Understanding Session Replay Scripts – a Guide for Privacy Professionals

Over the last few months, privacy researchers at Princeton University’s Center for Information Technology Policy (CITP) have published the results of ongoing research demonstrating that many website operators are using third-party tools called “session replay scripts” to track visitors’ individual browsing sessions, including their keystrokes and mouse movements. These “session replay scripts,” typically used as analytics tools for publishers to better understand how visitors are navigating their websites, were found on 482 of the 50,000 most trafficked websites, including government (.gov) and educational (.edu) websites, and websites of major retailers.

As the research demonstrated, session replay scripts can raise serious privacy concerns if implemented incorrectly, causing security vulnerabilities and the potential for inadvertent collection of personal data (e.g. credit card numbers, health information, or other sensitive data). Therefore, privacy professionals should be involved in decisions related to whether and how to use these kinds of tools, and should carefully consider their usefulness and potential risks. With the right privacy and security safeguards in place, however, limited implementation of session replay scripts can be part of a range of ordinary, useful third-party web analytics tools.

FPF has developed a three-page guide for privacy professionals, who can in turn assist website marketing and design teams with decisions about whether and how to implement these types of analytics scripts. In this guide, we define and describe the term “session replay scripts,” and provide a checklist of privacy tips to use when deciding how best to implement them. In deciding whether and how to implement third-party scripts, privacy professionals should evaluate script providers’ terms and privacy policies, carefully select which pages within a site may or may not be appropriate for their use, and continue to assess the strength of technical safeguards — such as automated and manual redaction tools — over time.

• Link to PDF: Steven Englehardt’s presentation to the FPF Location & Ad Practices Working Group (Feb. 2, 2018)
• Steven Englehardt, No Boundaries: Exfiltration of Personal Data by Session-replay Scripts, Freedom to Tinker (Nov. 12, 2017), https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay-scripts/.
• Arvind Narayanan, Website operators are in the dark about privacy violations by third-party scripts, Freedom to Tinker (Jan. 12, 2018), https://freedom-to-tinker.com/2018/01/12/website-operators-are-in-the-dark-about-privacy-violations-by-third-party-scripts/.
• Steven Englehardt, No boundaries for credentials: New password leaks to Mixpanel and Session Replay Companies, Freedom to Tinker (Feb. 26, 2018), https://freedom-to-tinker.com/2018/02/26/no-boundaries-for-credentials-password-leaks-to-mixpanel-and-session-replay-companies/.