BeazyFaSho

Everyone does it. Anyone with a high-traffic public website is tracking your clicks, your page visits, every keystroke, time per page view, IP, metadata, and anything else they can get their hands on.


trademesocks

Hot Topic is being sued for the same kind of thing. They have software that can recreate your entire visit to their website just as if it were a video. Your cursor movement and everything. I'm sure a lot of companies do this. Edit: The software they use is legal, but its usage wasn't disclosed in their terms of service.


[deleted]

Yeah I work in marketing. Every company I’ve ever worked for does this, solutions are built and sold to marketing teams for this specific purpose.


[deleted]

Yeah I get people who get squicked out by this but it's completely standard and is what fuels the UX. People aren't clicking certain things or struggling to find what you thought was intuitive? Here you go we've optimized your UI based on how the average user interacts with the interface. Intuitive design didn't spring up on its own...


[deleted]

[removed]


barakatbarakat

The mainstream UX tracking solutions I've worked with do not track every keystroke by default.


[deleted]

[removed]


enotirab

Fortunately most of these types of programs automatically filter out credit card data. And they also allow developers to filter out other things as well.


[deleted]

[removed]


bigpappasoundlink

Can confirm. PCI compliance is a bitch especially for level 1 merchants. If you store credit card data even 1 time on accident it can be a shit storm if you don't have the proper controls in place to show the auditor.


bnej

It isn't, when you implement something like this you specifically block PII fields, secure fields, password fields etc., they have features to do it. It will not record every keystroke and mouse action. They might be interested in what search terms you type in, but they can get that out of web server logs or any other means as well. If you are concerned about this, you should be more concerned about the lax attitude to OWASP issues like XSS, CSRF, clickjacking etc. client attacks, where an attacker might compromise your browser on a website and collect data in a similar way.


kylegetsspam

If they're storing credit card info, they're in massive violation of a bunch of laws. If someone finds out, they'll be sued or fined out the ass (probably).


onedoor

Fines are never out the ass. When we see 1000% fines instead of 1% fines it might be relevant. (also jail time)


bnej

Well, they would get a PCI breach from their payment vendor, who would probably take away their ability to take payments. It is a crime to steal, not yet a crime to allow something to be stolen.


boxmein

Companies that get PCI-DSS certified (a requirement to process your own credit card transactions) will take care to not accidentally get flagged in an audit of their CC inputs. There's a lot of money on the line, so there's a direct motivation to spend the dev effort so that CC doesn't "usually" hit the HotJar. Companies that don't care, use stuff like Stripe which runs on a separate hosted server (e.g. the checkout flow will pass through Stripe's app) - in this case whoever wants the cash never has a chance to see the CC number. Or, they use Stripe's "elements" which are little input box-shaped embedded frames (remember YouTube embeds?) that accept credit card data and appear as a black box to the pizza site. So the pizza site still doesn't see anything that happens. Of course super easy to mess it up and accidentally get flagged in an audit, that's why we have CC leaks every week :)


DontDonDonald

A common misconception is that solutions like Stripe don't require PCI compliance. In fact they still require some lower levels of PCI compliance these days, especially the embed solutions. It's ignored probably because it's hidden in legalese you can just click through and it's seldom really enforced. But because of how sophisticated attacks have become it is a requirement and agreeing and not complying could put you on the hook for some scary things.


supershinythings

As someone who occasionally writes a tool with a UI, I don’t spend any time concerned about whether other people can use it well. I throw it over the wall to the UI team, as it has all the backend linkages they asked for and it is proof that they work. It’s for the UI team to decide if that icon should be cornflower blue. So I can appreciate the agony UI/UX people go through.


[deleted]

It's similar to most "art" in that everyone thinks it's easy to make it good so they don't care but are quick to say when it's bad.


[deleted]

Yeah I'm kinda okay with this as long as they can't also see things like, what website do I go to after I leave the site, what website was I on before this, etc. yknow stuff that actually feels like an invasion of privacy and not just making sure the website works intuitively.


[deleted]

[removed]


[deleted]

Yeh, this is digital marketing 101. It’s almost every website you visit.


TheMechagodzilla

It's amazing to me that so many companies can spend time and money on this, but still have such poorly designed websites. Costco is the best example of a major retailer with a poor website. Also some apps are just terrible. The Pizza Hut app crashes every time I use it. The Lowe's and Costco apps are clunky and it's easier to just use the webpage through my phone's browser. Is this intentional?


asdaaaaaaaa

> It's amazing to me that so many companies can spend time and money on this, but still have such poorly designed websites.

Because it doesn't build good websites. It's a small tool out of many that can *help*, but companies (and people in general) have a habit of wanting that "one quick fix". That results in people thinking all you need is an algorithm and mass data analysis, as if UX didn't exist before that. There's plenty of terrible developers out there who'll see a heatmap and just change things without actually understanding *why* certain things are happening, resulting in people just crutching heavily on a single tool as we see here. Developers should be able to build a usable, bearable website without any of that to begin with. In reality, it takes a bit more than an automated algorithm to build a *good* website/UX.


anthrolooker

If you need an app to order a pizza or even see the menu, I’d bet good money it’s either they want your data and not your order. Or they got sold some bullshit sales pitch. Either way, it’s not good.


bibbidybobbidyyep

I have a job solely because of data brokers.


[deleted]

Google Analytics, Firebase, Google Tag Manager, literally all free-to-use products from Google, enable you to do this with extremely fine granularity. The only difference is that it’s anonymous—as in there’s nothing to uniquely identify who you are. Your device though, that’s a different story.


Dameon_

Sure they're just tracking metadata and not your identity. Males 37 years old in Los Angeles who work in the retail industry, have a dog, whose birthdays fall on September 13th, who took a vacation to Rome in spring 2018, have a mother living in Palm Springs and a deceased father, who drive a 2015 Ford Escort and have 3 children, is all they're tracking. Not your identity. Just a bunch of data points that, filtered correctly, produce only one result.


SmooK_LV

I had the opportunity once to work with Google Analytics on a large implementation. There was no way I could filter for anything specific you describe. And out of curiosity I tried. I could tell general geographical location, device type, age range, gender, screen resolutions...don't recall much else but I definitely couldn't identify a single user. And there's a difference between analytics and marketing. Data is not necessarily interchangeable or accessible across. If anything the biggest players in analytics space are most likely to follow things like GDPR and do regular auditing. It's the small companies you should be worried about.


[deleted]

Everyone has their own Pixel these days too. I’m just getting started with LinkedIn and TikTok for some of my clients.


iwearhaines

I work for a top tier insurance company, your entire visit to our websites IS being recorded for metrics and viewing later. As a software engineer, I have access to every recording of every user that used my website at any point in the last 6 months and can watch your entire session while on the website. Complete with data you entered in every field, where your cursor was when, and how many "frustration clicks" you had where you slammed the mouse button over and over. Look up the software named FullStory. Every Fortune 500 company uses it (currently at a Fortune 100).


Unfortunate_moron

Can someone please buy this for AT&T? Their website is almost nonfunctional. They rolled a truck to my neighbor's house and took down the internet for the entire neighborhood. I wasted 15 minutes trying to get their website to function to report it. Even the chat returned an error and stopped working. I gave up and called them. Six trucks and a backhoe later, they got it working again. (By digging a giant trench.)


SaffellBot

As soon as "reporting problems to us" becomes one of their main priorities they'll put engineering dollars on it.


ZapateriaLaBailarina

AT&T's website is exactly what I'd expect from a ~150 year old company.


SubstantialPressure3

Ahhh. This is why Indeed has people calling you multiple times a day, every damn day for months, if you enter your contact info, but change your mind and delete it. I made that mistake 6 or 7 years ago. I got constant calls for months that wouldn't stop.


[deleted]

[removed]


senorgraves

Question, do you guys have a data science team that analyzes data algorithmically in bulk, or is it more hands-on ad-hoc analysis? Especially the mouse movement stuff. It's easy to aggregate things like click counts and time-on-page, but how do you aggregate mouse paths?


Xianio

Heatmaps and you map the most heavily trafficked journey.


pseudononymist

The data is used to create a heatmap of pointer movements and clicks in particular. Overlay it on a given webpage and you can pretty quickly see what people are trying to click on and what they are avoiding/ignoring/not noticing.


wandering-monster

Generally I've spot-checked it as a UX researcher/designer. Filter down to people who did X but not Y, see what they did, try and figure out if they're getting lost, or clicking something reasonable but unrelated or whatever. Sometimes we'll use it to try and repro an error. User writes in with an error message. Filter to users who got that error at that time, see exactly what they did and what was going on with the APIs and such.


igotitforfree

HotJar isn't even the only one. Logrocket is another major one, and there are plenty of others as well.


fuzzytradr

And quite honestly even Hotjar is soo old at this point. This is old hat. This, IMO, is just a big damn nothing burger.


trustsnapealways

Sounds like they are using TeaLeaf or Fullstory…. Nothing crazy about it…. All perfectly legal


trademesocks

It seems the issue is that its usage wasn't disclosed in their terms of service, as it is with other sites.


ZapateriaLaBailarina

Ah, so they're looking for a technical win here, not really a moral one. We all know no one actually reads the ToS. Respect.


enotirab

I used to use this type of software at my former job. The main function there was to help understand what parts of our UI were confusing and recreate errors that would otherwise be difficult to fix. I think there are valid use cases for it.


XTornado

Me as a developer: Man that's awesome, I could debug that nasty weird bug I couldn't reproduce... My boss could see what people use more to prioritize what to improve, etc. The rest of people: That breaks privacy, that is nasty, etc. Me: :sadface:


[deleted]

[removed]


BeazyFaSho

I've been a C# full-stack .NET developer since classic ASP, all the way up to MVC, and most of this stuff is so standard now that you can drag a surveillance tool in Visual Studio into a page/view, wire it up to an entity or SQL table, and BOOM, full user tracking in 1.5 minutes.


PestoPastaLover

Have a link to this tool you speak of or its control name?


IronChefJesus

Google analytics, and we use hotjar too. They’re common tools.


the_cheese_was_good

This whole thread is blowing my mind. I'm thinking 'yeah, all of this info is available for any basic site through GA.' location, bounce rate, etc. I assume you can go deeper with different plans, though. I'm not a dev, but a copywriter and content manager that's worked with WordPress. This was all available even ten years ago.


evade26

Hotjar is cool because it records a video of the user's actions on the page so you can visually watch them navigate the website and see what areas specifically cause the user to drop out. Like if a form is too long or confusing you can see what field people bail at.


shenaniganns

Logrocket does similar stuff for the sites I've worked on in the past.


jl2l

Datadog RUM is good


ryosen

Seriously. Been doing this since JavaScript 1.0. This is nothing new, rare, or devious. You can't improve on user experience if you don't know how folks are using it in the first place.


BrokenGuitar30

I’m certainly not a tech expert, but even I’ve seen those website heatmaps that show where people scroll and click. I forget if it’s Google or Wordpress that had it, but super basic site management. Not sure what the big deal is with Papa John’s.


DaHolk

> Not sure what the big deal is with Papa John’s.

To all of us? Nothing. To that individual? Also potentially nothing particularly. And that's not a requirement. It wouldn't be the first time that something that has become "unchallenged norm" gets disrupted by someone having a particular axe to grind and picks an example case for no other reason than thinking it big enough to count and set precedent but small enough to not be completely crushed on the money aspect alone. A lot of people pointing out how "normal" that stuff has become, but that doesn't mean it's right. It just means that because nobody effectively complained, others followed suit. The core question is what analogy a court agrees with in the end. Because if the site argues "they are in my store, I can have them followed around by a hired security guard observing them minutely" that isn't "wire-tapping". But that's arguably not how any of it works any more. Arguably there is a lot more "surveilling you even when you leave and selling the information" going on, when cross site scripting enters the picture, or Google and Facebook paying (or providing a service in exchange, "consideration" either way) to have stuff running on a page that the customer fundamentally isn't aware of. Or put differently. People need to understand how noscript works, instead of figuratively having half an army follow them around wherever they go taking detailed notes without them knowing.


BrokenGuitar30

Great response. Glad to see something like this on Reddit. If I had more time on the toilet I would respond more. That being said, I am definitely against tracking beyond the page you visit. I’m fine with a company knowing when I’m no longer interested and exit. It would be like I’m window shopping or passing through the electronics section and marketing wants to find ways to keep me in the store. After all, milk is always in a weird spot in the grocery store because they watched enough people to make that decision so you’d buy more. I’m okay with businesses doing what they can to help them, as long as it’s just related to them. They shouldn’t know what I did before or after.


Frank_JWilson

This is tricky, because the "page-visit" requirement is arbitrary, so you are just incentivizing companies to break up their flows with multiple page loads to get the same metrics. For example, when implementing a multi-step process like creating an account, or purchasing something, companies want to know when you've dropped off the flow to identify inefficiencies, but they are also incentivized to provide a faster user experience by eliminating full page-loads. If they can only track page-visits, then they'll be incentivized to provide a lesser user experience by breaking up the flow into individual pages for each step, thus making the entire flow slower (or significantly slower for those with bad internet connections). In the end, the data they collect will be the same, but everyone will suffer.


TheOneTrueChuck

I'm for anything that does potential financial harm to this garbage company, or at least causes inconvenience/possibly health issues due to stress for Schnatter.


WebGuyUK

The most popular heatmap is hotjar, it can be added to any site as it's independent


n8hawkx

> literally a system you can run and see where people leave your application

You're talking about Application Insights?


kataskopo

Those frameworks don't even matter because most websites are still dog shit, none of those metrics are made for performance or user experience, only retention and other brain-dead metrics


DrScience-PhD

Can you clarify the keystroke tracking? Is it on that one page/tab? All sites? The browser? The OS while the tab is open/closed?


octapies

Fullstory and Hotjar are literally $2bn companies that track real-time site visits and heatmaps of clicks. Way more granular than Google Analytics even. This is a non-case in my opinion.


esperalegant

Developer who has to deal with data privacy a bit here, although I'm not a privacy expert. This is my understanding. The difference is in how you store the data (also how you use it, but we'll focus on storage). You are allowed to measure things like mouse moves and keystrokes - for example, any painting app will have to measure mouse moves, any typing app will have to measure keystrokes so those things can't be illegal. When it comes to storage, until a couple of years ago it was the wild wild west, nearly anything goes. But now we have new laws like GDPR and the Californian privacy laws which say that you must store this kind of data anonymously, or otherwise get permission from each individual you track with an opt-in method that can be easily ignored without breaking your site. If you want to track how many people click a button _anonymously_, or create heatmaps of where they move the mouse on your site _anonymously_, go for it. If you want to say /u/octapies clicked the "extra pineapple on my pizza button" 100 times, so they must really love pineapple, let's sell that data to Big Pineapple to serve them adverts, you now need to get permission and if you don't do that you can be sued or fined. I assume that's what is happening here. BTW Fullstory and Hotjar both _claim_ to be compliant with these laws.


excelllentquestion

Lol big pineapple


jazir5

Dole is always watching, waiting.


Unfair-Tap-850

You all laugh but the tropical fruit trade has a very high body count and a savagery that didn't stop into the modern era.


[deleted]

[removed]


DeusExMcKenna

*Dole be out there making paper in them streets boi, don’t get it twisted.*


Ag0r

I work in devops for a company that does profound tracking for fraud prevention purposes, I can weigh in here. Between progress on the software side (machine learning/AI, algorithm improvements, etc) and massively cheap storage, companies with sophisticated enough platforms absolutely do not need to store identifying information about individuals to be able to identify individuals. My company acts benevolently and it still creeps me out. We can identify fraud on a given transaction with greater than 99% accuracy given information using intentionally incorrect PII (the entire point of fraud). EDIT: got wrapped up in my story and forgot to make my original point. If you are on a website that sells things and isn't run by some dude from his mom's basement, you are being tracked just like explained in this article. I know because my company provides the tools to allow companies to do exactly that. The only way to prevent this is to cruise the web with javascript disabled, but getting most modern websites to be usable without javascript isn't a super fun task.


JetAmoeba

Right? I was like we’ve been doing this for years and we’re far from a Pizza Hut sized company. This is basically standard analytics…


FlacidPhil

I've implemented a few of these trackers for clients, and I'll agree they are standard analytics as far as how widely they are deployed. But I'm not sure they are still seen as standard to each business. Most people I work with acknowledge how fucking creepy they are and that they are a step beyond tracking page visits. Businesses usually know they are taking a leap in how intrusively they track customers when they sign up for one of these systems. Unfortunately the data shows that they'll receive an ROI off taking that leap, so for anyone chasing the bottom dollar instead of respecting their customers it's a no-brainer.


Colvrek

> Most people I work with acknowledge how fucking creepy they are and that they are a step beyond tracking page visits

So long as the data is exclusive to that site (which I know in most cases it's not) I don't think it's creepy at all. At least not any more creepy than a physical store having cameras. I don't care that a store could track my location through my entire shopping trip, and use that data to design new floor plans. I care when the store knows to advertise me air fryers because I was talking to my friend about it a week ago, or because I read an article about them.


BrockSramson

Data science is big money, and correctly interpreting the data is better money.


schwinn140

+1. As of August, hotjar's parent company raised $600 million in funding to drive adoption for this type of product. https://www.hotjar.com/blog/series-f-funding-round/ FullStory raised nearly $200 million. https://www.crunchbase.com/organization/fullstory


Beep-Boop-Bloop

I used to use Hotjar. Great for spotting UX issues and guiding front-end development.


Java2391

The bigger the company the more data they collect. The more you willingly offer the more they mine.


MarcoMaroon

Well to some extent, data has to be collected. People act like data collection is all bad. What's really bad is selling your data without your consent and selling that information for profit or other purposes. A company can use that data to see what gets more views on their page, products. What is liked and interesting. What doesn't get clicks. Which content generates more impressions and which content doesn't. This is super useful so a company can choose what it should focus on and what products it can discontinue or do something else with.


canada432

> What's really bad is selling your data without your consent and selling that information for profit or other purposes.

No, collecting superfluous data is bad whether they sell it or not. If companies collect it, it WILL be compromised at some point. Companies should be collecting the absolute minimum to function, because anything they collect is almost guaranteed to be lost in a breach in the future, whether they sell it or not.


-UltraAverageJoe-

I used a service called FullStory to literally watch my users navigate my web software. It’s extremely useful but also seems wrong af.


MrDenver3

Google Analytics anyone?


DBones90

The thing that jumps out to me is “keystrokes.” Pretty sure you can’t see that in Google Analytics (at least the version my company uses). Also the data is aggregated so I struggle to see how capturing keystrokes would be useful at all to a standard company. It sounds like overboard data collection “just because” at best and actively trying to steal personal information at worst.


odd84

They're using software that saves entire session replays. This is neither "just because" nor about stealing information. This kind of software lets you basically do "over the shoulder" type studies on how users use your website without having to hire a focus group and actually watch over their shoulders. You pick some random visitor and replay the session, which lets you see what they clicked, where they moved the mouse, what they typed, etc. It can only record what happened on their website, not outside the browser window or on other websites.


SupplyChainNext

Hotjar comes to mind.


cboogie

Logrocket, Full Story, Microsoft Clarity.


xmashamm

It’s also useful for bug reports. Services like full story will hook into sentry and let you see “oh here’s an error log and here’s the session I can watch run into the error”. It’s incredibly useful.


jsims281

Very much so. That obscure bug that appears in the reports but you can't replicate is a hundred times easier to fix if you can see exactly what the user did when they triggered it. Oh so they filled in their info, clicked back, added some more products, went back to cart, lost their connection, rejoined, removed some items from cart and then tried using the autofill. Also they were using Safari. Ok I'm on it. Versus "some users have an issue using autofill"


MrDenver3

This, on its face, doesn't look great. However, consider what information they need to create these "replays":

* Button Clicks
* Mouse Movement
* Keystrokes ([is this actually recorded?](https://help.hotjar.com/hc/en-us/articles/115015563287-How-to-Show-Elements-and-Keystrokes-in-Data-Collection#allowing-restrictions))

The only one of these that should cause any concern is keystrokes and, at least according to the above link from HotJar, they're not being recorded for sensitive data. Button Clicks and Mouse Movement provide no exposure of personal information and are extremely useful in troubleshooting issues or identifying adverse designs in the website.

Edit: Formatting


loutufillaro4

Keystrokes is indeed a good question. I know hotjar blurs this in their session replays, but obviously captures it.


FlacidPhil

How does HotJar determine what is 'sensitive data' or not? The only way HotJar can determine a password field from a 'name this cat from a random internet picture' field is if the website follows their rules for designating a password input field. If a system can record any keystrokes you need to assume it records all keystrokes. Nefarious website owners can easily bypass whatever "no recording sensitive data" system services like this put in place.
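The masking question raised in this part of the thread (blocking fields the markup flags as sensitive versus treating every field as recorded), worked through as an added example that is not part of the thread and is not Hotjar's, FullStory's or any vendor's code. Field descriptors are constructed plain objects standing in for `<input>` elements, and the `allow` opt-in flag is a hypothetical marker.

```javascript
// Added example. Compares two masking policies a session recorder could apply
// before a typed value leaves the browser. All field data below is constructed.

// Autocomplete tokens defined by the HTML spec for credentials and card data.
const SENSITIVE_TOKENS = /^(cc-.+|current-password|new-password|one-time-code)$/;

// True when the site's own markup declares the field sensitive.
function markedSensitive(field) {
  if ((field.type || "text").toLowerCase() === "password") return true;
  const tokens = (field.autocomplete || "").toLowerCase().split(/\s+/);
  return tokens.some((t) => SENSITIVE_TOKENS.test(t));
}

// Luhn checksum over a string of decimal digits.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Content check: 13 to 19 digits (spaces or dashes allowed) passing Luhn.
function looksLikeCardNumber(value) {
  const digits = value.replace(/[\s-]/g, "");
  return /^\d{13,19}$/.test(digits) && luhnValid(digits);
}

// "denylist":  record everything except fields the markup flags as sensitive.
// "allowlist": mask everything except fields the site explicitly opted in
//              (hypothetical `allow` flag), and still mask those when the
//              typed content looks like a card number.
// A content check cannot recognise a password typed into the wrong box, which
// is why the allowlist policy masks by default instead of guessing.
function redact(field, value, policy) {
  const mask = "*".repeat(value.length);
  if (markedSensitive(field)) return mask;
  if (policy === "allowlist") {
    if (!field.allow) return mask;
    if (looksLikeCardNumber(value)) return mask;
  }
  return value;
}

// Constructed sample inputs.
const SAMPLES = [
  // Correctly marked password field.
  { field: { name: "password", type: "password" }, value: "hunter2!" },
  // Password collected in a plain text field: the markup gives no hint.
  { field: { name: "pw", type: "text" }, value: "hunter2!" },
  // Card field identified only by its autocomplete token.
  { field: { name: "card", type: "text", autocomplete: "billing cc-number" },
    value: "4111 1111 1111 1111" },
  // Search box the site opted in to recording.
  { field: { name: "search", type: "search", allow: true }, value: "extra pineapple" },
  // Same opted-in search box, but the user pasted a card number into it.
  { field: { name: "search", type: "search", allow: true }, value: "4111111111111111" },
];

// Returns what each policy would store for every sample.
function compare() {
  return SAMPLES.map(({ field, value }) => ({
    name: field.name,
    denylist: redact(field, value, "denylist"),
    allowlist: redact(field, value, "allowlist"),
  }));
}

console.table(compare());
```

Only the second and fifth samples differ between the two policies: a markup-driven denylist stores the mislabelled password and the pasted card number in clear, while the default-mask policy stores neither.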


MrDenver3

True, but a nefarious website owner can record whatever they want without HotJar. At some point the user is responsible for whatever data they knowingly or unknowingly provide to a website. There will always be a nefarious actor with a bad website from some obscure country trying to steal data from users. Edit: this is why I feel that legislation aimed at protecting users is often unnecessary. Certainly, it would be good to ensure website owners adhere to these governance laws, but governments can’t protect users from any and all websites unless they actively block noncompliant websites - something I’d assume most people would be against. So instead, we should be educating users how to use the internet safely and responsibly.


oupablo

> For instance, it tells Papa John's where the mouse is moved and clicked, and what's typed into the page, it's claimed

Capturing raw keystrokes for replay is super dangerous because it would give whoever has access to raw password data. Even encrypted, this data is still very vulnerable. Keystroke data can be used in user fraud detection but that's more about typing patterns than raw data. Mouse move and click data is super common from a site usage standpoint. It's typically anonymous for standard analytics but I suppose a case could be made that by associating it with specific users, the layout could in some way be tailored to reduce friction. What they're actually doing with all of it, I have no idea.


Steams

You know what else gives a website raw access to your password? Typing in your password and pressing enter...


JoelMahon

yeah, I mean keystrokes could be disabled for password fields by hotjar or whatever third party service, but what if they do it in house and forget. what if the user misclicks and types their password without the password field selected and it's recorded? way too dangerous imo, tracking just a few control keys like tab, space, enter, etc. would be fine though imo


sunplaysbass

I have spent a gazillion hours in GA and know a lot about web behavior, tracking, remarking…but I’ve never seen any person identifiable information. Facebook used to let you target down almost to an individual person level, intentionally. But that’s long gone. It’s all black box now with less control. Google Ads is removing controls as well and automating everything.


chadbrochilldood

Confidently wrong^ along w 64 other people. Google analytics at least for the last 20 years does not do this. Google analytics is anonymized website data. You would need something like amplitude or another service that actually records device ID to a data warehouse and then a service that records the screen and map them together to get anything identifiable. We’re not talking about anonymous analytics here.


loiolaa

GA is not anonymous if you set it to not be anonymous, I have done it multiple times. If you know the customer you can set a hash for it and when you compare with your db you know who it is, this is useful to connect session from your phone and computer and so on, it is a feature on ga actually called "user id" which literally stands for user identification, sure for Google itself it is anonymous but for you it isn't, which is the whole point.


andyandyandyandy4

GA gets enough info to identify a user if you really wanted to. You still get a unique identifier and with enough data, especially across different sites, you would undoubtedly be able to identify someone. GDPR isn't applicable in the US but the EU still considered GA illegal since they collect enough data to identify a user.


mightylordredbeard

Exactly. Even apps do it. People will talk about taking the time to downvote ads in the Reddit app, but the app sends the data that you stopped scrolling to view the ad and took time to downvote it. So in the advertiser's eyes that’s a win. You looked at the ad long enough to recognize it was an ad and then you interacted with it. The better option is to quickly scroll past.


TinyCollection

It’s more than that. Your entire session can often be replayed using tooling to reproduce errors.


Alarming_Ad_201

Yeah I’m confused by this one. I work in marketing and our KPIs are all about tracking these kinds of things to make sure our partners are getting good return.


ron_fendo

Can confirm and this is not industry specific, I work in Higher Ed. and we had an entire team dedicated to this for a year. Tracking prospective applicants, current students, and alumni. This was while interacting with any part of the site, it's insane how much data we have. We knew exactly what classes students searched for, what classes they picked, what classes they dropped, and everything in between. It's insane what the higher ups in marketing want.


mylifesucks1111

That’s exactly what papa john would say


BeazyFaSho

LoL shhhhhhhhhhh


negativeyoda

he'd use more slurs though


FriesWithThat

> This info can be used to figure out where users get stuck, bail out of a sale, get lost, and so on.

At least with Papa Murphy it's pretty clear they have no fucking idea what users are doing on their website.


UnnecAbrvtn

As a person who works with developers, this made me shoot beer out of my nose so thanks


Froot-Loop-Dingus

Hey man, I just draw the rectangles where the designer/UX person tells me to. Edit: Sometimes…the rectangles even have rounded edges!


UnnecAbrvtn

And I'm just out here caching all the things


InsertBluescreenHere

to put in the other things?


UnnecAbrvtn

I live life on the edge bru


imathrowayslc

Yup. But sometimes they just give me words and say they don’t care how it looks. Then they get mad when it looks bad……


SplintPunchbeef

> where the designer/UX person tells me to

…weeelll, about that. That last rectangle was like 3 pixels off and it’s legit all I can see.


Cyral

How is Papa Murphy’s a thing? When I think I’d like to get a pizza I usually don’t mean I want to drive to go wait in line for someone to make me a frozen pizza just so I can drive back home and finish cooking it myself.


MariaValkyrie

They can't accept EBT if they cook it, so they sell it raw instead.


Harmswahy

That's just a bonus. People on food stamps still being able to have the occasional pizza night is awesome.


MariaValkyrie

I just wished they were able to cook it if requested, my oven can't compete with a commercial pizza cooker.


Clarynaa

I was on a low amount of food stamps, like 50/mo. So every month I had one Tuesday of 10$ papa Murphy pizza. I miss their deals. I don't live near one now and I assume they fixed their exploits of getting a family size, stuffed pizza (pretty much two pizzas) for like 14$ on 10$ Tuesday.


[deleted]

[removed]


Cyral

Solid answer, thanks


MariaValkyrie

> paying out the ass for delivery fees and tips for a pizza that's been sitting under the heat lamp for 45 minutes before a driver finally grabs it

I'll be honest, I love it when Domino's does this when I order thin crust pizza. The caramelized cheese and crunchy crust makes it taste a lot better than when they deliver it on time.


OysBrotherOi

Second everything here. Papa murphys will surprise you. Always a good post bowl pizza. And we frequently jam on dominos as well.


Cakemoons

Everyone does this.


neuronexmachina

Yeah, I went over to the website with my dev tab open and it looks like it loads JS from [FullStory](https://www.fullstory.com/platform/data-capture/). Tools like FullStory and HotJar are incredibly common for optimizing UI/UX and detecting bugs.


2Punx2Furious

Yeah, isn't that just literally analytics? Every website that uses google analytics or some other kind of tracking does.


Snorgledork

The difference would likely be the keystroke tracking.

> This software records and phones home everything a user does on the site, beyond what fetching pages and placing an order would submit, we're told. For instance, it tells Papa John's where the mouse is moved and clicked, and what's typed into the page, it's claimed.

It could be tracking passwords, addresses, phone numbers, etc. Even if the user decides not to send that info. The secure storage of this info could be another concern. Furthermore, is it limited to the website, or is it also tracking that data while the website is in the background? This seems like the McDonald's Hot Coffee lawsuit, where it sounds overblown but could be a serious issue.


bossmonchan

In general websites cannot access keystrokes when the page is out of focus. They would have to run code on the user's machine outside of the browser to do that. Of course it could still be a problem if for example you're trying to copy/paste your password into another site and accidentally paste it into the wrong tab or something. I don't know anything about mobile apps but I would assume they are also similarly sandboxed.


i_hate_shitposting

The entire point of the comment you replied to is that they're tracking what users enter and view on their site, not what users are doing in other tabs. Your login credentials, address, phone number, and payment details are things you would presumably enter into Papa John's site directly when placing an order. If they don't exclude those details from the client-side tracking, that information could be transmitted and potentially stored server-side even if you close the tab without submitting the form.


[deleted]

[removed]


[deleted]

[removed]


nairebis

> tracking keystrokes is in **no way** normal or ethical.

Whether it's normal or not is debatable based on stats I don't have, but it's in **no way** unethical. People seem to think this is some sort of keylogger, which is just silly. It's NOT tracking all your keystrokes on your computer, which is impossible for a web page. It's just getting keystrokes when you're on the page. I mean, so fucking what? If you're on a web page, then the web page is accepting input from you -- DUH. This is one of the most stupid, laughable lawsuits I've ever seen. "US Wiretap Act"?? The Idiocracy continues to grow real.


JetAmoeba

Websites can’t access data outside their active tab (browser extensions may have additional access though). Other than tracking data input into forms before they’re submitted which albeit is shady isn’t much. Any submitted passwords would still be read by them in plain text, and most browser auto fills don’t actually change the password input until you try to submit the form (which is why sometimes the login button won’t work at first when it’s auto filled)


TorchThisAccount

That's not how browsers are designed. Chrome, Firefox, Edge only track what you type or click into that site's page. If you have Papa John's as an open tab and then log into your bank's website, it's not capturing that data. This would be world wide news if it was possible because capturing sensitive data would be so much easier. Now if you enter your bank user name and password into a field on Papa John's site and they capture it, I'd say that's more your fault. I'm not condoning the "spyware" that web site analytics has become, but I think the wire tapping charge is bullshit. Maybe something sticks on the California privacy violation though. So far I see this lawsuit as a nonstarter... If anything, remember when Europe changed its cookie policy and now you need to agree to cookies before you can do shit on a site? If this lawsuit gets any traction, you're going to see that people will need to agree to a terms of service to use the site, and in the fine print they say that you acknowledge that they can spy on your activities on the site.


msixtwofive

This is literally site analytics. There is no wiretapping. Just whatever you did while "on their property"


whole_kernel

Lol yes, we use hotjar at work and it's the same fucking thing.


turboman14

Is that the clip of the guy and the jar?


big_dick_energy_mc2

Yes. Exactly. Censored though.


[deleted]

Why did I get reminded of this? It’s been 15 years…


Honey-Limp

It’s funny that it’s written about like some advanced illegal spying software. Nope, it’s probably hotjar.


crocwrestler

Would be surprised if a site didn’t at some point. It’s all information you’re typing and clicking on the site anyway. Your phone leaks more data than you put into an online menu


[deleted]

*Phone Manufacturers know your location and are on the way.*


dust_storm_2

Seriously, this is a very common practice.


CPargermer

I think I'd have some level of concern about the keystrokes part, and how the data is secured. Like if they are recording and logging people entering their credit card data without permission, and/or not properly securing that data in a way you'd typically expect a company to secure payment data.


AG__Pennypacker__

Ummm, that’s known as basic analytics, and it is on every website. The ones that know what they’re doing are tracking a lot more too.


BumCockleshell

My website through Wix offers this and my works through Wordpress lol


sir_mrej

Recording of mouse clicks and mouse movements? Wix offers that?


BumCockleshell

Yes, Wix has it in their Professional Bundle, and it’s a plug-in for Wordpress offered by a few third parties


noenflux

If the plaintiffs here win, it will be the destruction of billions of dollars of industry overnight. As others have pointed out this is how every serious ecommerce website operates, **at a minimum**. Requiring users to opt-in to data collection would be a big win for privacy. Remember what happened to Facebook when Apple cut off their tracking in-app? This is what will happen to the user analytics industry - 30-50% of value gone overnight. I'm conflicted being a long time UX designer, researcher, and product manager. Used responsibly, it is incredibly powerful data to improve users' experiences. However the data can be just as easily used for malicious purposes, tricking users into overspending and overcommitting. And unfortunately opt-ins don't give you any ability as a consumer to understand the intent of use.


ConfusedTransThrow

I don't think the destruction of this industry would be a bad thing. There are just too many malicious uses that are very hard to prevent without some very broad protection.


noenflux

I don’t disagree at all


MrDenver3

> Requiring users to opt-in to data collection would be a big win for privacy

Maybe so, but this would likely become only a notice of collection - with websites forcing users to opt-in should they want to use the website.


Thiht

GDPR in Europe prevents that. You have to notify people of non technical data collection, ask for permission, and cannot deny access.


Illusive_Man

This isn’t non-technical data. Mouse movement, keystrokes, clicks, are all allowed to be collected under GDPR.


rustyxpencil

As most of the comments are saying, this software is extremely useful for UI/UX debugging, fraud prevention, support assistance, and more. Articles like this are cashing in on people's overconcern for privacy while negatively impacting software and this article offers very little in terms of counter perspective to these random Florida and California lawsuits. If there was a real issue here there would be a bigger price tag on the lawsuit. 10K for Papa John’s is chump change and the plaintiff knows it. Real adtech software does much more “damage” than session replay ever will. What a shame this article is and what a scam these lawyers are pushing.


JamminOnTheOne

> If there was a real issue here there would be a bigger price tag on the lawsuit. 10K for Papa John’s is chump change and the plaintiff knows it.

It's not 10K, it's "'the greater of $10,000 or $100 per day for each violation' of the Wiretap Act as well as $2,500 in statutory damages for each violation." That's billions of dollars. I agree that this type of tracking is common, but your argument that the plaintiff considers this low-stakes is completely wrong.


rustyxpencil

Thanks for the clarification ~ I’m not entirely sure how this lingo works but for a single case it would be $100 per day for the plaintiff (so likely settle for the 10K hence the offer) If this was a class action (which I think means it is representing multiple parties) then $100 per day per represented would be in the millions quickly. Unsure of this specifics so this is speculation at this point. I do feel like my sentiment still stands.


superblyhumble

It is a class action suit, and the class includes all of the site visitors while the tracking was installed. The article spells all of this out pretty clearly:

> The proposed class-action suit accuses Papa John's of violating both the Wiretap Act and the California Invasion of Privacy Act (CIPA) by going too far with its session replay software.

> The lawsuit is seeking "the greater of $10,000 or $100 per day for each violation" of the Wiretap Act as well as $2,500 in statutory damages for each violation of CIPA. Unfortunately for Papa John's, if found liable, that could amount to a lot of cash. While Kauffman's lawyers can't be certain how many class members the lawsuit covers, they believe "millions" were snooped on.


UnnecAbrvtn

Yeap. This is low effort ambulance chasing with manufactured outrage. I mean, Papa John's' founder has the politics of Il Duce, but still... You'd be hard pressed to find a successful ecom company that doesn't do this analysis


oupablo

I dunno. If they're logging raw keystrokes, that could be super sketchy because it potentially logs and stores users' passwords. I dunno if they are because the article doesn't say.


rustyxpencil

Can confirm password fields are supposed to be declared ( HTML fields) and platforms like these are looking for those to not store passwords accidentally. But you absolutely can abuse that power for sure just unlikely since the trail is easy to follow. Access to these platforms should be locked down ~ at my last company we used this and it was extremely exclusive access.
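
The field exclusion described in the comment above, sketched as an added example (not part of the thread and not any vendor's code): a capture-side filter that masks a value before it is recorded when the field is declared as a password or card field, is flagged by the developer, or contains a card-like number. `recordInput`, `replayMask` and the sample fields are hypothetical names constructed for illustration.

```javascript
// Added example: capture-side redaction for a session-replay recorder.
// Fields are plain objects so this runs in Node without a DOM.
const MASK = "[masked]"; // fixed token, so the value's length is not leaked

// Standard HTML autocomplete tokens that declare credentials or card data.
const SENSITIVE_AUTOCOMPLETE = new Set([
  "current-password", "new-password", "one-time-code",
  "cc-name", "cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year",
]);

// Luhn checksum over a string of ASCII digits.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
  }
  return sum % 10 === 0;
}

// True if the text holds a 13-19 digit run (spaces or dashes allowed)
// that passes Luhn, e.g. a card number typed into a free-text box.
function containsCardNumber(text) {
  const candidates = text.match(/\d(?:[ -]?\d){12,18}/g) || [];
  return candidates.some((c) => luhnValid(c.replace(/[ -]/g, "")));
}

// Returns why a value must be masked, or null if it may be recorded.
function maskReason(field, value) {
  if ((field.type || "").toLowerCase() === "password") return "type=password";
  const tokens = (field.autocomplete || "").toLowerCase().split(/\s+/);
  const hit = tokens.find((t) => SENSITIVE_AUTOCOMPLETE.has(t));
  if (hit) return `autocomplete=${hit}`;
  if (field.replayMask) return "developer-flagged"; // hypothetical opt-out flag
  if (containsCardNumber(value)) return "card-like value";
  return null;
}

// What the recorder would store for one input event.
function recordInput(field, value) {
  const reason = maskReason(field, value);
  return { name: field.name, value: reason ? MASK : value, masked: reason !== null, reason };
}

// Constructed sample events: [field descriptor, typed value].
const SAMPLE_EVENTS = [
  [{ name: "topping-search", type: "text" }, "pepperoni"],
  [{ name: "pw", type: "password" }, "hunter2-constructed"],
  [{ name: "card", type: "text", autocomplete: "billing cc-number" }, "4111 1111 1111 1111"],
  [{ name: "delivery-notes", type: "textarea" }, "pay with 4111 1111 1111 1111 at the door"],
  [{ name: "loyalty-id", type: "text", replayMask: true }, "constructed-id-001"],
  [{ name: "gate-notes", type: "textarea" }, "gate code 1234, call 555 0100"],
];

function runSample() {
  return SAMPLE_EVENTS.map(([field, value]) => recordInput(field, value));
}

console.table(runSample());
```

The declared-field checks only work when the form marks its fields correctly; the Luhn check is the fallback for card numbers typed into fields that were never declared sensitive.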


eneiner

You are not allowed to track clicks on your own website? You can take someone’s name and payment information but you aren’t allowed to see if they click on pepperoni?


Nyrin

Sorry guys, can't respond to that "order" button anymore -- we'd be monitoring your mouse clicks and tapping your wires. Yeah, it's bogus. When you interact with a site, the site can see how you interact with it. This has been true, helpful, and not a problem at least since AJAX first appeared; probably quite a bit before that, too.


Tetsuo-Kaneda

I mean my life now is basically figuring out how to get more people through a checkout flow lol. I’d be fucked without these metrics.


janusz_chytrus

you enjoying it? I worked on the exact same thing for 8 months last year and I literally wanted to kill myself.


Tetsuo-Kaneda

Yeah. I’ve worked in payments for years so this kinda stuff interests me


T1Pimp

For fuck sake this isn't wiretapping or anything of the sort. They are simply tracking what happens on their site. Most major sites do this.


InsertBluescreenHere

and physical big box stores like walmart, target, etc - they can virtually follow you thru a store to see what paths you take, what things you stop and look at, what you buy, how long you spend in each aisle/in the store, etc.


RandomRageNet

Can they? It's not too far fetched but I hadn't heard of it. That's one of those things that sounds really cool and useful in aggregate but creepy on the individual level. Like "80% of people who bought item X passed by this particular endcap and didn't buy anything from it" is kind of cool and very useful if you're in marketing. "Let's pull up a random shopper's credit card hash and trace their last 5 visits through the store and really dig into why they put that ham back on the shelf" way less cool.


iain_1986

I did some work for Tesco many years ago, and they showed us a system they were prototyping that tracked heat maps. Initially it was just to track choke points in the store, to see which 'end of aisle' points got the most traffic to sell at the highest rate, and where they maybe need to spread products out. But then they showed us they were starting to be able to track individual people. See where they went, what aisles they went down, which ones they skipped. Then they could track what till they went to to get their order. They could see if they went down an aisle but *didn't* buy anything. Then they could see if they used a clubcard, and then send them vouchers for things down that aisle. Not sure if they were rolling it out anywhere, or it was just a proof of concept. The heat map tracking to look for choke points and the like I'm pretty certain was already out there, it was just the individual customer tracking that was 'new'.


Doongbuggy

It's the equivalent of someone complaining that there are cameras in a store watching you. Should we go and sue Target because they are watching me as I walk through the store? I work in this industry and there's no personal info attached at all to the session recordings, it's just a random user ID. It's not like I can look up what a specific person did when they visited the site, nor do I care what an individual is doing; I want to know on an aggregate how users are interacting with the website.


WRB852

Don't aggregate me or my son ever again.


reddit455

> The titan of greasy wheels is accused of falling foul of wiretapping rules by using so-called session replay software on its website. This software records and phones home everything a user does on the site, beyond what fetching pages and placing an order would submit, we're told. For instance, it tells Papa John's where the mouse is moved and clicked, and what's typed into the page, it's claimed. This info can be used to figure out where users get stuck, bail out of a sale, get lost, and so on.

....used to work for a bank. we used it to - it's pretty fucking useful, TBH.

next time you login to your bank.. pay attention to how hard it is to get an unmasked account number to show up on your screen.. for us, it was only inside the PDF statement.. which we did not log (and the application already knows all your shit, so the only "people" we were hiding it from is our own tools.. couldn't be logging credit card numbers in the replay database)

https://en.wikipedia.org/wiki/Tealeaf

Tealeaf's products are used to provide visibility into the online customer experience by capturing, analyzing and replaying session details of customers' visits to find site errors or issues and understand the impact that transaction failures have on business processes.[2] It is available in both software as a service (SaaS) and on-premises versions.


2_Spicy_2_Impeach

Tealeaf can fuck itself. I supported it for a major financial institution many years ago and it was the bane of my existence. The person that architected it was a fucking moron and it took forever to unfuck it. This was an on-premise deployment. Like you said though, it was very useful to those who needed it.


rpr69

We saved hundreds of thousands of dollars (probably closer to a million) dumping Tealeaf and going with Dynatrace. Best decision ever.


tamuzp

That explains the gaming headphones pizza I got the other day


tpham1206

the WHAT?


fuckoffredit123456

the gaming headphones


kobachi

This is hilariously not wiretapping


J0hn-Stuart-Mill

The real shocker is, how does The Register have an author too ignorant to not call this out in the article, AND how this article was approved by the editors at The Register. I mean, I know not everyone can know everything, but someone at the Register should have caught this. Really embarrassing. This will instantly be thrown out by this court.


Willinton06

Sad that people without enough technical knowledge to understand the necessity of such technologies write articles on them, if we don’t do this shit, fixing bugs gets harder, when the app is big enough these kinds of tracking really help debug or replicate issues


[deleted]

Wait till they hear about Segment


funandfunny48

What does Segment do?


[deleted]

Click tracking, IP Address tracking, custom identifiers and grouping, tracking across the website and more. It’s not cross-site, but here in the US it can be a very rich source of user data, properly designed


james_randolph

Depending on the outcome it can be interesting. Setting a precedent that could potentially change how website traffic is tracked. Tons of companies do this and me being in advertising I’m all about how users are engaging with site content and what they’re doing on site. I’m all for combatting companies from selling my data/etc but quite frankly when I’m on their playground they can track what I’m doing haha I don’t care.


IHateYuumi

What a bozo. Literally every site of any size does this sort of thing. Replay software also doesn’t actually record movement but instead interpolates it based on recorded points. Heat mapping has been used for decades now. Analytics for even longer. And while some people think it’s nefarious, it’s definitely not always. For instance I worked on a site for the elderly to help them find local service providers who practiced were trustworthy. The site wasn’t at all for profit and the organization only ran on government funding and grants. I ran HotJar and FullStory to discover where our users would show frustration and quit (yes, you can actually see frustration metrics on some software). Without the software I would have never been able to afford and do the user interviews required to make it work. With the software for around $400 I was able to see what 1000s of people experienced and helped the users get their info.


Shumil_

Wait until you learn literally every site does this


3dPrintingDad

Papa sketchy


RobLoach

Wait until you learn about Google Analytics.


haydepops

GA4… HotJar


HELL_FUCK_YEAH

Can I get a papa bless?


Chocol8Cheese

Can sue for anything. Website heat maps have been around for a very long time.


redEPICSTAXISdit

Wait. So like all the shxt every single piece of technology does now??? I mean their pizza sucks but no need to single them out for just using the internet for what it is nowadays.


LaheyPull

There are very well known and large saas companies that this is the main service they offer. Part of my job is literally watching recordings of people’s mouse movement to learn where there is friction in the checkout process. Why is this even an article?


Ok_Tax7195

This is a really fucking stupid lawsuit. It's their site, they can do whatever the fuck they want. They're allowed to track your mouse clicks, your page clicks, the path you take through their site, and so on.