How Websites Secretly Record Your Activity With Session Replay Scripts

James Frew 12-01-2018

The internet is the world’s greatest surveillance tool.


Or at least that’s how it often feels. We’ve always known that we’re being watched online, but many of us thought it was just to sell us more. Post-Snowden it became clear that governments and companies around the world use every last drop of data they can find in order to surveil and profile us.

The NSA wants to know every digital move we make. Amazon and Google are installing surveillance devices in our homes. Facebook wants to profile and commodify our lives. Now there is another thing to add to the ever-expanding list. Hundreds of websites want to know everything we type, even if we don’t submit it to them.

Somebody’s Watching Me

Amazon, Facebook, and Google have all trained us to expect that if we search for something, it’ll be magically recommended to us in an ad. Web tracking is often used in order to build up a profile of the sites we visit, what our interests are, and most importantly, how they can manipulate us into spending more. We are often distrustful of this type of tracking — especially since the companies that build profiles of us can’t be trusted with that information.

Tracking is often done for a more mundane reason, though: analytics. Website developers want to offer you a useful, error-free site. To do that they need data to show what works and what doesn’t.

UX questions like “When do users click that button?” and “How long do readers spend on our site?” can be answered through analytics. Analytics firms angling for business are keen to prove their worth by how much data they can capture. In a quest to improve their data capturing prowess, the industry created Session Replay Scripts.


Session Replay Scripts

Traditional analytics works with aggregates so website owners can see how many clicks there were on a specific area of the site, for instance. However, it doesn’t show how that click was made, how long it took, or what the user’s behavior was before the click. Session replay scripts allow the analytics firms to dive into individual browsing sessions. Purportedly this is to improve the customer experience, but the data collected often exceeds reasonable expectations.

Session replay scripts are similar to screen recordings. The website can see everything you do from mouse movements, to the words that you type. Unfortunately, this also includes what you type but choose not to submit. Consider how often you’ve typed something into a search box, thought twice about it, and promptly deleted the text. Session replay scripts mean that the website would have already captured your now-deleted and never submitted text.

So, What’s the Problem?

You may be wondering how you’ve never heard of this invasive tracking before. That would be because the firms that deploy session replays have chosen not to inform you. It’s an attitude that suggests that they realize that people may not be comfortable with the level of data captured.

There is no obvious sign that a given website is using session replays — so how do you know which are? Researchers from Princeton’s Center for Information Technology Policy (CITP) analyzed the Alexa Top 1 Million websites for evidence of session recordings.



They found that nearly 100,000 websites (or 10 percent of the Alexa Top 1 Million) contained scripts which enable session recordings. That’s not to say that every single one of those sites performs the tracking — each site has the ability to disable the session recordings. However, the process of disabling the service is fairly complex with most analytics providers, and so it is quite possible that session replays are being recorded.

From those that had capable analytics scripts, the researchers were able to produce evidence that close to 10,000 were actively engaging in session replay recordings. Counted in that list were some big names including Microsoft, Walgreens, Intel, and the Australian government.

How to Protect Yourself

Analytics in itself isn’t inherently bad. Arguably it is thanks to analytics that we have fast, responsive modern websites that work seamlessly across multiple devices. One of the major concerns with session replay scripts is that you have no awareness that you are being tracked. Imagine how unsettled you’d feel to wake up one day to discover security cameras dotted around your home. Failing to disclose their presence implies that the scripts, and the data they record, may be used for nefarious purposes.


Image Credit: Steven Englehardt via Freedom-To-Tinker

This is particularly troubling for websites where you have to enter confidential information like credit card numbers and passwords, which are captured in plain text by the session replays. This further complicates matters as your confidential information is now handled by multiple companies, who may not secure it as they would other sensitive information. The companies behind the tracking would likely claim that the use of this data is covered in their privacy policy.

However, it is unreasonable and unrealistic to expect a visitor to read the website’s privacy policy, find the site’s analytics firm, and read their privacy policy too. Of course, being unreasonable doesn’t prevent these firms from operating in a morally ambiguous manner.
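
For site owners, the plain-text capture of passwords and card numbers described above can be limited by scrubbing field values before any recording layer sees them. The following is an added example, not code from this article or from any analytics vendor; the event shape, the function names and the sample values are hypothetical and constructed for illustration.

```javascript
// Added example: scrub sensitive values from input events before any
// recording layer sees them. Event shape and names are hypothetical.

// Luhn checksum: true for digit strings that validate as card numbers.
function passesLuhn(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// Mask 13-19 digit runs (spaces or dashes allowed) that pass the Luhn check.
function maskCardNumbers(text) {
  return text.replace(/\b\d(?:[ -]?\d){12,18}\b/g, (match) =>
    passesLuhn(match.replace(/[ -]/g, "")) ? "[card redacted]" : match
  );
}

// Standard HTML autocomplete tokens that mark credentials or card data.
const SENSITIVE_TOKEN = /^(cc-.+|current-password|new-password|one-time-code)$/;

// Return the only form of a field value that may leave the page.
function redactInputEvent(event) {
  const tokens = (event.autocomplete || "").toLowerCase().split(/\s+/);
  const sensitive =
    event.type === "password" || tokens.some((t) => SENSITIVE_TOKEN.test(t));
  return {
    field: event.name,
    value: sensitive ? "[redacted]" : maskCardNumbers(event.value),
  };
}

// Constructed sample events; the first has a card number typed into a search box.
const sampleEvents = [
  { name: "q", type: "text", autocomplete: "", value: "pay with 4111 1111 1111 1111 ok" },
  { name: "pw", type: "password", autocomplete: "current-password", value: "hunter2" },
  { name: "card", type: "text", autocomplete: "billing cc-number", value: "4111111111111111" },
  { name: "ref", type: "text", autocomplete: "", value: "order 1234567890123456" },
];
console.log(sampleEvents.map(redactInputEvent));
```

The free-text check matters because, as noted earlier, visitors type things into fields such as search boxes that were never meant to hold card data, so field-type rules alone miss them.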

So, how do you protect yourself? Sadly, in most instances you won’t be able to.


Session replay scripts come in two forms: client-side and server-side. The client-side scripts can be blocked by ad-blockers and tracking prevention add-ins. Server-side scripts cannot be blocked, but are unable to perform full recordings. The most common approach is a hybrid between the two, where even blocking client-side scripts won’t prevent the recordings.

Ultimately, the best protection is to be aware that session replay exists, and to be wary of what you type anywhere on the internet.

Peak Surveillance

Session replay scripts expose what we previously believed to be private information held only in our browsers. Unfortunately, it’s far from the only information our browsers leak about us. The currency of the digital economy is data, providing an incentive for every company to vacuum up as much information as they can about you. Remain cautious with your data, and be sure to read the privacy policy — as tedious as that may be. Taking precautions and maintaining good cyber hygiene are your best defences against abuse of your data.

While the prevalence of session replays is troubling, it should be put into perspective. There is currently no evidence that data has been compromised by this practice. Equally, there are legitimate reasons for using session replays that will allow website owners to continue to make the internet easier to use — even if their end goal is to just make you spend more money.

How do you feel about the companies that spy on your typing? Do you think the internet is a huge surveillance tool? Or do you think the fear is overblown? Let us know in the comments!

Related topics: Online Privacy, Surveillance.


  1. isse
    January 23, 2018 at 5:01 pm

    Do these recorded sessions apply only to the site I visit, or would it also record anything I did on another tab, such as searching a competitor or responding to an email?

    • James Frew
      January 23, 2018 at 9:58 pm

      AFAIK it should only be the websites that have deployed the scripts. So it shouldn't affect other tabs.

  2. VS
    January 16, 2018 at 7:20 pm

    Excellent article - Tx.
    So, if I were to paste information into a field on a web page would that information show up in their replay? Or would the Ctrl-V show up?

    • James Frew
      January 17, 2018 at 1:31 am

      It would be the content you pasted. I liken it to someone standing behind you, watching your screen. Anything they could see on your browser, the session replay can capture.

  3. JG
    January 15, 2018 at 2:43 am

    Analytics are a fact of use of the internet, and I agree, help with development. Even with additions to privacy policies, the idea of website owners and companies implementing and using these scripts is, in my opinion, unethical. There are enough tools already for data collection on individuals. At the least, the information of possible session recording should be included in the pop-ups/banners of cookie notices. Users should be allowed to opt-out of session recording.

    • James Frew
      January 17, 2018 at 1:32 am

      Couldn't agree more.

  4. dragonmouth
    January 12, 2018 at 7:56 pm

    What is the difference between session replay scripts and Keyloggers?!

    • James Frew
      January 12, 2018 at 9:21 pm

      A keylogger is usually installed locally on your computer and can monitor everything you type across multiple applications. The script replays are only available in the browser and are more like screen recordings that happen to capture what you type.

      • dragonmouth
        January 12, 2018 at 9:40 pm

        However, essentially they perform the same task - they record your activity. It may only be a matter of degree. :-)