Made this post on /r/ChangeMyView: https://old.reddit.com/r/changemyview/comments/mzxttk/cmv_session_recording_is_an_evil_tracking/?

I’ve posted about this on Lemmy before, so if the wording seem familiar to you, you probably saw a post just like this one.

I’ve been using a JavaScript event blocker, and it’s staggering just how many websites use session recording, most commonly evident by their use of the mousemove JavaScript event, even when the website has absolutely no visible elements that would need mouse tracking. It’s everywhere in mobile and desktop apps too, and with the added bonus of not being able to block any of it!

Basically, session recording refers to, well, recording a person’s internet browsing session, usually including all mouse and possibly keyboard activity. Most session recording services I’ve seen literally generate a video of the user’s interactions with the web page, much like a screen recording.

Here is a demo from one of those companies, Mouseflow: https://mouseflow.com/demo/

You go on the site, scroll up and down, move your mouse, click a few dummy buttons, fill in some text fields, and then get a literal video of everything you did. Keep in mind that there is no delete button on that video if you do try it though, and anyone with the link can access them. Shows how scummy these companies are.

The amount of data this gives the website is enormous, and enormously invasive. They can see literally everything that is showing up on your screen on a second by second basis, albeit only the parts that are displaying the website, including what content was there, where your mouse hovers, what you thought about clicking but didn’t, everything.

They quite possibly also know everything you typed, especially if it was typed into a text field. I hope you didn’t accidentally enter your username and password for another site because thought you were switched into the other tab. Did you type out half a post but decided that you’d rather not have the internet know that? They have that now. Did you hit control-V but forgot that your social security number and not some mundane thing was in the clipboard? Now it’s theirs. Did you delete an image that you posted? Even assuming that the original file was deleted, it still exists in the form of session recordings.

There are also ways of fingerprinting a person’s “browsing style” by analyzing how they interact with UI elements. This can be used to extremely reliably identify a person, not just a browser or a computer.

Worst of all, session recording is often provided by a third party, so not only does the site itself have this data, a third party does too, possibly forever. That’s to say nothing about what happens if either company gets hacked.

Session recording is the bane of the web surfer’s existence, and there is no way to completely block it without outright disabling JavaScript. You can block the events associated with mouse and keyboard activity, but that breaks websites and they can still session record the initially visible page.

I’d be less hateful of this tech (though still NOT fully accepting) if every single website made absolutely sure that no personally identifiable information was captured (like if the recordings showed mouse movements on a page with only dummy content in place of real user generated content), the recordings anonymized, and were truly deleted after a set time, oh and no keylogging, just mouse movements. But that’s not happening, ever, so it’s a moot point. Some session recording platforms do tell you to configure it so it blanks out any “personally identifiable information”. They won’t do it for you, mind you, you have to manually configure it specifically for your site. Yeah, that’s like a YouTube ripping site/app telling users to “not use this for piracy and copyright infringement”. They know that it’s ignored but they have to cover their asses.