Wednesday, March 28, 2018

Over 400 Popular Sites Record Every Keystroke, Claims Princeton Study

https://gadgets.ndtv.com/internet/news/over-400-popular-sites-record-every-keystroke-claims-princeton-study-1778117

Researchers at Princeton's Center for Information Technology Policy (CITP) claim that over 400 of the world's top 50,000 websites use 'session replay scripts' to track user behaviour. While this in itself may not be that disconcerting, the researchers add that these sites often do not strip personally identifiable user information from the behaviour data they glean, potentially giving hackers access to a trove of personal data sometimes even including passwords, should this data be exposed.

Detailing their findings last week in the first of several posts about online privacy, CITP researchers Steve Englehart, Gunes Acar, and Arvind Narayan said they looked at seven of the top session replay companies, which provide session replay scripts and frameworks to websites. These were, namely, Clicktale, FullStory, Hotjar, SessionCam, Smartlook, UserReplay, and Yandex. To scrutinise what data was collected and how the collection took place, the researchers set up test pages with session replay scripts from six of the above-mentioned companies. They were also able to estimate the number of popular sites that use such scripts.

The researchers claim that at least 482 of the world's top 50,000 websites use session replay scripts, and that this number may be on the lower side as the scripts don't record the actions of every user that visits, throwing off the researchers' detection rate. Researchers have compiled a full list of the script-using websites they found. Getting to the bit about why this business practice can backfire on users, researchers say a host of information usually ends up being collected during each session, some of which can be linked to personally identifiable data.

"Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details, and other personal information displayed on a page to leak to the third-party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes," the CITP researchers explain.

Some session replay script providers - like SessionCam and UserReplay - don't collect user data at all, instead tracking clicks, and almost all provide a dashboard with automatic and manual redaction tools to remove user data. However, there remain a few problems with this approach, as some user data still usually ends up being collected due to the sheer volume making manual scrubbing infeasible, while content displayed on screen is always collected. This last is especially worrying, as oftentimes even sites with other user data redaction methods in place will end up collecting all displayed content - which in the case of Walgreens contained user names, medical conditions, and prescriptions.

Finally, while websites hosting session replay scripts may themselves be protected by the encrypted HTTPS protocol, the session replay dashboards may use the vulnerable HTTP, like those provided by Hotjar, Smartlook, and Yandex, the CITP researchers noted. HTTP would allow attackers to use man-in-the-middle attacks to get access to the user data as it is transmitted to third-party servers. Yandex in a statement to Motherboard responded to the claims, and said, "HTTP is used intentionally, as session recordings load websites using iframe. Unfortunately, loading HTTP content from HTTPS websites is prohibited on the browser level so HTTP player is required to support HTTP websites for this feature."

Among the sites that use session replay scripts, major names include Bonobos and Fidelity, apart from the already named Walgreens. After the publication of the CITP study last week, Bonobos told Wired it has ended data sharing with FullStory and was reviewing its protocols to better protect user data. A Fidelity spokesperson told Motherboard that the protection of customer data was its highest priority, but didn't clarify if it would stop using such scripts. Walgreens took the same tack as Bonobos, and said it had in an "abundance of caution" stopped sharing data with FullStory while it investigated the claims.

The study notes that ad-blocking lists and tracking protection services like EasyList and EasyPrivacy do provide some measure of safety, but do not block everything. Motherboard reports that Adblock Plus has been updated post the publication of the CITP study to block all named scripts

No comments:

INFORMATION & STATISTICS

Your browser will also display a padlock icon to let you know a site is secure.

Your account was recently logged into from an unrecognized browser or device. Was this you?

is-your-smart-device-spying-on-you ?

TOP 500 WEBSITES--POPULARITY

ONLINE ACTIVITIES FOR DIFFERENT AGE-GROUPS

WHO IS SPYING ON ME ? FACEBOOK AND GOOGLE ???

do not track

tracking

carbon foot prints

visitors

where do my visitors come from

spying--PRIVACY IS RIGHT

spy wares

phishing

ad targeting browsing behaviors

browsing behavioral or history

web master

hackers --taking control of your computer

Over 400 Popular Sites Record Every Keystroke, Claims Princeton Study

We noticed a recent login for your account.

If this wasn’t you:

Your account may have been compromised and you should take a few steps to make sure your account is secure. To start, reset your password now.

By continuing to use the website,

you agree to our Use of Cookies.

THE INTERNET HAS TRUST ISSUES !

PRIVACY POLICY

For each visitor to our Web page, our Web server automatically recognizes only the consumer's IP address, but not the e-mail address.

We collect e-mail address of those who purchase from us and from those who opt-in to our e-mail list. The information we collect is used by us to contact consumers for marketing purposes. If you do not want to receive e-mail from us in the future, please let us know by sending an e-mail to peter@protectionbay.com.

With respect to cookies: We use cookies to record session information, such as items that consumers add to their shopping cart.

If you supply us with your telephone number we will only contact you if we have questions regarding an order you have placed on-line.

We do not share your information with anyone. This includes your e-mail address.

With respect to security: We always use industry-standard encryption technologies when transferring and receiving consumer data exchanged with our site.

We have appropriate security measures in place in our physical facilities to protect against the loss, misuse or alteration of information that we have collected from you at our site.

If you feel that this site is not following its stated information policy, you may contact us at the above addresses or phone number.

Computer Purchasing

Our Recommended Computer Specifications

Currently, ITS recommends that faculty, staff and students request the following specifications when buying new personal computers:

When ordering from the HP store ITS recommends purchasing from the EliteBook series for Laptops and from the EliteDesk series for Desktops. When purchasing from the Apple store ITS recommends purchasing from the MacBook Pro series for Laptops and from the Mac mini for Desktops.

Processor - dual core 2.4 GHz+ (i5 or i7 series Intel processor or equivalent AMD)
RAM - 16 GB
Hard Drive - 256 GB or larger solid state hard drive
Graphics Card - any with DisplayPort/HDMI or DVI support - desktop only
Wireless (for laptops) - 802.11ac (WPA2 support required)
Monitor - 23" widescreen LCD with DisplayPort/HDMI or DVI support - desktop only
Operating System - Windows 10 Home or Professional editions, or Apple OS X 10.12.3
Warranty - 3 year warranty - desktop only
Warranty - 4 year warranty with accidental damage protection - laptop only
Backup Device - External hard drive and/or USB Flash Drive
Please note: The extended warranties listed above must be added at the enhancement page when selecting your hardware for purchase.

Minimum Specifications

The current minimum computer specifications to ensure the ability to run the basic software most end users operate is:

Processor - dual core @ 2.4 GHz (i5 or i7 Intel processor or equivalent AMD)
RAM - 8 GB
Hard Drive - 320 GB 5400 RPM hard drive
Wireless (for laptops) - 802.11g/n (WPA2 support required)
Monitor - 19" LCD - desktop only
Operating System - Windows 7 with Service Pack 1 or Apple OS X 10.11
Backup Device - External hard drive and/or USB Flash Drive

Other Specifications

The majority of Clark's computing resources and backend systems are built on the Windows platform. Support is available for Apple's OS X operating system, but we currently do not provide support for the Windows operating system on an Apple computer. Since the choice between an Apple and a Windows system is usually a personal preference, we recommend that you come to campus with which ever operating system you are most comfortable with. If you have no preference, ITS recommends you contact the ITS Help Desk (helpdesk@clarku.edu) for purchasing advise. If you are coming to Clark with a particular program of study in mind, you may want to check with your academic department to see if they have a preferred computing platform.

flight

Wednesday, March 28, 2018