Imagine you’re running a nonprofit site dedicated to keeping seniors safe online. You write articles about conmen bilking people out of their life savings, romance scams, identity theft and the like.
One day, somebody recommends a chat app called Tawk that enables you to respond in real time when your visitors write in with questions. The price is right, particularly for a nonprofit: it is, in fact, free.
All you have to do is copy a simple line of JavaScript into the HTML of your website, and you’re off and running: the chat widget starts working instantly.
…as does your ability to see, in real time, everything your visitors type, even when they hit backspace and delete-delete-delete whatever thoughts first popped into their heads and which never made it into the fully baked, eventually sent message. “Whoa!” you well might think, if, in fact, you haven’t previously encountered how easy it is to set up a site to harvest form data before a user hits “submit.”
That’s precisely what happened to fellow Naked Security writer Christopher Burgess, who recently set up Tawk to work with Senior Online Security.
Christopher recorded a sample of the JavaScript wizardry that caught him by surprise. The video below captures what he saw when I stopped by the site, engaged him in chat, forgot that undercover investigative reporters aren’t supposed to tell anybody that they’re undercover and so backspaced over that detail (though obviously not before he saw me type it and captured the entry), and then threatened to report him to the FBI before changing my mind about entering that “just kidding!” notion into the form.
I come in around minute 1:10:
Note that Christopher recorded this chat just for the purposes of providing a demo. He normally wouldn’t be screen-capturing chats with site visitors. Nor does the Tawk app have an option of recording all keystrokes. But it’s worth keeping in mind that, clearly, Christopher, or anybody else at either end of an online chat, could record conversations if they chose… just as everything we type while in a browser can be tracked and logged, even if the characters are never displayed on screen.
We write about cursor tracking a fair amount, likely because people are often taken aback when they’re reminded that they’re being tracked online. In fact, one of the designers behind a site created to show users how tracking happens said that in spite of being “quite internet-aware”, she’s still very often “surprised that after I watched something on a website, a second later I get instantly personalized ads”.
That site, called ClickClickClick, was set up in November to track visitors and to show them exactly how they’re being tracked, including each and every pointer movement, x/y coordinates of where they moved, whether they zigzagged or moved straight, how many pixels their pointer traveled, how long they were inactive/active, what browser they’re using, when they leave the site, the time zone they’re in, whether they should actually be at work, and more. The designers’ intent: to remind people about the serious themes of big data and privacy.
There’s nothing unique about ClickClickClick’s tracking, just as there’s nothing unique about Tawk’s ability to track everything I enter into a form. Well, ok, there is one unique characteristic of ClickClickClick’s tracking: it’s upfront about it, displaying its tracking in an ongoing log that streams on-screen.
As for Tawk, there’s a unique slant there too – the app was from Christopher’s perspective. He hadn’t before gotten a glimpse into the tracking power typically tucked away from us as site visitors, but that power is evident to those who code sites. JavaScript makes it pretty easy with “events” with names like onkeydown, onkeypress and onkeyup, which you can “hook” (ie connect to a JavaScript function of your choice) in order to allow precise control of the keyboard, such as for games and interactive browser apps.
What’s typically tucked away is the fact that capturing the X and Y coordinates of a mouse pointer is a simple task in JavaScript, and it has been for a very long time.
Back in 2013, Facebook was mulling silently tracking users’ mouse movements to see which ads we like. Some reacted to the possibility by swearing off Facebook entirely.
It’s not just Facebook, though: any site can do it. It’s very easy and it’s very useful.
It’s the job of user interface designers to understand how people interact with web interfaces. Their job is to figure out where users have problems and how to improve their overall experience.
Collecting user behavior on sites enables those designers to work on issues such as where and why users drop off at a checkout page on an e-commerce site, for example.
They do it through mouse tracking, heat maps, click tracking, or eye tracking, among other techniques.
When we write about these subjects, readers often react with outrage. Fellow Naked Security writer Mark Stockley notes that people have a mental model of how the web works, and (incorrectly, but understandably) it doesn’t encompass voices, keystrokes, mouse movements and incomplete forms being harvested. They are shocked to find out that it’s possible at all, never mind that it’s easy.
Beyond that, the power of a single site’s tracking is multiplied exponentially, given that websites often include third-party code like AdWords or Facebook Like buttons, as well as content delivery networks (CDNs) for fast, local delivery of content. That means tens or hundreds of millions of websites share common elements served from a handful of domains. That handful of domains can set cookies on one site and read them on any other, thus tracking you across any site you visit that includes their code.
Mark has actually detailed how Twitter, for one, tracks the websites we visit and thus figures out how to target promoted tweets at individuals.
Do we have to worry about any one of the ad networks or trackers deciding to deploy “slurp your form data before you’ve finished” code that it then winds up disseminating on many millions of sites in the blink of an eye?
Fortunately, the big analytics players like Google provide aggregate views of where users click on pages, keeping the personally identifiable information (PII) out of it so that individual user sessions are anonymized. To do otherwise would be illegal, at least in the US. The Telecommunications Act prohibits sharing or selling “individually identifiable” customer information except under special circumstances, such as to enable your carrier to bill you or to help emergency services to locate you. Sorry, GoFundMe campaigns, no porn-surfing lists of named politicians or ISP industry leaders for you!
It’s worth noting, however, that Big Data can make anonymous data not all that anonymous after all. And Sarah Jamie Lewis, the doyen of .onion privacy, has concluded, after analyzing maps showing the centralization of the web via ad brokers, that “web privacy is dead”.
Today I tried to graph the the advertisement/tracker/centralized cdn relationships shared among popular websites.
Web privacy is dead. pic.twitter.com/RgCoxdzjjQ
— Sarah Jamie Lewis (@SarahJamieLewis) June 18, 2017
Should we worry about being tracked online?
Absolutely. There have already been outfits like AddThis that come up with exotic tracking techniques that do things like come up with invisible cookies that track us and which users can’t even delete.
Should we worry about an app like Tawk letting sites see what we enter into forms, even if it’s text we delete?
Yes, of course, particularly if we’re really paranoid. But if we’re that paranoid, we have no business touching a keyboard that’s attached to an internet-connected device.
We are all fish, and that kind of tracking is simply the water we swim in.
codeinfig
You know whats really awful, is if you look in .xsession-errors for a complete browser history. Everytime Firefox loads a page it seems, it complains to X, which logs the complaint, including either the url or the title in the browser. Thanks helpy-helper app!