More than 480 web firms record 'every keystroke'


#1

GF being one of them it seems. They use FullStory who are mentioned in the article.


#2

I find that quite disturbing.

Big Brother is with us (and has been for quite some time.)


#3

I’m curious how you found that GF uses keystroke tracking.

GF doesn’t have any computer-side software. Everything happens in the web browser. With Firefox, Chrome, and even IE/Edge, the local sandbox prevents keystroke tracking outside of the active tab. And all JavaScript is restricted to the current tab.

I use NoScript and Disconnect add-ons to stop connections to undesirable web sites. I do not see any of GF’s web sites (community.glowforge.com, app.glowforge.com, glowforge.com) connecting to any tracking content beyond Google Analytics. And Google doesn’t track keystrokes.

If you use Windows 10, then Microsoft does track keystrokes. But that’s unrelated to the article you cited and not related to GF.

I just opened up the network debugger on my web browser (control-shift-i on Firefox, select Network tab, and reload page). GF regularly checks for updated content, but they do not appear to track keystrokes.

Maybe I’m wrong. Can you elaborate on why you think GF tracks every keystroke?


#4

They use FullStory, which the article mentions as one of the companies that record keystrokes. Or they did until recently. I can’t see it in the debugger today.


#5

Actually they still do. I can see continuous traffic to www.fullstory.com.


#6

I wouldn’t worry about it. They only record your activity when interacting with their web app, which is in fact a good practice - it lets them learn where users are confused so that they can improve the UX, and to debug issues. This is the same info that (for example) apps running on your desktop see - they see events in their window, and (if well behaved) nowhere else.

They aren’t logging any keystrokes anywhere else. As @dr.krawetz points out, the web browser sandboxes each tab/window, so that apps can only see what users do in their context, so it’s not possible for (for example) Glowforge to capture the credit card number you type into an Amazon window. And Amazon can’t see what you’re printing in the GFUI. :)


#7

I used to work for a company that used Clicktale (not FullStory), but it was used to improve the user experience and tune the buy flow, not for anything nefarious. It helped us to make amazing improvements. I don’t recall, but don’t remember seeing CC info or passwords. Obviously, this puts a lot of trust in the tool and should probably be an area that is closely monitored by authorities. The benefits are huge for making the UX better through actual replays of sessions as long as the privacy protections are solid.

This is what I found from a reviewer who used Clicktale (not FullStory) in 2016:


#8

Good point - no UX logging should contain personally identifiable information, credit card numbers, medical data, etc., unless they have a really good reason to, because that raises all sorts of risks because sensitive data would be stored in a logging system, which is much harder to manage properly.

That being said, keep in mind that Glowforge can only see what’s visible to their app - we’re not talking about a keylogger in the operating system capturing passwords, etc. - that’s never visible to the Glowforge app. So even calling it a ‘keylogger’ is a bit misleading; what web apps can see is even less than desktop apps can see. And Glowforge capturing how people use their app isn’t scary - it’s a best practice for optimizing web apps. Many sites do this, even if it’s just with Google Analytics.


#9

So can they see your password when you log in to the app?


#10

Glowforge certainly can capture everyone’s passwords when they type them in. Whether they configure FullStory to send that info out to FullStory is up to them, though (IMO) best practice would be to filter out any sensitive info like passwords to reduce risk.


#11

Looking at the article and blog post, it looks like FullStory captures passwords in the clear? Am I reading that incorrectly?

I’m more concerned about some of the health information that could be exposed through these apps. I have to wonder how many of these implementations have gone through any sort of HIPAA assessment.

I don’t have any objection to GF capturing information that helps them understand how their users use the application. There’s nothing sensitive about using the app–other than the password to get into it. There may be some sensitivity about designs we all upload to use from a copyright or trademark perspective, which the GF team can technically see if they want to anyway.


#12

Fullstory is just like web logs - they’ll capture anything you tell them to capture, and exclude whatever you tell them to exclude. (Their doc for this is at https://help.fullstory.com/spp/138664 ). It’s the app developer’s responsibility to configure FullStory to filter out passwords, etc. Just as it is the app developer’s responsibility not to log passwords, etc. This is routine - any company dealing with HIPAA or other regulated data should be keenly aware of the importance of not capturing any sensitive or regulated data in logs or in tools like FullStory.

Glowforge’s terms of service give them broad permission to integrate third party services, software and sites, and to send them the data required for them to work. https://glowforge.com/terms-of-service . Their privacy policy goes into quite a bit of detail about what information they collect, and what they share with partners. https://glowforge.com/privacy-policy/.


#13

Thank you for sharing.


#14

Nice find. At a high level it looks like FullStory has the capability to filter out sensitive information from known fields.

I wish this were true. Sadly, I have seen many companies that do not have a deep enough understanding of their own technology stack to discover these types of potential issues.


#15

Well, I certainly don’t know everyone. But I know that for the companies I have visibility into, regulatory compliance is very important, because the liability can be very high, both legally and in terms of reputation. That’s not to say that everyone’s perfect, of course…


#16

Um yes, they have to unless they hash it on the client side, since presumably user authentication happens on the server.


#17

Obviously GF need to see it, but do the third parties see it like the news article implies? Also looks like they see your credit card details when you shop in the GF store.


#18

The article is more subtle than the headline. All they’re really saying is that tools that capture user activity on web sites “may” do all sorts of horrible things, but that’s purely hypothetical - for that to happen the sites would need to configure the tools to capture everything everywhere, and then the services they use violate their contracts and use the data for evil purposes (or get hacked and lose control of the data). Any responsible web site would configure the tools to never capture sensitive data, so it would never be on the third-party site, and thus not be vulnerable to third parties getting hacked.

All of the info is already known to the web site (it’d be in a normal web site’s web server logs, for example).

So while I guess it’s a good reminder that web sites should make sure not to send sensitive data to third parties, it’s a huge leap from “480 companies use user activity logging services” to “480 companies record every keystroke” and from there that they’re endangering their identity, medical data, etc.


#19

Maybe this is a good thing. It could be the key to being able to save your design settings.

Maybe we can get our Full Story logs, which are only there to (eventually) help us customers, and play them back.


#20

uBlock Origin and Privacy Badger are doing a fine job blocking the few things it’s finding with GF sites, but I’m not seeing any fullstory links, scripts, or network calls on any of the GF sites with any browser – OS X, Chrome/Safari/Firefox Nightly. (I also didn’t find GF in the search tool provided by the article’s original source)

I wonder if something that I’m blocking is doing the loading of fullstory scripts too – though those are only a Google Analytics link and some stuff from newrelic. ??