I hate, hate, HATE session recording, yet it’s absolutely everywhere on websites, as well as applications.

Basically, session recording refers to, well, recording a person’s browsing session, usually including all mouse and possibly keyboard activity. Most session recording services I’ve seen literally generate a video of the user’s interactions with the web page, much like a screen recording.

The amount of data this gives the website is enormous, and enormously invasive. They can see literally everything that is showing up on your screen on a second by second basis, albeit only the parts that are displaying the website, including what content was there, where your mouse hovers, what you thought about clicking but didn’t, everything.

They quite possibly also know everything you typed, especially if it was typed into a text field. I hope you didn’t accidentally enter your username and password because thought you were switched into the other browser instance. Did you type out half a post but decided that you’d rather not have the internet know that? They have that now. Did you hit control-V but forgot that your social security number and not some mundane thing was in the clipboard? Now it’s theirs. Did you delete an image that you posted? Even assuming that the original file was deleted, it still exists in the form of session recordings.

There are also ways of fingerprinting a person’s “browsing style” by analyzing how they interact with UI elements. This can be used to identify a person, not just a browser or a computer.

Worst of all, session recording is often provided by a third party, so not only does the site itself have this data, a third party does too, possibly forever. That’s to say nothing about what happens if either company gets hacked.

Session recording is the bane of the web surfer’s existence, and there is no way to completely block it without outright disabling JavaScript. You can block the events associated with mouse and keyboard activity, but that breaks websites and they can still session record the initially visible page.

So, if you run a company that provides session recording, I just want to say: “FUCK YOU! You are ruining the internet!”

  • AgreeableLandscapeOPM
    link
    fedilink
    arrow-up
    3
    ·
    edit-2
    5 years ago

    Some session recording platforms tell you to configure it so it blanks out any “personally identifiable information”. They won’t do it for you, mind you, you have to manually configure it specifically for your site.

    Yeah, that’s like a YouTube ripping site/app telling users to “not use this for piracy and copyright infringement”. They know that it’s ignored but they have to cover their asses.