Over 400 of the world’s most popular websites record your every keystroke, Princeton researchers find


The idea of websites tracking users isn’t new, but research from Princeton University released last week indicates that online tracking is far more invasive than most users understand. In the first installment of a series titled “No Boundaries,” three researchers from Princeton’s Center for Information Technology Policy (CITP) explain how third-party scripts that run on many of the world’s most popular websites track your every keystroke and then send that information to a third-party server.

Some highly-trafficked sites run software that records every time you click and every word you type. If you go to a website, begin to fill out a form, and then abandon it, every letter you entered in is still recorded, according to the researchers’ findings.

This list of the websites that do this should make you very, very angry.

  • MrKahuna

    Another good reason to use an Adblocker that blocks more than just “Ads”. Thank you uBlock Origin!

    • davebarnes

      AdBlockPlus and Ghostery for me

  • rick gregory

    It’s nice clickbait but note that a minority of those sites show evidence of recording. Hotjar, for example, is a popular analytics tool and I’d bet that few users of it even know it can do session recording – ( I didn’t but then I don’t use it).

    Also, yes, clicks are recorded in a lot of cases. If it’s news to anyone that analytics software tracks your clicks on links, that person needs to pay some actual attention to reality. Amusingly, you do this here via Google Analytics which, of course, captures what people click on at this site.

    Capturing incompletely filled out forms is… less OK. I get why people would want to do it for ‘good’ reasons (to see if a lot of people stop at a particular point, indicating that the form has some issue there) but I don’t like it and wouldn’t do it because to me it’s when someone clicks “Submit” that they’re saying “OK, here’s my info…”

    • Cranky Observer
      = = = Capturing incompletely filled out forms is… less OK = = =

      is…. arguably a violation of the Computer Fraud & Abuse Act, particularly if the form contains PII. Not that there will ever be any prosecution of corporate entities for crimes of that type.

  • Sigivald

    And this is why everyone should run tracker-blockers, as well as “because it makes everything faster”.

    • rosea

      Such as? Also, does going “incognito” on chrome help?

  • TheRealSpark

    I have no problem with this. Tracking click points, search terms and form completions on a site is valuable for web managers to improve site content and performance.

    • davebarnes

      For “web managers”. Tell me how it benefits me?

      • rick gregory

        IN theory, if you’re the kind of visitor the site usually sees and values, a good web business will use analytics to improve the site for people like you.

        It’s a data-driven version of watching who comes into a physical store and what they’re most interested in. Imagine you ran a shop and some people who walk into your shop routinely ask about Red Widgets. Well then, you’d be smart to make them more visible, maybe put them up front near the entrance, right? This helps you as a shop owner because you’re likely to sell more (after all some people probably want them but never ask your staff where they are and just leave) and it also helps the people who keep coming into your shop wanting Red Widgets.

        For a site like this I imagine they use it when they sell the little ad in the sidebar so they can tell advertisers that some many people visit the site, etc.

        Look, in the VAST majority of cases people running analytics on websites aren’t out to screw you over and it’s simply wrong to start with that assumption. Most people want to figure out how to make the site better for their business… how to increase sales etc. In general, that’s going to mean making the site better for the kinds of visitors who are likely to buy. If you object to that I sure as hell hope you don’t get paid by a company that sells to consumers because that would be incredibly hypocritical.

        • davebarnes

          I build websites for a living and none of my customers do this kind of tracking.

          • rick gregory

            Any analytics at all or saving partial forms? If they don’t do any analytics then you and they are not optimizing their site performance which is professionally irresponsible.

            Business and non-profit websites are there to serve a purpose and if an organization refuses to use any analytics they can’t tell how well or how poorly they’re doing that.

            For an online business, that’s leaving money on the table – how do their employees feel about that if they don’t get a raise or business isn’t good and one is let go? For a non-profit, they could be leaving donations on the table or not getting volunteers who could help or otherwise failing to engage their visitors as well as they could, all of which means they’re less able to help those that they serve.

            The form saving is, I agree, over the line. I understand there are innocuous reasons to do it (where are people abandoning the form, let’s design that better…) but I don’t like it because the visitor hasn’t given permission to record the data by clicking the Submit button.

          • davebarnes

            My customers are very small companies. They have zero resources to devote to analytics. By very small, I mean 1-5 employees. The next time you are in your local cake shop, ask them how much they care about website analytics.

          • rick gregory

            Cake shops can do offers, etc. They can see who comes to their site, what pages they see, have an order form and see how many people go there vs go there and leave, send emails to customers with offers and see how those convert.

            THEY shouldn’t have to think of these things. YOU should have.

          • davebarnes

            When they are approached about it, they say no. “No time.” I have one customer (a small high-tech company) who refuses to pay for SEO tracking at $6/mo. I have tried twice over the last few years and each time I turn it on, I get yelled at.

          • rick gregory

            Wow. OK. I take that back then – and good on you for offering. You can’t help it if they don’t care. I would offer it to everyone with some description of the benefits and perhaps examples, though. In my experience ‘no time’ sometimes means “I don’t understand this, I don’t have time to learn, I have enough to do’ which could be a paid service you offer. Maybe a once per quarter “here’s a 1 page Analytics review” thing.