Prevent keystroke and mouse movement tracking (detect and learn to block session replay scripts like Hotjar) #715
Comments
One of the core principles of Privacy Badger is that we do not maintain a blacklist and we do not block anything by default. That said, it certainly seems like the case that Hotjar is a particularly egregious example of tracking. I would like Privacy Badger to be able to detect and block tracking of this sort. If someone was able to come up with a heuristic for detecting this I would happily add it to Privacy Badger.
I've noticed that http://www.avg.com/ uses HotJar.
Great! Now we just need to figure out how they are tracking and come up with a heuristic for it.
Here is a recently-released privacy study that looks into session-replay scripts: "No boundaries: Exfiltration of personal data by session-replay scripts". Edit: 2020 update/paper. Edit: 2022 paper.
Hotjar scripts need to bind their logging to the hooks/events the browser provides, uh? This is quite a deal, even some adblockers have those kinds of sites in the blacklist, user privacy should never have been violated.
More examples that use HotJar: https://docs.google.com/spreadsheets/d/1AgXrFNTleQosFAczyqlM04vP89VOned8930UW2xgUWc/edit#gid=0
It looks like HotJar in particular uses third-party cookies, so it will be blocked if the user visits enough sites that use it. That doesn't mean we shouldn't try to implement heuristics for these techniques too, but it might be lower-priority unless we find another culprit that won't get blocked anyway.
Probably this issue should be renamed to "Prevent fingerprinting using keystrokes timing" as stated in this article (from FSF). There already exists a Chrome extension that does this: Keyboard Privacy.
Another culprit is luckyorange (https://luckyorange.com). Clickstream data is sent via websocket to wss://visitors.live. Examples: https://www.foxbrim.com/, https://www.percona.com/
I have been looking at other similar services, and it looks like Lucky Orange is the exception in terms of not being blocked. For example, here are some other services:

- Smartlook WTM
- Contentsquare / Clicktale WTM DDG / WTM DDG

Most of them are already blocked because they use third-party cookies as well. None of them that I could find use websockets besides Lucky Orange. This list isn't exhaustive, there are other potential trackers here, but these were the ones I could find and confirm they are actually doing session-replay stuff.

Blocking Lucky Orange will be particularly difficult because WebRequest doesn't give us insight into the data sent over a websocket (https://developer.chrome.com/extensions/webRequest). It looks like there are first-party cookies being shared over the websocket, but in order to see them, we'd need to instrument the actual websocket interface using a content script (like https://github.com/gorhill/chromium-websocket-wrapper/blob/master/chromium-websocket-wrapper.js).

The other thing we could do is, like #715 (comment) says, to instrument the onKeyDown and onMouseMove listeners and try to figure out which domains are listening to them. I have not thought this through very much but imagine it would lead to a lot of false positives and be fairly hard to maintain.

All this is to say: Privacy Badger already blocks most session replay scripts, and I don't see an easy way to catch Lucky Orange with heuristics right now.

More session replay candidates for review: Ezoic DDG
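The listener instrumentation idea from the comment above, sketched as an added example (not code from this thread or from Privacy Badger): it wraps `addEventListener`, attributes each keystroke or mouse-movement listener to the script host found in the stack trace, and reports hosts outside the page's domain that listen to both. `callerHost`, `instrument`, `suspects`, `demo`, the `.example` hosts and the both-event-classes rule are assumptions made for the illustration.

```javascript
// Added example; all names here are hypothetical, inputs are constructed.
const KEY_EVENTS = new Set(["keydown", "keypress", "keyup", "input"]);
const MOUSE_EVENTS = new Set(["mousemove"]);

// Host of the first http(s) script URL in a Chrome- or Firefox-style stack.
// Assumption: the wrapper's own frames carry an extension-scheme URL.
function callerHost(stack) {
  const m = /(https?:\/\/[^\s)]+?):\d+:\d+/.exec(stack || "");
  if (!m) return null;
  try { return new URL(m[1]).hostname; } catch (e) { return null; }
}

// Wrap target.addEventListener and record, per script host, which input
// events it subscribes to. In a page, getStack is () => new Error().stack.
function instrument(target, getStack, log) {
  const original = target.addEventListener;
  target.addEventListener = function (type, ...rest) {
    const watched = KEY_EVENTS.has(type) || MOUSE_EVENTS.has(type);
    const host = watched ? callerHost(getStack()) : null;
    if (host) log.set(host, (log.get(host) || new Set()).add(type));
    return original.call(this, type, ...rest);
  };
}

// Hosts outside the page's own domain that listen to BOTH keystrokes and
// mouse movement. Suffix matching stands in for a real base-domain lookup.
function suspects(log, pageHost) {
  const out = [];
  for (const [host, types] of log) {
    if (host === pageHost || host.endsWith("." + pageHost)) continue;
    const seen = [...types];
    if (seen.some((t) => KEY_EVENTS.has(t)) &&
        seen.some((t) => MOUSE_EVENTS.has(t))) out.push(host);
  }
  return out.sort();
}

// Constructed demo: a stub document and constructed stack traces.
function demo() {
  const doc = { addEventListener() {} };
  const log = new Map();
  let stack = "";
  instrument(doc, () => stack, log);
  const register = (url, types) => {
    stack = `Error\n    at init (${url}:12:7)`;
    types.forEach((t) => doc.addEventListener(t, () => {}));
  };
  register("https://shop.example/app.js", ["keydown", "mousemove"]);
  register("https://cdn.replay.example/rec.js", ["keyup", "mousemove"]);
  register("https://widgets.example/chat.js", ["keydown"]);
  return suspects(log, "shop.example");
}
```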
FWIW, I found that on at least one site Fullstory was not blocked or even detected by Privacy Badger with Firefox 83 or 85.0b2 on macOS
Services like Hotjar should be blocked by default; at the moment Privacy Badger does not do this.
With Hotjar it is possible to record what users do on the website, not just mouse movements but keystrokes as well.
So what users type inside the site will be recorded, even though they don't submit that information. These per-user recordings can be played back on Hotjar.
Hotjar doesn't give information like IP addresses for those recordings, but if a user enters their personal details on that site, it will be recorded in those sessions. Hotjar claims that they mask out credit card and password fields. (Hotjar might still collect that information and just mask it out on the presentation side.)
I think recording these per-user recordings is a violation of privacy, and Privacy Badger should be able to detect them and block them.