One of the main reasons to use a VPN is to provide privacy while online. It may, therefore, come as something of a surprise to learn that many VPNs not only track visitors to their websites, but share this information with extensive advertising and analytics networks.
Even more worrying is the fact that the information collected goes far beyond mere tracking. Session replay scripts have hit the headlines recently because they record every interaction a visitor makes with the website.
According to a recent report by Princeton University researchers:
“These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.”
Even when text is typed into a form field but never submitted, session replay scripts will still record it. Alarmingly, a follow-up report found that these scripts can also leak passwords to session replay companies:
“In our research we found password leaks to four different third-party analytics providers across a number of websites. The sources are numerous.”
The video above shows what information session replay company FullStory can collect when you visit a website that uses its scripts.
Bad as all this might sound, it gets worse…
FullStory is one of these companies. Other top session replay companies named in the report are Yandex, Hotjar, UserReplay, Smartlook, Clicktale, and SessionCam.
It is also safe to assume that none of this highly personal data which is collected (and which can include passwords, remember) will be safe from criminal hackers.
“Recording services increase the exposure to data breaches, as personal data will inevitably end up in recordings. These services must handle recording data with the same security practices with which a publisher would be expected to handle user data.
We provide a specific example of how recording services can fail to do so… The vulnerabilities we highlight… are inherent to full-page session recording.”
VPN websites and tracking
The fact that many VPNs track users using tools such as Google Analytics has always been a concern. This is why we have started to include a section on website tracking as part of our standard review process.
We understand that in most cases the VPN is not acting in any way maliciously. The information gained in this way provides them with a great deal of insight into how visitors interact with their website. This allows a VPN to improve the design of its website, which, of course, helps to improve its profits.
It is also important to understand that website tracking has no impact on your privacy when using the actual VPN. It is basically a separate issue (although passwords leaked thanks to session replay scripts might compromise your actual VPN account!).
At BestVPN.com, however, we feel that extensive website tracking by companies that promise to care about your privacy is very bad form. It also does little to inspire trust in a provider, in a business where trust is everything.
VPNs and session replay scripts
If the use of regular tracking scripts by VPN websites is irritating, the use of session replay scripts is frankly unforgivable.
The Princeton researchers have released a list of almost 10,000 websites “which embed scripts from analytics providers that offer session recording services.”
As the researchers note, “the appearance of a website on this list DOES NOT necessarily mean that session recordings […]”. Even so, the use of scripts from these companies is very concerning.
A simple search of the downloadable .csv file (mainly for the term “VPN”) turned up 17 VPN services, plus some websites that compete with BestVPN.com. There may well be others on there with less obvious names, but I do not have time to manually sift through all 10,000 domains!
Of those VPNs, only two are listed as having “evidence of session recording.” These are HideIP.me and VPN Tunnel, neither of which has been reviewed by us. Do note, however, that this is not evidence that session recording was not performed by the others on the list – only that there is no evidence for it.
Most of the VPNs on the list now appear to have removed tracking by session replay companies, so we can only hope their use was a mistake made in good faith and that lessons have been learned.
Astrill still uses a tracking script from Hotjar (above), while HideIP.me uses a confirmed session replay script from Yandex.
Protect yourself against session replay scripts
As always, it is best not to rely on others when it comes to protecting your privacy. The good news is that most ad-blocker and script-blocker browser add-ons will protect you from session replay scripts.
Ad-blockers mostly work using block-lists, however, so do please be aware that:
“Two commonly used ad-blocking lists EasyList and EasyPrivacy do not block FullStory, Smartlook, or UserReplay scripts. EasyPrivacy has filter rules that block Yandex, Hotjar, ClickTale and SessionCam.”
I recommend using the uBlock Origin ad-blocker for Firefox with Fanboy’s Enhanced Tracking List, in combination with the EFF’s Privacy Badger add-on. Note that Privacy Badger on its own should block session replay scripts, but it works best in combination with a good ad-blocker.
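Because block-lists only catch what they already know about, it helps to be able to check a page yourself. The following is an added example, not code from this article or from any of the providers named in it: a small Python audit script that scans a saved copy of a web page for scripts loaded from the session replay companies discussed above, including recorders pulled in by inline loader snippets rather than a plain `<script src>`. The provider domain list is an assumption drawn from general knowledge (not from the article) and the sample page is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical audit list (assumed, not from the article): registrable domains of
# the session replay providers the article names. Keep it current before relying on it.
SESSION_REPLAY_DOMAINS = {
    "fullstory.com": "FullStory", "hotjar.com": "Hotjar", "smartlook.com": "Smartlook",
    "userreplay.net": "UserReplay", "clicktale.net": "Clicktale",
    "sessioncam.com": "SessionCam", "yandex.ru": "Yandex",
}
URL_RE = re.compile(r"""https?://[^\s'"<>)]+""")

def provider_for(url):
    """Provider whose domain the URL's host equals or is a subdomain of, else None."""
    host = (urlparse(url).hostname or "").lower()
    for domain, name in SESSION_REPLAY_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None

class ScriptURLs(HTMLParser):
    """URLs loaded via <script src> or written inside inline scripts; <a href> is ignored."""
    def __init__(self):
        super().__init__()
        self.urls, self._in_script = [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.urls += [v for k, v in attrs if k == "src" and v]
    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:  # inline loaders often build the recorder URL as a string
            self.urls += URL_RE.findall(data)

def find_session_replay(html):
    """Sorted names of session replay providers whose scripts the page loads."""
    p = ScriptURLs()
    p.feed(html)
    return sorted({n for u in p.urls if (n := provider_for(u))})

# Constructed sample: a plain include, an inline loader, a first-party script, and a
# policy link to a provider that must NOT be counted as a tracker load.
SAMPLE_HTML = """<script src="https://static.hotjar.com/c/hotjar-1.js"></script>
<script>var s=document.createElement('script');s.src='https://edge.fullstory.com/s/fs.js';</script>
<script src="/assets/app.js"></script><a href="https://www.hotjar.com/legal">opt out</a>"""

if __name__ == "__main__":
    print(find_session_replay(SAMPLE_HTML))  # ['FullStory', 'Hotjar']
```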
Image credit: By REDPIXEL.PL/Shutterstock.