I hate, hate, HATE session recording, yet it’s absolutely everywhere on websites, as well as applications.

Basically, session recording refers to, well, recording a person’s browsing session, usually including all mouse and possibly keyboard activity. Most session recording services I’ve seen literally generate a video of the user’s interactions with the web page, much like a screen recording.

The amount of data this gives the website is enormous, and enormously invasive. They can see literally everything that is showing up on your screen on a second by second basis, albeit only the parts that are displaying the website, including what content was there, where your mouse hovers, what you thought about clicking but didn’t, everything.

They quite possibly also know everything you typed, especially if it was typed into a text field. I hope you didn’t accidentally enter your username and password because you thought you were switched into the other browser instance. Did you type out half a post but decided that you’d rather not have the internet know that? They have that now. Did you hit control-V but forgot that your social security number and not some mundane thing was in the clipboard? Now it’s theirs. Did you delete an image that you posted? Even assuming that the original file was deleted, it still exists in the form of session recordings.

There are also ways of fingerprinting a person’s “browsing style” by analyzing how they interact with UI elements. This can be used to identify a person, not just a browser or a computer.

Worst of all, session recording is often provided by a third party, so not only does the site itself have this data, a third party does too, possibly forever. That’s to say nothing about what happens if either company gets hacked.

Session recording is the bane of the web surfer’s existence, and there is no way to completely block it without outright disabling JavaScript. You can block the events associated with mouse and keyboard activity, but that breaks websites and they can still session record the initially visible page.

So, if you run a company that provides session recording, I just want to say: “FUCK YOU! You are ruining the internet!”

  • wraptile · ↑3 · 5 years ago

    > Basically, session recording refers to, well, recording a person’s browsing session, usually including all mouse and keyboard activity. Most session recording services I’ve seen literally generate a video of the user’s interactions with the web page, much like a screen recording.

    Could you point at such services?

    AFAIK, a browser session usually refers to a cookie session. Various web applications use session storage to store parameter configurations and other various states. This storage is also extremely limited and often wouldn’t even store anything but references to the server database.

    I’ve heard of fingerprinting and tracking but session recording seems awfully complex for the same results you’d get from the former.

    • AgreeableLandscapeOPM · ↑3 · edited · 5 years ago

      > Could you point at such services?

      Here is a demo from one of those companies, Mouseflow: https://mouseflow.com/demo/

      You go on the site, scroll up and down, move your mouse, click a few dummy buttons, and then get a literal video of everything you did. Keep in mind that there is no delete button on that video if you do try it though, and anyone with the link can access them. Shows how scummy these companies are.

      • wraptile · ↑3 · 5 years ago

        Fortunately it’s being blocked by every ad block on my machine, but it is truly disgusting. Another reason why JavaScript is a mistake - why on earth would it need such access? I’m struggling with coming up with legitimate uses for this.

        • AgreeableLandscapeOPM · ↑2 · 5 years ago

          > I’m struggling with coming up with legitimate uses for this.

          I think it’s supposed to be an insight into how users behave on the site and how intuitive it is, but it’s far too invasive to deserve to exist.

          • wraptile · ↑2 · 5 years ago

            As someone who worked on similar QA issues - that’s way too much but I definitely see how this would be useful. Outsource QA to the userbase! It’s definitely too far though, like by a long margin.

            • AgreeableLandscapeOPM · ↑1 · edited · 5 years ago

              I’d be less hateful of this tech (though still NOT fully accepting) if every single website made absolutely sure that no personally identifiable information was captured (like if the recordings showed mouse movements on a page with only dummy content in place of real user generated content), the recordings anonymized, and were truly deleted after a set time, oh and no keylogging, just mouse movements.

              Unfortunately, that’s not happening, ever, so it’s a moot point.
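
Added example, not part of the thread and not any vendor's code: a recorder-side filter that enforces the constraints listed in the last comment (mouse events only, dummy content in place of real content, no identifiers, fixed retention). The event and snapshot shapes, the field names and the 30-day retention value are assumptions made for this illustration.

```javascript
// Constructed sample of what an unfiltered recorder might capture.
const SAMPLE = {
  userId: "u-1001", recordedAt: 1000000,
  snapshot: { tag: "form", attrs: { id: "login" }, children: [
    { tag: "label", text: "Jane Doe" },
    { tag: "input", attrs: { class: "f", value: "hunter2" } } ] },
  events: [
    { type: "mousemove", t: 5000, x: 10, y: 20, targetText: "Jane Doe" },
    { type: "keydown", t: 5100, key: "h" },
    { type: "paste", t: 5200, data: "123-45-6789" },
    { type: "click", t: 5300, x: 12, y: 22 } ],
};
const ALLOWED_TYPES = new Set(["mousemove", "click", "scroll"]); // no key/input/paste
const LAYOUT_ATTRS = new Set(["id", "class"]);  // value, src, href are dropped
const RETENTION_MS = 30 * 24 * 3600 * 1000;     // assumed retention period

// Keep whitespace so the layout survives; replace everything else.
const maskText = (text) => text.replace(/\S/g, "x");

// Copy a DOM-like snapshot with text masked and content-bearing attributes removed.
function maskSnapshot(node) {
  const attrs = {};
  for (const [k, v] of Object.entries(node.attrs || {})) {
    if (LAYOUT_ATTRS.has(k)) attrs[k] = v;
  }
  return { tag: node.tag, text: maskText(node.text || ""), attrs,
           children: (node.children || []).map(maskSnapshot) };
}

// Allow-list: only event type, relative time and numeric coordinates are copied.
function sanitizeEvent(ev, t0) {
  if (!ALLOWED_TYPES.has(ev.type)) return null;
  const out = { type: ev.type, t: ev.t - t0 };
  for (const k of ["x", "y"]) if (typeof ev[k] === "number") out[k] = ev[k];
  return out;
}

// The result carries no userId; expiresAt drives deletion.
function sanitizeRecording(rec) {
  const t0 = rec.events.length ? rec.events[0].t : 0;
  return {
    snapshot: maskSnapshot(rec.snapshot),
    events: rec.events.map((e) => sanitizeEvent(e, t0)).filter(Boolean),
    expiresAt: rec.recordedAt + RETENTION_MS,
  };
}

// Run periodically against the store: anything at or past expiry is removed.
const purgeExpired = (recordings, now) => recordings.filter((r) => r.expiresAt > now);
```

The filter is an allow-list on purpose: fields and event types a recorder adds later are dropped unless someone explicitly permits them.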