Are the websites you’re using tracking what you type?
By Lisa Vaas December 19, 2013
- Anybody with a website can capture what you type, as you type it, if they want to – it’s been true since Web 1.0
- Still, big difference between what people think can and cannot be monitored and what’s actually possible
Let's say that, in the middle of oversharing, I thought better about writing a Facebook post about how the rash has now spread to my … (cue the backspacing, the select all/delete, hitting cancel or whatever it takes to avoid telling the world about that itch).
If that text were a Facebook status update (or a Twitter tweet, a Yahoo email, a comment on a blog or any other typing on a webpage), cancelling it doesn't, theoretically, really matter: What I wrote could still have been recorded, even if I decided not to post it.
That's a point brought up recently by Jennifer Golbeck, director of the Human-Computer Interaction Lab and an associate professor at the University of Maryland.
Slate published an article Golbeck wrote up about a paper, titled Self-Censorship on Facebook (PDF), that describes a study conducted by two Facebook researchers: Sauvik Das, a PhD student at Carnegie Mellon and summer software engineer intern at Facebook; and Adam Kramer, a Facebook data scientist.
Over the course of 17 days in July 2012, the two researchers collected self-censorship data from a random sample of about five million English-speaking Facebook users in the United States and United Kingdom.
How did they know when one of the Facebook users under their microscope had decided to back out of a post?
That's simple as pie, really: They used code they had embedded in the webpages to determine if anything had been typed into the forms in which we compose status updates or comment on people's posts.
To protect users' privacy the researchers decided to record “only the presence or absence of text entered, not the keystrokes or content” – a quote that serves as a helpful reminder that they could have tracked your keystrokes if they had wanted to.
(Note: Logging keystrokes is no super-secret, privacy-sucking vampire sauce. It's plain old Web 1.0. This is not news, but it's certainly worth repeating: Anybody with a website can capture what you type, as you type it, if they want to.)
The researchers tracked that a user had started writing content only if a Facebook user typed at least five characters into a compose or comment box. If the content wasn't shared within 10 minutes, it was marked as self-censored.
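The rule described above, written out as an added example (not code from the paper or from Facebook): the session records are constructed, all names are hypothetical, and measuring the 10 minutes from the moment the five-character threshold is first reached is an assumption. Each record carries only a text length, never the text, which matches the "presence or absence" the researchers say they logged.

```javascript
// Added example: constructed data, hypothetical names throughout.
const MIN_CHARS = 5;               // threshold stated in the article
const WINDOW_MS = 10 * 60 * 1000;  // 10-minute window stated in the article
const MINUTE = 60 * 1000;

// Classify one composer session from its event stream.
// Events hold a timestamp and a text length only; no content is present.
function classifySession(events) {
  let startedAt = null; // when the threshold was first reached (assumption)
  let sharedAt = null;  // first submit after the session counted as started
  const ordered = [...events].sort((a, b) => a.t - b.t);
  for (const ev of ordered) {
    if (ev.type === 'input' && startedAt === null && ev.length >= MIN_CHARS) {
      startedAt = ev.t;
    } else if (ev.type === 'submit' && startedAt !== null && sharedAt === null) {
      sharedAt = ev.t;
    }
  }
  if (startedAt === null) return 'not-tracked';
  if (sharedAt !== null && sharedAt - startedAt <= WINDOW_MS) return 'shared';
  return 'self-censored';
}

// Constructed sessions covering the edge cases of the rule.
const sampleSessions = {
  posted: [
    { type: 'input', t: 0, length: 3 },
    { type: 'input', t: 2000, length: 12 },
    { type: 'submit', t: 3 * MINUTE },
  ],
  typedThenDeleted: [
    { type: 'input', t: 0, length: 40 },
    { type: 'input', t: 5000, length: 0 },
  ],
  underThreshold: [{ type: 'input', t: 0, length: 4 }],
  postedTooLate: [
    { type: 'input', t: 0, length: 9 },
    { type: 'submit', t: 11 * MINUTE },
  ],
};

// Count outcomes across sessions, as an aggregate study would.
function summarize(sessions) {
  const counts = { 'not-tracked': 0, shared: 0, 'self-censored': 0 };
  for (const events of Object.values(sessions)) {
    counts[classifySession(events)] += 1;
  }
  return counts;
}
```

A post published after the window still counts as self-censored under this rule, which is one reason such a figure measures hesitation rather than content withheld.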
Why in the world would Facebook, Twitter, or similar care so much about my rash and subsequent decision not to tell the world about it?
While second thoughts come in handy to stop people who might otherwise post truly embarrassing Facebook or other social media content, as far as the social networks themselves are concerned, self-censoring users just starve sites of the content they otherwise feed upon.
From the paper:
... Understanding the conditions under which censorship occurs presents an opportunity to gain further insight into both how users use social media and how to improve [social networks] to better minimise use-cases where present solutions might unknowingly promote value diminishing self-censorship.
In her Slate article, Golbeck interprets Facebook's 17-day collection of self-censorship data for this research to be an invasion of privacy in that, as she writes, “the things you explicitly choose not to share aren’t entirely private.”
The problem with this thinking is that it conflates two things: 1) Facebook's ability to capture data about users who started typing something but then didn’t publish it; and 2) The incorrect notion that Facebook tracked the content of what users typed.
Could Facebook have captured my need for salve? Absolutely. As I said above, anybody with a website can capture what we type into their website as we type it. It's the nature of the web.
But the researchers took pains to state that while they did track the presence or absence of text entered, they explicitly did not listen in on the abandoned content; indeed, they tracked neither the keystrokes nor the content entered.
From the paper:
That said, Facebook was still looking over its users' shoulders in a fashion that would likely come as an unpleasant surprise to many of them.
Golbeck’s conflation isn’t surprising. Particularly given NSA-gate and the heightened awareness about pervasive surveillance it's bestowed upon us, we're ready to see eavesdropping governments and their corporate lackeys lurking in every corner of the Internet.
But there's a yawning gap between what people think can and cannot be monitored and what is actually possible.
The reality is that JavaScript, the language that makes this kind of monitoring possible, is both powerful and ubiquitous.
It’s a fully featured programming language that can be embedded in webpages and all browsers support it. It’s been around almost since the beginning of the Web, and the Web would be hurting without it, given the things it makes happen.
Among the many features of the language are the abilities to track the position of your cursor, track your keystrokes and call ‘home’ without refreshing the page or making any kind of visual display.
Those aren't intrinsically bad things. In fact they're enormously useful. Without those sorts of capabilities, sites like Facebook and Gmail would be almost unusable, searches wouldn’t auto-suggest and Google Docs wouldn’t save our bacon in the background. There are countless examples of useful, harmless things this (very old) functionality enables.
But yes, it also provides the foundation for any sufficiently motivated website owner to track more or less everything that happens on their webpages.
This is the same old Web we've been using since forever, but a lot of people don’t realise it. When they find out, they’re often horrified.
This was illustrated by a recent news piece about Facebook mulling the tracking of cursor movements (actually, technically, it would be tracking the movement of users’ pointers on the screen) to see which ads we like best.
The comments on that story make clear that many people are utterly creeped out by the idea that websites can track their pointers. One commenter likened pointer tracking to keylogging.
But as Naked Security’s Mark Stockley pointed out in a subsequent comment on that article, none of this is new, and the capability is certainly not confined to Facebook:
In fact, as Mark noted in his comment on the pointer-tracking story, if he had decided to ditch the comment he was writing halfway through, the Naked Security site could still have captured everything he typed, even if he'd never hit submit (it didn't by the way; we don't do that).
In summary: Facebook spent 17 days tracking abandoned posts in a manner that some might find discomforting, and readers are reminded that the Internet allows website owners to be far, far more invasive.
If you want to be sure that nobody is tracking your mouse pointer or what you type, then you'll have to turn off JavaScript or use a browser plugin like NoScript that will allow you to choose which scripts you run or which websites you trust.
Lisa Vaas has been writing about technology, careers, science and health since 1995. She rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash and joined the freelancer economy. This article first appeared on the Sophos Naked Security blog and is reprinted with its kind permission.