GF being one of them it seems. They use FullStory who are mentioned in the article.
I find that quite disturbing.
Big Brother is with us (and has been for quite some time.)
I’m curious how you found that GF uses keystroke tracking.
GF doesn’t have any computer-side software. Everything happens in the web browser. With Firefox, Chrome, and even IE/Edge, the local sandbox prevents keystroke tracking outside of the active tab. And all javascript is restricted to the current tab.
I use NoScript and Disconnect add-ons to stop connections to undesirable web sites. I do not see any of GF’s web sites (community.glowforge.com, app.glowforge.com, glowforge.com) connecting to any tracking content beyond Google Analytics. And Google doesn’t track keystrokes.
If you use Windows 10, then Microsoft does track keystrokes. But that’s unrelated to the article you cited and not related to GF.
I just opened up the network debugger on my web browser (control-shift-i on Firefox, select Network tab, and reload page). GF regularly checks for updated content, but they do not appear to track keystrokes.
Maybe I’m wrong. Can you elaborate on why you think GF tracks every keystroke?
They use FullStory, which the article mentions as one of the companies that record keystrokes. Or they did until recently. I can’t see it in the debugger today.
Actually they still do. I can see continuous traffic to www.fullstory.com
I wouldn’t worry about it. They only record your activity when interacting with their web app, which is in fact a good practice - it lets them learn where users are confused so that they can improve the UX, and to debug issues. This is the same info that (for example) apps running on your desktop see - they see events in their window, and (if well behaved) nowhere else.
They aren’t logging any keystrokes anywhere else. As @dr.krawetz points out, the web browser sandboxes each tab/window, so that apps can only see what users do in their context, so it’s not possible for (for example) Glowforge to capture the credit card number you type into an Amazon window. And Amazon can’t see what you’re printing in the GFUI.
I used to work for a company that used Clicktale (not FullStory), but it was used to improve the user experience and tune the buy flow, not for anything nefarious. It helped us to make amazing improvements. I don’t recall, but don’t remember seeing CC info or passwords. Obviously, this puts a lot of trust in the tool and should probably be an area that is closely monitored by authorities. The benefits are huge for making the UX better through actual replays of sessions as long as the privacy protections are solid.
This is what I found from a reviewer who used Clicktale (not FullStory) in 2016:
Good point - no UX logging should contain personally identifiable information, credit card numbers, medical data, etc., unless they have a really good reason to, because that raises all sorts of risks because sensitive data would be stored in a logging system, which is much harder to manage properly.
That being said, keep in mind that Glowforge can only see what’s visible to their app - we’re not talking about a keylogger in the operating system capturing passwords, etc. - that’s never visible to the Glowforge app. So even calling it a “keylogger” is a bit misleading; what web apps can see is even less than desktop apps can see. And Glowforge capturing how people use their app isn’t scary - it’s a best practice for optimizing web apps. Many sites do this, even if it’s just with Google Analytics.
So can they see your password when you log in to the app?
Glowforge certainly can capture everyone’s passwords when they type them in. Whether they configure FullStory to send that info out to FullStory is up to them, though (IMO) best practice would be to filter out any sensitive info like passwords to reduce risk.
Looking at the article and blog post, it looks like FullStory captures passwords in the clear? Am I reading that incorrectly?
I’m more concerned about some of the health information that could be exposed through these apps. I have to wonder how many of these implementations have gone through any sort of HIPAA assessment.
I don’t have any objection to GF capturing information that helps them understand how their users use the application. There’s nothing sensitive about using the app—other than the password to get into it. There may be some sensitivity about designs we all upload to use from a copyright or trademark perspective, which the GF team can technically see if they want to anyway.
Fullstory is just like web logs - they’ll capture anything you tell them to capture, and exclude whatever you tell them to exclude. (Their doc for this is at https://help.fullstory.com/spp/138664 ). It’s the app developer’s responsibility to configure FullStory to filter out passwords, etc. Just as it is the app developer’s responsibility not to log passwords, etc. This is routine - any company dealing with HIPAA or other regulated data should be keenly aware of the importance of not capturing any sensitive or regulated data in logs or in tools like FullStory.
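Added example, not code from anyone in this thread and not FullStory's or Glowforge's own code: a small client-side sanitiser showing what "filter out passwords, etc." means in practice for a session-replay feed. Password fields and anything marked with an exclude class are never sent, fields marked with a mask class are sent as asterisks, and as defence in depth for the "companies that don't know their own stack" case, any value that passes a Luhn check is masked even if nobody annotated the field. The class names `fs-exclude` and `fs-mask` are modelled on FullStory's privacy classes but are assumptions here; verify them against the linked doc. The field objects and sample events are constructed stand-ins for DOM inputs so the snippet runs offline.

```javascript
// Added example, not FullStory's or Glowforge's code: decides what a
// session-replay service may receive for each recorded input event.
// Class names are modelled on FullStory's exclude/mask privacy classes;
// the exact names are an assumption, check the vendor documentation.
const EXCLUDE_CLASS = "fs-exclude"; // never record this element at all
const MASK_CLASS = "fs-mask";       // record that typing happened, not the text

function hasClass(field, cls) {
  return (field.className || "").split(/\s+/).includes(cls);
}

// Luhn checksum: defence in depth so a card number typed into a field nobody
// remembered to annotate is still masked before it leaves the browser.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// Returns the event as it may be sent, or null when nothing should be sent.
function sanitizeEvent(ev) {
  const f = ev.field;
  if (f.type === "password" || hasClass(f, EXCLUDE_CLASS)) return null;
  let value = ev.value;
  if (hasClass(f, MASK_CLASS) || looksLikeCardNumber(value)) {
    value = "*".repeat(value.length);
  }
  return { name: f.name, value };
}

function sanitizeBatch(events) {
  return events.map(sanitizeEvent).filter((e) => e !== null);
}

// Constructed sample events; the field objects stand in for DOM inputs.
// 4111 1111 1111 1111 is a well-known Luhn-valid test card number.
const SAMPLE_EVENTS = [
  { field: { name: "email", type: "text", className: "" }, value: "maker@example.com" },
  { field: { name: "password", type: "password", className: "" }, value: "hunter2" },
  { field: { name: "card", type: "text", className: "" }, value: "4111 1111 1111 1111" },
  { field: { name: "notes", type: "text", className: "fs-mask" }, value: "hello" },
  { field: { name: "diagnosis", type: "text", className: "form-control fs-exclude" }, value: "example condition" },
];

// Example run: the password and diagnosis events are dropped, the card and
// notes values arrive as asterisks, the email address passes through.
// console.log(sanitizeBatch(SAMPLE_EVENTS));
```

The point of the Luhn fallback is that annotation-based exclusion only protects fields someone remembered to tag; the thread's HIPAA concern is exactly the case where a free-text field ends up carrying regulated data, so a real deployment would extend the same idea with patterns for whatever its own forms collect.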
Glowforge’s terms of service give them broad permission to integrate third party services, software and sites, and to send them the data required for them to work. https://glowforge.com/terms-of-service . Their privacy policy goes into quite a bit of detail about what information they collect, and what they share with partners. https://glowforge.com/privacy-policy/.
thank you for sharing
Nice find. At a high level it looks like FullStory has the capability to filter out sensitive information from known fields.
I wish this were true. Sadly, I have seen many companies that do not have a deep enough understanding of their own technology stack to discover these types of potential issues.
Well, I certainly don’t know everyone. But I know that for the companies I have visibility into, regulatory compliance is very important, because the liability can be very high, both legally and in terms of reputation. That’s not to say that everyone’s perfect, of course…
Um yes, they have to unless they hash it on the client side, since presumably user authentication happens on the server.
Obviously GF need to see it, but do the third parties see it like the news article implies? Also looks like they see your credit card details when you shop in the GF store.
The article is more subtle than the headline. All they’re really saying is that tools that capture user activity on web sites “may” do all sorts of horrible things, but that’s purely hypothetical - for that to happen the sites would need to configure the tools to capture everything everywhere, and then the services they use violate their contracts and use the data for evil purposes (or get hacked and lose control of the data). Any responsible web site would configure the tools to never capture sensitive data, so it would never be on the third-party site, and thus not be vulnerable to third parties getting hacked.
All of the info is already known to the web site (it’d be in a normal web site’s web server logs, for example).
So while I guess it’s a good reminder that web sites should make sure not to send sensitive data to third parties, it’s a huge leap from “480 companies use user activity logging services” to “480 companies record every keystroke” and from there that they’re endangering their identity, medical data, etc.
Maybe this is a good thing. It could be the key to being able to save your design settings.
Maybe we can get our Full Story logs, which are only there to (eventually) help us customers, and play them back.
uBlock Origin and Privacy Badger are doing a fine job blocking the few things it’s finding with GF sites, but I’m not seeing any fullstory links, scripts, or network calls on any of the GF sites with any browser – OSX, Chrome/Safari/Firefox Nightly. (I also didn’t find GF in the search tool provided by the article’s original source)
I wonder if something that I’m blocking is doing the loading of fullstory scripts too – though those are only a google analytic link and some stuff from newrelic. ??
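Added example, not posted by anyone in the thread: the "open the Network tab, reload, and look at who the page talks to" check described earlier, done over an exported request list so it is repeatable rather than eyeballed. It groups every request by host, separates first-party hosts from third parties, and labels hosts the thread names (FullStory, Google Analytics, New Relic). The entries are a constructed sample, not a real capture of a Glowforge page, and the classification table is an assumption for this example. As the last two posts note, run the real check in a clean profile with content blockers off, otherwise the replay script never loads and the audit shows nothing.

```javascript
// Added example, not from the thread: audit a browser Network-tab export
// (e.g. a HAR converted to a list of {url, method}) for third-party hosts.
// SAMPLE_ENTRIES is constructed for illustration, not a real capture.
const SAMPLE_ENTRIES = [
  { url: "https://app.glowforge.com/", method: "GET" },
  { url: "https://app.glowforge.com/api/status", method: "GET" },
  { url: "https://www.google-analytics.com/collect?v=1", method: "POST" },
  { url: "https://www.fullstory.com/rec/page", method: "POST" },
  { url: "https://www.fullstory.com/rec/bundle", method: "POST" },
  { url: "https://js-agent.newrelic.com/nr-loader.min.js", method: "GET" },
];

// Services the thread mentions; the kind labels are an assumption here.
const KNOWN_SERVICES = {
  "fullstory.com": "session replay",
  "google-analytics.com": "analytics",
  "newrelic.com": "performance monitoring",
};

function hostOf(url) {
  return new URL(url).hostname.toLowerCase();
}

// A host is first party if it is the site's domain or a subdomain of it.
function isFirstParty(host, firstPartyDomain) {
  return host === firstPartyDomain || host.endsWith("." + firstPartyDomain);
}

// Returns { host: requestCount } for every host outside the first-party domain.
function thirdPartyHosts(entries, firstPartyDomain) {
  const counts = {};
  for (const entry of entries) {
    const host = hostOf(entry.url);
    if (!isFirstParty(host, firstPartyDomain)) {
      counts[host] = (counts[host] || 0) + 1;
    }
  }
  return counts;
}

function classifyHost(host) {
  for (const [suffix, kind] of Object.entries(KNOWN_SERVICES)) {
    if (host === suffix || host.endsWith("." + suffix)) return kind;
  }
  return "unknown third party"; // worth a manual look
}

// One row per third-party host, sorted by name, with a count and a label.
function auditReport(entries, firstPartyDomain) {
  const counts = thirdPartyHosts(entries, firstPartyDomain);
  return Object.entries(counts)
    .sort(([a], [b]) => a.localeCompare(b))
    .map(([host, requests]) => ({ host, requests, kind: classifyHost(host) }));
}

// Example run:
// console.table(auditReport(SAMPLE_ENTRIES, "glowforge.com"));
```

A repeated `POST` stream to a single replay host, as in the sample, is the signature of a session recorder being active, which is why the earlier poster saw "continuous traffic" rather than a single script load; an "unknown third party" row is the one to chase down, since it is the host nobody has yet accounted for.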