many "partners."

Analytics companies have long tracked this kind of data in aggregate, offering web publishers insight into which parts of their pages attract users' attention and where users went wrong. But now companies are going granular, capturing and sharing sensitive data like the medications you search for and your credit card, Social Security and other data.

Some adblockers and anti-tracking plugins block these scripts, which is another vote in favor of their use.

While “keylogging” software has been around for a while, the practices highlighted in the new Princeton study are “by far the most pernicious” examples of capturing user information, says Ashkan Soltani, a security and privacy researcher and former chief technologist for the Federal Trade Commission. “Capturing [the text typed into] every form field is a level of detail that I have not seen historically.”

“I don’t think most users realize that when they interact with a website that their information about that visit is being shared with 40 to 100 third parties,” Soltani says. Those companies typically record only that a user has visited a page, he adds, but in these cases they are capturing “not only that I visited that page, but also what content I submitted.”

One of the software companies identified by the study is Yandex, Russia’s largest search engine. Englehardt said the researchers did not examine whether Yandex’s tracking might have been part of state-sponsored surveillance. But he said that Yandex was most often used on Russian websites.

No boundaries: Exfiltration of personal data by session-replay scripts [Steven Englehardt, Gunes Acar, and Arvind Narayanan/Freedom to Tinker]