Beware - Web Spying Companies Recording all User Keystrokes

by Allen Williams


A few weeks ago, I decided to have a look at one of the web visitor data recording companies out there to see what kind of information they could collect. Motherboard reports that a Princeton study revealed that over 400 companies (so far) record your every keystroke and then transmit it to a third party website.

Typical companies providing this service are FullStory, SessionCam, SmartLook, UserReplay, etc. I opted to try SmartLook simply because the ‘geniuses’ at Webnode provided a convenient widget to insert their tracking code.

It just isn’t enough today that American Intelligence agencies are spying on everyone with their Prism software, but they are partnering with major businesses and social media, like the CIA’s 600 million contract with Amazon.com for cloud access. We already know that Facebook and, until recently, Twitter provide information to the CIA. The bad news here is that all purchases through Amazon are retained on their cloud servers and the CIA will have access. You can be certain that any cloud service that your application communicates with will be available to the intelligence services as well as a host of unknown third parties because the data is NOT encrypted.

It’s far better to get the ‘mark’ to provide personalized data on him or herself to the tracking recorder, thinking that he’s browsing anonymously or at least ignored, but “…many of these companies have dashboards where clients can playback the recordings they collect. Yandex, Hotjar, and Smartlook’s dashboards run non-encrypted HTTP pages, rather than much more secure, encrypted HTTPS pages.” The biggest liability is that once the data is removed from your site all control is lost; virtually anyone could have access to this data and you’d never know.
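As an added example (not from this post, and not code from SmartLook or any other vendor named here), the following Node.js script shows what a site owner can do before pasting in a recorder widget: audit the page’s own HTML for third-party scripts, flag the ones that belong to the session-replay vendors named above, flag any that load over plain HTTP, and emit a Content-Security-Policy `script-src` that leaves them out. The hostname-matching rules, the `.example` hostnames and the sample HTML are constructed for the demonstration; the vendors’ real script hosts are not on this page and are not assumed.

```javascript
// Added example, not from the original post or any vendor: audit the <script>
// tags of a page for session-replay recorders and plain-HTTP loads, then build
// a Content-Security-Policy script-src that only allows the hosts you intend.
// Vendor names are the ones the post mentions; the lowercase keys are ASSUMED
// substrings to look for in a hostname, not the vendors' real script hosts.
const SESSION_REPLAY_VENDORS = {
  fullstory: "FullStory",
  sessioncam: "SessionCam",
  smartlook: "SmartLook",
  userreplay: "UserReplay",
  hotjar: "Hotjar",
  yandex: "Yandex",
};

// Pull every external script URL out of raw HTML. A regex is enough for an
// audit and avoids needing a DOM, so this runs offline in Node.
function extractScriptUrls(html) {
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) urls.push(m[1]);
  return urls;
}

// Classify one script URL relative to the page it is embedded in. Resolving
// against pageOrigin turns "//host/x.js" and "/x.js" into absolute URLs, so a
// protocol-relative recorder tag is judged by the scheme it will really use.
function classifyScript(rawUrl, pageOrigin) {
  const url = new URL(rawUrl, pageOrigin);
  const host = url.hostname.toLowerCase();
  const vendorKey = Object.keys(SESSION_REPLAY_VENDORS).find((k) => host.includes(k));
  return {
    url: url.href,
    host,
    firstParty: host === new URL(pageOrigin).hostname,
    plainHttp: url.protocol === "http:",
    sessionReplayVendor: vendorKey ? SESSION_REPLAY_VENDORS[vendorKey] : null,
  };
}

// Audit a page and derive a script-src directive: 'self' plus every external
// host that is neither a known recorder nor loaded over plain HTTP.
function auditPage(html, pageOrigin) {
  const selfHost = new URL(pageOrigin).hostname;
  const findings = extractScriptUrls(html).map((u) => classifyScript(u, pageOrigin));
  const allowedHosts = [...new Set(
    findings
      .filter((f) => !f.firstParty && !f.sessionReplayVendor && !f.plainHttp)
      .map((f) => f.host)
  )];
  const csp = "script-src 'self'" + allowedHosts.map((h) => ` https://${h}`).join("");
  return { findings, csp, selfHost };
}

// Constructed sample page: one first-party script, one ordinary third-party
// CDN, one session-replay recorder via a protocol-relative URL, and one
// recorder loaded over plain HTTP. All hostnames are made up.
const PAGE_ORIGIN = "https://www.example.com";
const SAMPLE_HTML = `
<html><head>
  <script src="/js/app.js"></script>
  <script src="https://cdn.example-cdn.net/lib.js"></script>
  <script src="//rec.smartlook.example/recorder.js"></script>
  <script src='http://script.hotjar.example/hotjar.js'></script>
</head><body></body></html>`;

const report = auditPage(SAMPLE_HTML, PAGE_ORIGIN);
for (const f of report.findings) {
  const tags = [];
  if (f.sessionReplayVendor) tags.push(`session-replay: ${f.sessionReplayVendor}`);
  if (f.plainHttp) tags.push("plain HTTP");
  console.log(`${f.url}${tags.length ? "  [" + tags.join(", ") + "]" : ""}`);
}
console.log(`Suggested header: Content-Security-Policy: ${report.csp}`);
```

Run it with `node audit.js` after saving the block; swap `SAMPLE_HTML` for the HTML of a page you own to audit it. The emitted `script-src` is a starting point only: a recorder that is also allowed by `connect-src` can still beacon keystrokes out, so the same allow-list discipline belongs on that directive as well.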

I was curious to find out just what could be collected by SmartLook.  However, I was surprised to find that the actual service is quite haphazard.  Either SmartLook is developing their recording software ‘on the fly’ as the saying goes or you really don’t get much on the ‘free’ side.  But upgrading the service means you’re paying to have your readers spied on.

Fortunately, the SmartLook collected data is not totally accurate or reliable, primarily because the staff is not well organized, knowledgeable or well versed in English. After adding their code to The Patriot’s header and getting nothing, I contacted SmartLook support, where a woman named Sofie informed me by email that “In one case Only in webnode premium you can add code directly to the HTML header of the whole website. In webnode free, you need to install the code in all pages you wish to track.” Anyone who is remotely conscious or understands the language knows that free websites don’t have custom registered URLs as we do, ergo, we are a premium user! So this individual is likely responding with canned phrases from the company’s data forum without any understanding of what was conveyed because they can’t communicate beyond an elementary level in English.

In another case, two different users known to me personally, one residing in Kansas and the other in Ohio, accessed our site but showed the same IP address in the data collection set. Upon questioning one of the support staff as to how this could happen, I was told that “The only explanation is that it was the same person and the two different names appeared because you have wrong code settings.” The company’s help link indicates that if you want to track a particular user, you have to type their email address directly into the tracking code, and they give an example case. The SmartLook tracking code is ‘paste-in’ and Webnode provides the widget access, so unless you can’t type an address within the two apostrophe markers, you can’t have wrong code settings unless either SmartLook or Webnode made them.

Individual email identification is no better as I have seen a whole day of data collection of 6 or more people with the same email but different IP addresses. Guess the user has multiple identities so he or she switches every couple of hours throughout the day.  The responses I’ve received from their support staff are disingenuous and you can’t really trust their assessments.

After some dickering back and forth with their support personnel to get things working the way SmartLook advertised, I indeed found that I could watch a visitor enter our site and view virtually everything he or she clicked on. This kind of information can and will be abused down the road, and it’s already happening, as “The CBS report suggests in no uncertain terms that the personal information pertaining to millions of Americans collected by one of the World’s largest ad agencies is sold to the CIA.”

Smartlook claimed their software only retained three days’ worth of data, but that’s because I wasn’t paying them to collect it. Data was collected from approximately Nov 3rd to Nov 24th, obviously more than 3 days. There was no data collected beyond Nov 24th, 2017 by their system even though I still had their code installed on the site for several more days. At first, I thought it was yet another glitch, but when nothing more was recorded, I removed the code. On Nov. 27th, all archived data subsequently disappeared from the SmartLook control panel, or at least was interred somewhere where I couldn’t access it. You can be reasonably certain that it’s still archived there even if I no longer have access to it.

UPDATE 12/12/17: Why Have You Stopped Using SmartLook?

Hi,

I have noticed you removed our code from your website. Can you tell me why you stopped using Smartlook? Just pick a letter:

A) Smartlook doesn't record my website properly
B) I don’t have time to watch the recordings / I find no added value in Smartlook
C) I just removed Smartlook temporarily - plan to use it again
D) I am missing feature X (please fill in)
E) Neither of those, let me tell you why...

I will be glad for any feedback, even if it's negative.


Best regards,


Vladimir Sandera
cofounder, optimist
Smartlook


I received this correspondence from one of the SmartLook co-founders in early December after removing their code from our header.  Why was this an issue? Could it be that they wanted me to leave the code installed to keep recording visitor data whether or not I chose to use it?


Update 1/24/2018

“We're excited to tell you we're migrating all our data to more powerful cloud service (AWS)! Your account included. The process is time-intensive, but we're working hard to complete the migration by the end of next week.

While the long-term benefits will be great, we wanted to let you know you might experience a few bumps and minor interruptions along the way. (Might.)

The good news:

  • AWS provides us with more safety, stability, and speed
  • Your data will be better serviced and stored securely
  • Smartlook features will run faster
  • This migration is a lot of work, and we appreciate your patience during the next few days while we finish up”

Your Smartlook Team

Long-term benefits for whom? This move simply presents more opportunities for data to be accessed by more persons unknown, as it’s unlikely that Smartlook’s new AWS storage is any more secure than Yahoo, which experienced a major hack.

I recommend readers give serious consideration to a good ad blocker: “If you want to block session replay scripts, popular ad-blocking tool AdBlock Plus will now protect you against all of the ones documented in the Princeton study.”