Website owners can monitor your every scroll and click

As avid internet users, we are all aware of technology companies tracking our browsing habits to target ads. However, did you know that retailers and tech giants alike are also monitoring your digital body language aka mouse moves and clicks?

In some ways, the information is useful for website owners. Users visit sites, click here and there, and allow the websites to perform actions based on the input.

The protocol is also helpful for e-commerce owners. For example, a few visitors simultaneously put a bunch of stuff in their shopping carts but abandon the purchase due to some ‘technical’ glitch during the checkout process. Analyzing the user’s behavior during the ‘problematic’ session helps website owners and marketers make modifications that make purchasing easy for the customer.

On the other hand, the tactic makes many users feel like someone is standing above their shoulders and recording their every move. Unfortunately, they are!

Session replay

Websites are using a feature called the session replay (also known as Heatmap) that tracks every move you make on a website and runs it in a video format. This is done by third-party integration and of course – without the user’s consent.

One such leading service is called FullStory that is being used by top sites including TeeSpring, Zillow, and Jane. Other third-party session replay services include LogRocket and Inspectlet. These services claim to have partnered with Airbnb, Shopify, ABC, eBay, and Reddit to facilitate user’s tracking.

A quick experiment conducted by Eric Ravenscraft about FullStory shows that the session replay script recorded more than just a list of links the user clicked. In fact, after analyzing the service, Ravenscraft saw that FullStory even recorded when users shook their mouse or ‘rage/repeated click’ out of sheer frustration.


As we mentioned above, the data may be helpful in some ways as they allow website owners to analyze user’s behavior with various pages and links. However, the question regarding user’s privacy arises as most users are not aware they are sharing their browsing details with a third-party along with the respective website.

What about passwords?

The biggest concern with the third-party tracking system was the use of passwords, credit card information, and other sensitive data. According to the FullStory guidelines, the company does not want to see any confidential information in their script. However, they also acknowledge that they can come across passwords and bank account numbers if website owners fail to hide them or mark them secure.

Eric Ravenscraft also tested out the same and saw that FullStory did hide passwords from their recordings when the data was entered in a properly coded box. However, when the same password was simply added in a basic text field, it was indeed visible in the session replay provided by FullStory.

Although, some ad-blockers are starting to block session replays through their system. However, it is very unlikely that the protocol would stop completely. In fact, researchers from Princeton’s Center for Information Technology Policy (CITP) claims that most of the popular websites are affiliated with a session replay companies. This includes Lenovo, Microsoft, Michael Kors, Kaspersky, GoDaddy, Udemy, Souk, and Grammarly.



Read next: Global Tech Consultancy Urges Companies to Protect User Privacy or Face the Consequences
Previous Post Next Post