Beware Session Replay Scripts on VPN websites

One of the main reasons to use a VPN is to provide privacy while online. It may, therefore, come as something of a surprise to learn that many VPN providers not only track visitors to their websites, but share this information with extensive advertising and analytics networks.

Even more worrying is the fact that the information collected goes far beyond mere tracking. Session replay scripts have hit the headlines recently because they record every interaction a visitor makes with the website.

According to a recent report by Princeton University researchers:

These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

Even when text is typed into a form field but never submitted, session replay scripts will still record it. Alarmingly, a follow-up report found that these scripts can also leak passwords to session replay companies:

In our research we found password leaks to four different third-party analytics providers across a number of websites. The sources are numerous.

Astrill still uses a tracking script from Hotjar (above), while HideIP.me uses a confirmed session replay script from Yandex.

Protect yourself against session replay scripts

As always, it is best not to rely on others when it comes to protecting your privacy. The good news is that most ad-blocker and script-blocker browser add-ons will protect you from session replay scripts.

Most ad-blockers work from block-lists, however, so please be aware that:

Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.

I recommend using the uBlock Origin ad-blocker for Firefox with Fanboy’s Enhanced Tracking List, in combination with the EFF’s Privacy Badger add-on. Note that Privacy Badger on its own should block session replay scripts, but it works best in combination with a good ad-blocker.

Script-blockers such as uMatrix and NoScript will also work very well, although most users will find them too complex for day-to-day use.
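Because block-lists differ in which vendors they cover (the report quoted above notes that EasyList and EasyPrivacy miss FullStory, Smartlook and UserReplay), it helps to check a page yourself. The following is an added example, not code from the article or from any of the vendors or add-ons it names: it lists the `<script src>` values of a page and flags those served by the session replay vendors named in the article. The vendor hostnames are my assumptions about where each vendor serves its recorder from, and the sample URLs are constructed.

```javascript
// Added example, not code from the article or from any vendor: flag <script>
// sources served by the session replay / tracking vendors the article names.
// The hostnames are assumptions about where each vendor serves its recorder from.
const SESSION_REPLAY_VENDORS = [
  { vendor: 'Hotjar',         hosts: ['hotjar.com'] },
  { vendor: 'Yandex Metrica', hosts: ['mc.yandex.ru'] },
  { vendor: 'FullStory',      hosts: ['fullstory.com'] },
  { vendor: 'Smartlook',      hosts: ['smartlook.com'] },
  { vendor: 'UserReplay',     hosts: ['userreplay.net'] },
  { vendor: 'ClickTale',      hosts: ['clicktale.net'] },
  { vendor: 'SessionCam',     hosts: ['sessioncam.com'] },
];
// True for the vendor domain itself or any subdomain of it; a lookalike such
// as "nothotjar.com" must not match, so a plain suffix test is not enough.
function hostMatches(host, vendorHost) {
  return host === vendorHost || host.endsWith('.' + vendorHost);
}
// Given the src values of a page's <script> tags, return those served by a
// known vendor. Relative URLs resolve against pageOrigin (i.e. first party)
// and so never match; unparsable or non-http(s) values are skipped.
function findSessionReplayScripts(scriptSrcs, pageOrigin = 'https://example.invalid') {
  const hits = [];
  for (const src of scriptSrcs) {
    let url;
    try { url = new URL(src, pageOrigin); } catch (e) { continue; }
    if (url.protocol !== 'http:' && url.protocol !== 'https:') continue;
    const host = url.hostname.toLowerCase();
    for (const { vendor, hosts } of SESSION_REPLAY_VENDORS) {
      if (hosts.some(h => hostMatches(host, h))) hits.push({ vendor, src: url.href });
    }
  }
  return hits;
}
// In a browser console this reads the live page; under Node it falls back to a
// constructed sample (not captured from any real site) so the block runs offline.
function currentPageScriptSrcs() {
  if (typeof document !== 'undefined') {
    return Array.from(document.scripts).map(s => s.src).filter(Boolean);
  }
  return [
    'https://static.hotjar.com/c/hotjar-PLACEHOLDER.js', // constructed sample
    'https://mc.yandex.ru/metrika/tag.js',               // constructed sample
    '/assets/app.js',                                    // first-party, ignored
    'https://nothotjar.com/tracker.js',                  // lookalike, ignored
  ];
}
console.log(findSessionReplayScripts(currentPageScriptSrcs()));
```

Pasted into the browser console on a page you are visiting, it reports which of these vendors that page loads; an empty result only means none of the listed hostnames appeared, not that the page is tracker-free.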

Image credit: By REDPIXEL.PL/Shutterstock.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at ProPrivacy.com. Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.

9 Comments

  1. Pooter

    on May 22, 2018

    I don't have a vpn but I thought I'd install "the uBlock Origin ad-blocker for Firefox with Fanboy’s Enhanced Tracking List" to Firefox - it sort of broke your own site, with most pages just showing as text! I had PrBadger and Disconnect and HTTPS Everywhere running. One at a time I disabled Disc., Fanboy's list, the uBlock itself, re-starting FF each time, but just as bad. All other sites were fully functional, except ProPrivacy! I've restored my previous - HTTPS, Badger, Disconnect, ProPrivacy coming back, I think Badger is re-learning which is ok itself.

    1. Douglas Crawford replied to Pooter

      on May 23, 2018

      Hi Pooter, Hmm. Interesting. I also run uBlock Origin with Fanboy’s Enhanced Tracking List in Firefox (along with pretty much all the default lists!). When I visit bestvpn.com the social media buttons and YouTube videos are hidden, but everything else works ok. So maybe it isn't uBlock Origin? Anyway, Privacy Badger + Disconnect + HTTPS Everywhere should provide you with more than enough protection.

    2. Pooter replied to Pooter

      on May 23, 2018

      In Firefox I have now removed uBlock. I was still getting most of your pages only as text, then I went to preferences and cleared saved browser data - cookies, cache, and that improved things a lot, though still some text only pages. I've opened ProPrivacy in Chromium, which is a bit less strict, and it works fine. So I think the problem is in my Firefox, maybe I over-confused it yesterday with too many add-ons.

  2. Douglas Crawford

    on March 5, 2018

    Hi micheal, But using a VPN can definitely improve this situation...

  3. Casey Wrey

    on March 3, 2018

    Ironically, according to Ghostery, ProPrivacy has 5 trackers on this page: • DoubleClick • Google Dynamic Remarketing • Google Analytics • Matomo (formerly Piwik) • GA Audiences

    1. Douglas Crawford replied to Casey Wrey

      on March 5, 2018

      Hi Casey and Larry, I have raised this issue with the team and it has been tabled for discussion. In the meantime, please remember that we have always actively encouraged our readers to use ad-blocker and anti-tracking browser add-ons.

  4. Larry

    on March 3, 2018

    Privacy badger shows 11 potential trackers on this site; interesting.

