The Dark Side of 'Replay Sessions' That Record Your Every Move Online

Behind many consumer websites, software companies track users' moves, potentially exposing personal information such as medical conditions or prescription-drug use.
Researchers say software companies are “looking over your shoulder,” watching every keystroke and mouse movement as you navigate certain websites. Photo: Frank Augugliaro

When internet users visit Walgreens.com, a software company may record every keystroke, mouse movement, and scroll, potentially exposing medical conditions such as alcohol dependence, or the names of drugs a user has been prescribed, according to Princeton researchers.

Companies like Walgreens deploy these analytics software providers to see how people use their website or to identify broken or confusing web pages. The analytics companies place “scripts” on their clients’ websites that record individual browsing sessions for later viewing or a “replay session.”

In effect, the researchers say, software companies are “looking over your shoulder” as you navigate certain websites. The extent of the data collected “far exceeds user expectations,” including recording what you type into a text box before you submit it, “all without any visual indication to the user,” according to a study released Wednesday.

In response to questions from WIRED, Walgreens said Wednesday it would stop sharing data with the software company FullStory. “We take the protection of our customers’ data very seriously and are investigating the claims made in the article that was published earlier today,” Walgreens said in a statement. “As we look into the concerns that were raised, and out of an abundance of caution, we have stopped sharing data with FullStory.” A Walgreens spokesperson said FullStory’s software “essentially has an ‘on/off’ switch,” which the retailer has now turned off.

On Thursday a second retailer said that it, too, had stopped working with FullStory in light of the study's findings. Bonobos, a men's clothing retailer owned by Walmart, said in a statement, "We eliminated data sharing with FullStory in order to evaluate our protocols and operations with respect to their service. We are continually assessing and strengthening systems and processes in order to protect our customers’ data." The Princeton researchers had found that FullStory captured credit-card details, including the cardholder’s name and billing address, the card’s number, expiration, and security code on Bonobos' website.

FullStory is among a group of seven “session replay” companies examined by the Princeton researchers. Analytics software that measures mouse movements or keystrokes has been around for years, says Steven Englehardt, one of the authors of the study. But the technology has typically been used to track groups of users, such as the parts of a web page where visitors linger the longest. The researchers found that FullStory and the other companies are now tracking users individually, sometimes by name.

Other customers listed on FullStory’s website include Zocdoc, Shopify, CareerBuilder, SeatGeek, Wix.com, Digital Ocean, DonorsChoose.org, and more. Digital Ocean said in a tweet that it blocks FullStory from viewing any form fields, and anonymizes any data it makes available to FullStory. FullStory did not respond to a request for comment.

The replay companies offer tools to help clients redact sensitive information both manually and automatically, but the researchers found that the process was often inadequate. The study found that Walgreens made “extensive use of manual redaction,” yet FullStory still gained access to some personal information.
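To make concrete what the paragraphs above describe (scripts that serialize every keystroke before a form is submitted, and redaction that relies on the site operator listing fields to hide), here is an added illustration that is not code from the article, from FullStory, or from any replay vendor's SDK. It models captured input events as plain objects, contrasts a blocklist ("manual") redaction with a default-deny masking policy, and runs a Luhn check over what would leave the browser to flag card-number-shaped values. The field names, the event shape, and the sample values are constructed for this example; the card number is the widely used 4111 test value, not a real card.

```javascript
// Added example: model of replay-recorder input capture and two redaction policies.
// Event shape, field names and values below are constructed, not from any real SDK.

// One captured input event, as a recorder might serialize it before upload.
function makeEvent(field, type, value) {
  return { field, type, value };
}

// Constructed sample session: a search box plus a checkout form.
const SAMPLE_EVENTS = [
  makeEvent("search", "text", "allergy medication"),
  makeEvent("rx_drug_name", "text", "naltrexone"),
  makeEvent("cc_name", "text", "Jane Q. Sample"),
  makeEvent("cc_number", "text", "4111 1111 1111 1111"),
  makeEvent("cc_cvv", "text", "123"),
  makeEvent("account_password", "password", "hunter2"),
];

// Blocklist ("manual") redaction: the operator names fields to hide.
// Any field the operator forgot to list is sent in the clear.
const MANUAL_BLOCKLIST = ["account_password", "cc_cvv"];
function redactManual(event, blocklist) {
  return blocklist.includes(event.field) ? { ...event, value: "[redacted]" } : event;
}

// Default-deny masking: every value is masked unless the field is allow-listed,
// and input types that carry credentials or contact data are never allowed.
// A fixed token is used so the mask does not leak the value's length.
const ALLOWLIST = ["search"];
const NEVER_ALLOW_TYPES = new Set(["password", "email", "tel"]);
function redactDefaultDeny(event, allowlist) {
  const allowed = allowlist.includes(event.field) && !NEVER_ALLOW_TYPES.has(event.type);
  return allowed ? event : { ...event, value: "[masked]" };
}

// Luhn checksum over a digit string of plausible card length.
function luhnValid(digits) {
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]); // walk from the right
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// Verification step a site operator can run on the outbound event stream:
// returns the names of fields whose value still looks like a card number.
function findLeakedCardNumbers(events) {
  return events
    .filter((e) => luhnValid(e.value.replace(/[\s-]/g, "")))
    .map((e) => e.field);
}

// Apply each policy to the constructed session and report what would leak.
function compareRedactionPolicies(events) {
  const manual = events.map((e) => redactManual(e, MANUAL_BLOCKLIST));
  const defaultDeny = events.map((e) => redactDefaultDeny(e, ALLOWLIST));
  return {
    manualLeaks: findLeakedCardNumbers(manual),
    defaultDenyLeaks: findLeakedCardNumbers(defaultDeny),
    manualClearTextFields: manual.filter((e) => e.value !== "[redacted]").map((e) => e.field),
    defaultDenyClearTextFields: defaultDeny.filter((e) => e.value !== "[masked]").map((e) => e.field),
  };
}

console.log(JSON.stringify(compareRedactionPolicies(SAMPLE_EVENTS), null, 2));
```

Run with `node`, the blocklist policy leaves the prescription name, cardholder name and card number in the clear because nobody listed them, while the default-deny policy sends only the allow-listed search text. The Luhn scan is a cheap pre-upload check, not a substitute for masking: it catches card numbers but not drug names or addresses, which is exactly why the allow-list direction matters.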

To gather data, Englehardt said researchers signed up for accounts on Walgreens and other sites. At Walgreens, they added prescription and health information, recording all the network traffic. They later analyzed the network traffic to see if the information they entered appeared in the session recording.

The researchers examined the 50,000 most-visited websites, according to Alexa. They found 482 sites that were sharing information about individuals with one or more of the seven replay companies. Englehardt said the percentage of sites leaking information to the software companies was likely higher, because the software companies track only a sample of visits to a given website.

While “keylogging” software has been around for a while, the practices highlighted in the new Princeton study are “by far the most pernicious” examples of capturing user information, says Ashkan Soltani, a security and privacy researcher and former chief technologist for the Federal Trade Commission. “Capturing [the text typed into] every form field is a level of detail that I have not seen historically.”

“I don’t think most users realize that when they interact with a website that their information about that visit is being shared with 40 to 100 third parties,” Soltani says. Those companies typically record only that a user has visited a page, he adds, but in these cases they are capturing “not only that I visited that page, but also what content I submitted.”

One of the software companies identified by the study is Yandex, Russia’s largest search engine. Englehardt said the researchers did not examine whether Yandex’s tracking might have been part of state-sponsored surveillance. But he said that Yandex was most often used on Russian websites.

Englehardt said he and his colleagues plan to release additional studies examining data-collection practices by software companies that track web users.

UPDATE, Nov. 17, 2:20 PM: This article has been updated to include Bonobos' statement that it suspended work with FullStory, and Digital Ocean's statement that it blocks FullStory from viewing any fields.