One of the main reasons to use a VPN is to provide privacy while online. It may, therefore, come as something of a surprise to learn that many VPNs not only track visitors to their websites, but share this information with extensive advertising and analytics networks.
Even more worrying is the fact that the information collected goes far beyond mere tracking. Session replay scripts have hit the headlines recently because they record every interaction a visitor makes with the website.
According to a recent report by Princeton University researchers:
“These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.”
Session replay scripts record text as soon as it is typed into a field, even if the form is never submitted. Alarmingly, a follow-up report found that these scripts can also leak passwords to session replay companies:
“In our research we found password leaks to four different third-party analytics providers across a number of websites. The sources are numerous.”
Astrill still uses a tracking script from Hotjar (above), while HideIP.me uses a confirmed session replay script from Yandex.
Protect yourself against session replay scripts
As always, it is best not to rely on others when it comes to protecting your privacy. The good news is that most ad-blocker and script-blocker browser add-ons will protect you from session replay scripts.
Ad-blockers mostly work using block-lists, however, so please be aware that:
“Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.”
I recommend using the uBlock Origin ad-blocker for Firefox with Fanboy’s Enhanced Tracking List, in combination with the EFF’s Privacy Badger add-on. Note that Privacy Badger on its own should block session replay scripts, but it works best in combination with a good ad-blocker.
Script-blockers such as uMatrix and NoScript will also work very well, although most users will find them too complex for day-to-day use.
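To check a page yourself, the following added example (not code from the original article or from any blocker project) lists the session replay vendors a page's script tags load and flags those the quoted report says EasyList and EasyPrivacy did not block. The vendor hostnames, the `auditPage` helper and the sample HTML are assumptions made for illustration.

```javascript
// Added example: audit a page's <script src> hosts against session replay vendors.
// Vendor hostnames are assumptions for illustration; coverage flags follow the quoted report.
const VENDORS = [
  { name: "Yandex",     domain: "mc.yandex.ru",   easyPrivacy: true },
  { name: "Hotjar",     domain: "hotjar.com",     easyPrivacy: true },
  { name: "ClickTale",  domain: "clicktale.net",  easyPrivacy: true },
  { name: "SessionCam", domain: "sessioncam.com", easyPrivacy: true },
  { name: "FullStory",  domain: "fullstory.com",  easyPrivacy: false },
  { name: "Smartlook",  domain: "smartlook.com",  easyPrivacy: false },
  { name: "UserReplay", domain: "userreplay.net", easyPrivacy: false },
];

// Match on a label boundary so "nothotjar.com" is not mistaken for "hotjar.com".
function matchesDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Collect the unique hostnames of external scripts, resolving relative and "//" URLs.
function scriptHosts(html, pageUrl) {
  const hosts = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  for (const m of html.matchAll(re)) {
    try {
      hosts.add(new URL(m[1], pageUrl).hostname.toLowerCase());
    } catch {
      // Malformed src value: nothing to resolve, skip it.
    }
  }
  return [...hosts];
}

// Report each vendor script and whether a custom filter rule is needed to block it.
function auditPage(html, pageUrl) {
  const findings = [];
  for (const host of scriptHosts(html, pageUrl)) {
    const v = VENDORS.find((x) => matchesDomain(host, x.domain));
    if (v) findings.push({ vendor: v.name, host, needsCustomRule: !v.easyPrivacy });
  }
  return findings;
}

// Constructed sample page, not taken from any real site.
const SAMPLE_HTML = `
<script src="//static.hotjar.com/c/hotjar-0.js"></script>
<script src="https://edge.fullstory.com/s/fs.js"></script>
<script src="https://cdn.nothotjar.com/x.js"></script>
<script src="/js/app.js"></script>
`;
console.log(auditPage(SAMPLE_HTML, "https://vpn.example/"));
```

A scan of static HTML misses scripts that an inline loader snippet injects at runtime, so treat an empty result as inconclusive and confirm in the browser's network panel.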
Image credit: By REDPIXEL.PL/Shutterstock.