
Beware Session Replay Scripts on VPN websites

One of the main reasons to use a VPN is to provide privacy while online. It may, therefore, come as something of a surprise to learn that many VPNs not only track visitors to their websites, but share this information with extensive advertising and analytics networks.

Even more worrying is the fact that the information collected goes far beyond mere tracking. Session replay scripts have hit the headlines recently because they record every interaction a visitor makes with the website.

According to a recent report by Princeton University researchers:

These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

Even when text is inputted into a text field but not sent, session replay scripts will still record the data. Alarmingly, a follow-up report found that these scripts can also leak passwords to session replay companies:

In our research we found password leaks to four different third-party analytics providers across a number of websites. The sources are numerous.

Astrill still uses a tracking script from Hotjar (above), while uses a confirmed session replay script from Yandex.

Protect yourself against session replay scripts

As always, it is best not to rely on others when it comes to protecting your privacy. The good news is that most ad-blocker and script-blocker browser add-ons will protect you from session replay scripts.

Ad-blockers mostly work using block-lists, however, so do please be aware that:

Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.

I recommend using the uBlock Origin ad-blocker for Firefox with Fanboy’s Enhanced Tracking List, in combination with the EFF’s Privacy Badger add-on. Note that Privacy Badger on its own should block session replay scripts, but it works best in combination with a good ad-blocker.

Script-blockers such as uMatrix and NoScript will also work very well, although most users will find them too complex for day-to-day use.
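Because block-list coverage differs from one session replay vendor to the next, it is worth checking what your own lists actually cover. The following is an added example, not code from ProPrivacy or the Princeton researchers: it parses domain rules in Adblock Plus filter syntax and reports coverage per vendor. The vendor hostnames and the sample list are assumptions constructed for illustration.

```javascript
// Hostnames are assumptions about where each vendor serves its recording script.
const REPLAY_HOSTS = {
  FullStory: "fullstory.com",
  Hotjar: "static.hotjar.com",
  Yandex: "mc.yandex.ru",
  Smartlook: "rec.smartlook.com",
};

// Constructed sample in Adblock Plus filter syntax (not a copy of any real list).
const SAMPLE_LIST = `
! Title: constructed sample
||hotjar.com^$third-party
||mc.yandex.ru^
@@||fullstory.com^$domain=example.org
example.com##.ad-banner
/smartlook-banner.png
`;

// Collect domains from "||domain^" rules; "@@" marks an exception. Options after "$" are ignored.
function parseDomainRules(listText) {
  const block = new Set(), allow = new Set();
  for (const raw of listText.split("\n")) {
    const line = raw.trim();
    if (!line || line.startsWith("!") || line.startsWith("[")) continue; // comment or header
    if (line.includes("##") || line.includes("#@#")) continue;           // cosmetic rule
    const isException = line.startsWith("@@");
    const m = /^\|\|([a-z0-9.-]+)\^/i.exec(isException ? line.slice(2) : line);
    if (m) (isException ? allow : block).add(m[1].toLowerCase());
  }
  return { block, allow };
}

// "||domain^" matches the domain and all of its subdomains.
function matchesAny(host, domains) {
  const labels = host.toLowerCase().split(".");
  return labels.slice(0, -1).some((_, i) => domains.has(labels.slice(i).join(".")));
}

// "excepted" means an exception rule exists for the host; inspect its options by hand.
function auditCoverage(listText, hosts = REPLAY_HOSTS) {
  const { block, allow } = parseDomainRules(listText);
  const report = {};
  for (const [vendor, host] of Object.entries(hosts)) {
    if (matchesAny(host, allow)) report[vendor] = "excepted";
    else report[vendor] = matchesAny(host, block) ? "blocked" : "not covered";
  }
  return report;
}

console.log(auditCoverage(SAMPLE_LIST));
```

Pass it the text of the lists your blocker subscribes to, and adjust `REPLAY_HOSTS` to the script hosts you see in your browser's network panel.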

Image credit: By REDPIXEL.PL/Shutterstock.

Written by: Douglas Crawford

Has worked for almost six years as senior staff writer and resident tech and VPN industry expert at Widely quoted on issues relating to cybersecurity and digital privacy in the UK national press (The Independent & Daily Mail Online) and international technology publications such as Ars Technica.


on May 22, 2018
I don't have a vpn but I thought I'd install "the uBlock Origin ad-blocker for Firefox with Fanboy’s Enhanced Tracking List" to Firefox - it sort of broke your own site, with most pages just showing as text! I had PrBadger and Disconnect and HTTPS Everywhere running. One at a time I disabled Disc., Fanboy's list, the uBlock itself, re-starting FF each time, but just as bad. All other sites were fully functional, except ProPrivacy! I've restored my previous - HTTPS, Badger, Disconnect, ProPrivacy coming back, I think Badger is re-learning which is ok itself.
Douglas Crawford replied to Pooter
on May 23, 2018
Hi Pooter, Hmm. Interesting. I also run uBlock Origin with Fanboy’s Enhanced Tracking List in Firefox (along with pretty much all the default lists!). When I visit the social media buttons and YouTube videos are hidden, but everything else works ok. So maybe it isn't uBlock Origin? Anyway, Privacy Badger + Disconnect + HTTPS Everywhere should provide you with more than enough protection.
Pooter replied to Pooter
on May 23, 2018
In Firefox I have now removed uBlock. I was still getting most of your pages only as text, then I went to preferences and cleared saved browser data - cookies, cache, and that improved things a lot, though still some text only pages. I've opened ProPrivacy in Chromium, which is a bit less strict, and it works fine. So I think the problem is in my Firefox, maybe I over-confused it yesterday with too many add-ons.
Douglas Crawford
on March 5, 2018
Hi micheal, But using a VPN can definitely improve this situation...
Casey Wrey
on March 3, 2018
Ironically, according to Ghostery, ProPrivacy has 5 trackers on this page: • DoubleClick • Google Dynamic Remarketing • Google Analytics • Matomo (formerly Piwik) • GA Audiences
Douglas Crawford replied to Casey Wrey
on March 5, 2018
Hi Casey and Larry, I have raised this issue with the team and it has been tabled for discussion. In the meantime, please remember that we have always actively encouraged our readers to use ad-blocker and anti-tracking browser add-ons.
on March 3, 2018
Privacy badger shows 11 potential trackers on this site; interesting.
