Some web sites are now utilizing behavior analysis scripts to track your every move on their sites. While Google Analytics and others provide web site owners a general overview of visitors and their behaviors, this new technology is designed to track every mouse click, keystroke, and scroll you make while visiting their sites.
The “intentional” use is to help store owners better understand the weaknesses in their site design. For instance, if there is a button that says, “Click Here for 20% Off”, and no one is clicking on it, there is likely a design issue with the page. It could also reveal, what part of the page is viewed, and for how long, and if users are starting to fill out forms, but then stopped for some reason.
There are several issues with the technology, much of which involves human interaction with the data, that creates a real security and privacy risk for you. Researchers are finding that password fields for instance, which are supposed to be hidden from the recordings, often fail to be obscured due to varying web technologies such as responsive designs. Other personal information that is also supposed to be hidden from the web site owners, also failed to be obscured consistently.
In addition to personal and sensitive information being show to the subscribers of these services, some of the service providers deliver “playback” of these sessions over http (unsecure web pages) even when the original site was using https (SSL encrypted pages). This opens up the potential for the information to be exploited in transit between the service provider, and the subscriber.
Some of the service providers that offer this technology to business web sites are, Clicktale, Yandex, FullStory, Hotjar, UserReplay, Smartlook, and Session Cam. Out of these providers Clicktale seems to offer the most secure, and privacy respecting options. All of their policies are in fact, ISO 27001 compliant.
For our customers, we recommend that javascript be completely disabled in your web browser. One of the reasons that we recommend Google Chrome is that javascript is disabled by default. However, you can turn it on for individual sites as needed. My only concern is that you do have the option of enabling it for all sites, on pretty much any browser including Chrome, and some may have done that rather than trying to enter only the necessary web site into the exclusion list.
If you are concerned about this technology, or need to know how to disable Javascript in your web browser, give us a call at: 859-200-0428, or submit a support ticket at: http://support.isafecomplete.com/
