More Than 400 of the World’s Most Popular Websites Try to Record Your Every Keystroke

This is significant work done by Princeton researchers. It’s honestly a pretty damning indictment of the world’s most visited websites.

Most people who’ve spent time on the internet have some understanding that many websites log their visits and keep record of what pages they’ve looked at. When you search for a pair of shoes on a retailer’s site for example, it records that you were interested in them. The next day, you see an advertisement for the same pair on Instagram or another social media site.

The idea of websites tracking users isn’t new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled “No Boundaries,” three researchers from Princeton’s Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world’s most popular websites track your every keystroke and then send that information to a third-party server.

Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered is still recorded, according to the researchers’ findings. If you accidentally paste something into a form that was copied to your clipboard, it’s also recorded. Facebook users were outraged in 2013 when it was discovered that the social network was doing something similar with status updates—it recorded what users typed, even if they never ended up posting it.

These scripts, or bits of code that websites run, are called “session replay” scripts. Session replay scripts are used by companies to gain insight into how their customers are using their sites and to identify confusing webpages. But the scripts don’t just aggregate general statistics, they record and are capable of playing back individual browsing sessions. The scripts don’t run on every page, but are often placed on pages where users input sensitive information, like passwords and medical conditions.

[…]

Most troubling is that the information session replay scripts collect can’t “reasonably be expected to be kept anonymous,” according to the researchers. Some of the companies that provide this software, like FullStory, design tracking scripts that even allow website owners to link the recordings they gather to a user’s real identity. On the backend, companies can see that a user is connected to a specific email or name. FullStory did not return a request for comment.

[…]

Companies that sell replay scripts do offer a number of redaction tools that allow websites to exclude sensitive content from recordings, and some even explicitly forbid the collection of user data. Still, the use of session replay scripts by so many of the world’s most popular websites has serious privacy implications.

“Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details, and other personal information displayed on a page to leak to the third-party as part of the recording,” the researchers wrote in their post.

Passwords are often accidentally included in recordings, even though the scripts are designed to exclude them. The researchers found that other personal information was also often not redacted, or only redacted partially, at least with some of the scripts. Two of the companies, UserReplay and SessionCam, block all user inputs by default (they just track where users are clicking), which is a far safer approach.

[…]

Finally, the study’s authors are worried that session script companies could be vulnerable to targeted hacks, especially because they’re likely high-value targets. For example, many of these companies have dashboards where clients can play back the recordings they collect.

[…]

It’s not just session scripts that are following you around the internet. A study published earlier this year found that nearly half of the world’s 1,000 most popular websites use the same tracking software to monitor your behavior in various ways.

If you want to block session replay scripts, popular ad-blocking tool AdBlock Plus will now protect you against all of the ones documented in the Princeton study. AdBlock Plus formerly only protected against some, but has now been updated to block all as a result of the researchers’ work.
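The gap between redacting selected fields and blocking all inputs by default, as described above, shown as an added example (not code from the researchers or from any vendor named here). The form fields, the denylist pattern and every value are constructed for illustration.

```javascript
// Constructed sample form state; names and values are invented for illustration.
const FIELDS = [
  { name: "password",  type: "password", value: "constructed-pass-1",    sensitive: true },
  { name: "card_no",   type: "text",     value: "4111111111111111",      sensitive: true },
  { name: "diagnosis", type: "text",     value: "constructed condition", sensitive: true },
  { name: "pay_ref",   type: "text",     value: "4111111111111111",      sensitive: true },
  { name: "search",    type: "text",     value: "running shoes",         sensitive: false },
];

const MASK = "****";

// Policy A: record every input except those matching a denylist
// (password-type fields plus names matching a hypothetical pattern).
function recordWithDenylist(fields, namePattern) {
  const out = {};
  for (const f of fields) {
    const blocked = f.type === "password" || namePattern.test(f.name);
    out[f.name] = blocked ? MASK : f.value;
  }
  return out;
}

// Policy B: mask every input unless the site owner explicitly allowlists it.
function recordMaskByDefault(fields, allowlist) {
  const allowed = new Set(allowlist);
  const out = {};
  for (const f of fields) {
    out[f.name] = allowed.has(f.name) ? f.value : MASK;
  }
  return out;
}

// Audit helper: which sensitive fields appear unmasked in a recording?
function leakedFields(fields, recording) {
  return fields
    .filter((f) => f.sensitive && recording[f.name] === f.value)
    .map((f) => f.name);
}

const denylistLeaks = leakedFields(FIELDS, recordWithDenylist(FIELDS, /card|cvv|ssn/i));
const defaultLeaks = leakedFields(FIELDS, recordMaskByDefault(FIELDS, ["search"]));
console.log("denylist leaks:", denylistLeaks);
console.log("mask-by-default leaks:", defaultLeaks);
```

The denylist only protects fields someone anticipated, so a free-text field or an unexpectedly named one passes through; masking by default fails closed.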

Facebook Asks Australian Users for Nude Photos to “Combat Revenge Porn”

I see this effort by Facebook as doing much more harm than good, and it provides me with another justified reason for being against Facebook and having never used it personally. This Facebook effort doesn’t stop revenge porn in general, as other sites besides Facebook could be used against victims to post revenge porn.

Facebook is asking users to send the company their nude photos in an effort to tackle revenge porn, in an attempt to give some control back to victims of this type of abuse.

Individuals who have shared intimate, nude or sexual images with partners and are worried that the partner (or ex-partner) might distribute them without their consent can use Messenger to send the images to be “hashed”. This means that the company converts the image into a unique digital fingerprint that can be used to identify and block any attempts to re-upload that same image.

Facebook is piloting the technology in Australia in partnership with a government agency headed up by the e-safety commissioner, Julie Inman Grant, who told ABC it would allow victims of “image-based abuse” to take action before pictures were posted to Facebook, Instagram or Messenger.

What is especially troubling is that Facebook employees will have to review uncensored nude photos as part of the process. That opens up another avenue of potential abuse against victims.

According to a Facebook spokesperson, Facebook workers will have to review full, uncensored versions of nude images first, volunteered by the user, to determine if malicious posts by other users qualify as revenge porn.

Disturbing: Amazon’s Echo Spot is a sneaky way to get a camera into your bedroom

The Amazon Echo Spot is a new level of invasiveness against consumers. Succinctly explained, it’s a new extreme in the exploitation of personal data.

Echo Spot feels like the real push to get cameras inside your smart home. It’s more than just an alarm clock, but Amazon is definitely pushing this as a $130 device that will sit next to your bed. Promotional materials show it sitting on nightstands, providing a selection of clock faces and news / weather information. The privacy concerns are obvious: an always-listening (for a keyword) microphone in your bedroom, and a camera pointing at your bed.

From an article I linked to a month ago:

Amazon is going to show the industry how to monitor more moments: by making corporate surveillance as deeply embedded in our physical environment as it is in our virtual one. Silicon Valley already earns vast sums of money from watching what we do online. Soon it’ll earn even more money from watching what we do offline.

[…]

Surveillance can transform any physical space into a data mine. And the most data-rich environment, the one that contains the densest concentration of insights into who you are, is your home.

That’s why Amazon has aggressively promoted the Echo, a small speaker that offers a Siri-like voice-activated assistant called Alexa. Alexa can tell you the weather, read you the news, make you a to-do list, and perform any number of other tasks. It is a very good listener. It faithfully records your interactions and transmits them back to Amazon for analysis. In fact, it may be listening not only to your interactions, but to absolutely everything.

Putting a listening device in your living room is an excellent way for Amazon to learn more about you. Another is conducting aerial surveillance of your house. In late July, Amazon obtained a patent for drones that spy on people’s homes as they make deliveries. An example included in Amazon’s patent filing is roof repair: the drone that drops a package on your doorstep might notice your roof is falling apart, and that observation could result in a recommendation for a repair service. Amazon is still testing its delivery drones. But if and when they start flying, it’s safe to assume they’ll be scraping data from the outside of our homes as diligently as the Echo does from the inside.

It’s becoming more clear why the concerns about Big Tech are rising among more people. These companies are too powerful already, and too much concentrated power results in corrosive corruption.

Article on Tinder’s Data Collection

A woman recently wrote in The Guardian about seeing the personal information that Tinder had stored about her. It’s an insight into how a lot of Internet-based corporations are collecting data too.

The dating app has 800 pages of information on me, and probably on you too if you are also one of its 50 million users. In March I asked Tinder to grant me access to my personal data. Every European citizen is allowed to do so under EU data protection law, yet very few actually do, according to Tinder.

With the help of privacy activist Paul-Olivier Dehaye from personaldata.io and human rights lawyer Ravi Naik, I emailed Tinder requesting my personal data and got back way more than I bargained for.

“I am horrified but absolutely not surprised by this amount of data,” said Olivier Keyes, a data scientist at the University of Washington. “Every app you use regularly on your phone owns the same [kinds of information]. Facebook has thousands of pages about you!”

As I flicked through page after page of my data I felt guilty. I was amazed by how much information I was voluntarily disclosing: from locations, interests and jobs, to pictures, music tastes and what I liked to eat. But I quickly realised I wasn’t the only one. A July 2017 study revealed Tinder users are excessively willing to disclose information without realising it.

“You are lured into giving away all this information,” says Luke Stark, a digital technology sociologist at Dartmouth University. “Apps such as Tinder are taking advantage of a simple emotional phenomenon; we can’t feel data. This is why seeing everything printed strikes you. We are physical creatures. We need materiality.”

Reading through the 1,700 Tinder messages I’ve sent since 2013, I took a trip into my hopes, fears, sexual preferences and deepest secrets. Tinder knows me so well. It knows the real, inglorious version of me who copy-pasted the same joke to match 567, 568, and 569; who exchanged compulsively with 16 different people simultaneously one New Year’s Day, and then ghosted 16 of them.

[…]

What will happen if this treasure trove of data gets hacked, is made public or simply bought by another company? I can almost feel the shame I would experience. The thought that, before sending me these 800 pages, someone at Tinder might have read them already makes me cringe.