Researchers at Princeton University found that over 1,200 websites, including Riot Games, Dota 2 Russia, and Nintendo, are using tracking technology to record what you do on their site.
These websites are using two different methods of recording. The researchers found these by analyzing seven services that record user data, then using bots to visit these sites and see if they had the analytics script embedded.
The first, and most invasive, method is called session replay (or session recording). It tracks everything the user does—every single keystroke a user inputs, including passwords and other sensitive information. Of the 1,200 sites, 482 use this method.
“These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers,” researchers said in a blog post. “Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.”
Among the 482 websites that use session replay are two video game companies, Dota 2’s Russian site and Nintendo. Internet service provider Comcast also uses this tracking method. The researchers noted that just because a website on their list does not have this tag “does not mean that recordings don’t occur, simply that we don’t know if they do.” They also specified that website developers who have this script embedded may choose to “not enable session recording functionality,” and therefore session recordings might not always occur, as they choose a sample of users.
The second method of tracking is labeled “analytics scripts exist” in Princeton’s study. Essentially, sites with this code track which of their pages you visit and the searches you make on their website. At least 13 gaming-related sites are included in this study, such as riotgames.com, leagueoflegends.com, leagueoflegends.co.kr, lolesports.com, xbox.com, minecraft.net, kinguin.net, g2a.com, wargaming.net, worldofwarships.eu, the controversial skin-betting sites csgolounge.com and dota2lounge.com, and media site gosugamers.net. Many big-name companies, such as Intel, Costco, and Adobe, use these more common analytics scripts to track users.
“This data can’t reasonably be expected to be kept anonymous,” researchers said. “In fact, some companies allow publishers to explicitly link recordings to a user’s real identity.”
H/T BBC News | Saira Mueller contributed to this report