The Privacy Risks of Session Recording Tools

Session Recording Tools

Session recording tools are wildly popular today. There should be no doubt about the allure and potential business benefits of utilizing session recording tools to help website operators, marketers, and UX/UI professionals see how users interact with their websites.

For anyone looking for an in-depth review of the uses and benefits of session recorders, this Hotjar post covers a good amount of ground: The Complete Guide to Session Recordings. But if the benefits are clear, the privacy and cybersecurity concerns are less so. Let’s take a closer look at the problems session recorders might pose and the impact they can have on your business and brand trust.

They cast a wide net

For a privacy professional looking at these tools, the first concern is that they collect everything a user does on the site. Since “only collect what you need for your purpose” is a fundamental principle of privacy (enshrined in regulation), site owners using these tools could fall out of compliance from the start.

At a minimum, you should use the configuration options to avoid capturing data elements you don’t need and have written justifications available for why you need everything else (in GDPR jurisdiction, you may need a DPA). Your privacy statements and consents need to communicate how much data you’re tracking and what you’re doing with it and identify all third parties (more about this below) receiving user data as part of the process. While large providers have the option to anonymize IP addresses, which is helpful because they’re often direct identifiers, those may not be the only identifiers that should concern you.

They record sensitive information

Even worse, some of the information users enter into forms – captured keystroke by keystroke by these tools – may be sensitive personal data by law. Under the GDPR, the upcoming CA CPRA, and the new VA CDPA, sensitive personal information requires more specific consent (as well as opt-in under the VA CDPA).

And suppose users of your site enter specifically regulated data types, like financial or health information, into those forms. In that case, you have an even bigger problem: you may have just brought the data your UI/UX team uses for website evaluation under the scope of something like GLBA or HIPAA. These regulations require you to meet standards around access controls, storage, and more and create large regulatory risks if the data gets out. While the storage of this data will always be a risk if it includes any personal information, having the data regulated under HIPAA, for example, significantly raises the stakes.

Session recording tools allow keystroke logging

Some, if not all, session recorders allow you to disable keystroke logging, and it would be wise to do so if you don’t have a specific need. Many even do it by default for website visitors who fall under the GDPR (Mouseflow, for example), but remember, those may not be the only visitors who can enter something problematic in a form.
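The two minimization controls discussed above (turning off keystroke capture, and limiting what the remaining events carry, including the IP address) can be expressed as a single scrubbing pass over the recorder's event stream. The block below is an added example in plain JavaScript, not code from this post or from Hotjar, Mouseflow or any other vendor; it assumes a generic event shape `{type, field, value, ip}`, a hypothetical allowlist `ALLOWED_VALUE_FIELDS`, and a constructed sample of events, all labelled in the comments. Beyond the post's field-level advice, it adds a content-based backstop (a Luhn check) so a card number typed into an otherwise allowed field is still masked.

```javascript
// Added example, not code from the post or from any recorder vendor. It assumes
// a generic event shape {type, field, value, ip} (constructed below) sitting
// between the recorder and its upload, and applies the minimization decisions
// the post recommends: drop keystrokes unless explicitly enabled, keep field
// values only for an allowlist of fields, scrub anything that looks like a
// card number even inside allowed fields, and truncate the IP address.

// Hypothetical allowlist: the only fields whose typed values are worth keeping
// for UX analysis. Every other field value is masked by default.
const ALLOWED_VALUE_FIELDS = new Set(['search']);

// Constructed sample events, not real traffic.
const SAMPLE_EVENTS = [
  { type: 'click', target: '#checkout-button', ip: '203.0.113.42' },
  { type: 'keystroke', field: 'search', value: 'running shoes', ip: '203.0.113.42' },
  { type: 'keystroke', field: 'card_number', value: '4111111111111111', ip: '203.0.113.42' },
  { type: 'input', field: 'diagnosis', value: 'type 2 diabetes', ip: '203.0.113.42' },
  { type: 'input', field: 'search', value: '4111 1111 1111 1111', ip: '203.0.113.42' },
  { type: 'input', field: 'email', value: 'user@example.com', ip: '2001:db8::1' },
];

// Luhn checksum, used as a content-based backstop for payment card numbers.
function passesLuhn(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = Number(digits[i]);
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// 13 to 19 digits (spaces and dashes ignored) with a valid Luhn checksum.
function looksLikeCardNumber(value) {
  const digits = String(value).replace(/[\s-]/g, '');
  return /^\d{13,19}$/.test(digits) && passesLuhn(digits);
}

// Truncate the address so it stops being a direct identifier: zero the last
// octet for IPv4, keep only the first three hextets for IPv6.
function anonymizeIp(ip) {
  if (typeof ip !== 'string') return undefined;
  if (ip.includes('.')) {
    const o = ip.split('.');
    return `${o[0]}.${o[1]}.${o[2]}.0`;
  }
  const hextets = ip.split('::')[0].split(':').slice(0, 3);
  while (hextets.length < 3) hextets.push('0');
  return `${hextets.join(':')}::`;
}

// Returns the scrubbed event, or null when the event must not be recorded at all.
function redactEvent(event, options = {}) {
  const keepKeystrokes = options.keystrokes === true;
  if (event.type === 'keystroke' && !keepKeystrokes) return null;
  const out = { ...event, ip: anonymizeIp(event.ip) };
  if ('value' in out) {
    const allowed = ALLOWED_VALUE_FIELDS.has(event.field);
    if (!allowed || looksLikeCardNumber(event.value)) out.value = '[REDACTED]';
  }
  return out;
}

// Scrub a whole session; keystroke events disappear unless options.keystrokes is true.
function redactSession(events, options = {}) {
  return events.map((e) => redactEvent(e, options)).filter((e) => e !== null);
}

console.log(JSON.stringify(redactSession(SAMPLE_EVENTS), null, 2));
```

With the default options the two keystroke events are dropped outright, the diagnosis and e-mail values are masked because their fields are not allowlisted, and the card number typed into the allowed search box is masked by the Luhn backstop. The allowlist-by-default shape is deliberate: it is the configuration equivalent of "only collect what you need", whereas a denylist of sensitive field names would miss any field you forgot to name.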

Third-party concerns

This brings us to another key topic: these tools are owned and operated by third parties, who generally handle the analytics in their environments, so the data will have to be in their hands. Whenever you work with any third party, you need to make sure the legal contracts cover any applicable regulatory requirements. The simplest way to mess up here is by allowing GDPR-scoped personal data to travel outside the EEA; this is an area where most vendors are aware and can help you comply. But it’s not the only area of concern.

Even though providers in this arena are aware of GDPR and CCPA, you still need to know what they’re committing to do and what remains on your plate. While they are used to functioning as GDPR processors, have DPOs, and exclude things like the IP address for you, you still own most compliance tasks.

Controlling your vendors

It’s your job to ensure that you don’t send your third-party application vendors anything you shouldn’t. If you fail, the consequences will fall on you, not them.

Of course, the other issue with third parties is that they dramatically extend your attack surface. First, if they have copies of your data, those copies can be compromised on third-party sites. Second, and more likely to cause issues these days, they require you to install third-party code on your website, with all the risks of compromise and lack of visibility that entails and that we’ve discussed elsewhere. If they’re compromised, or a party they use is, so are you.

Minimizing your attack surface

To summarize: while session replay tools are valuable, they raise many privacy concerns that website owners need to consider. Chief among those are:

  • Ensuring that privacy notices and user consents adequately cover the use of these tools
  • Making sure you aren’t collecting more than you need for UX/marketing purposes
  • Excluding sensitive personal data from collection or providing appropriate consents
  • Determining whether the personal data being collected fall under sector-specific regulations such as HIPAA or GLBA (and deciding whether these tools should receive that data at all)
  • Knowing who the third parties are, what they’re getting, and whether this transfer is appropriate under GDPR (or other applicable laws with trans-border data flow restrictions)
  • Assessing and controlling the risks of storage and use of this data
  • Making sure you fully understand and can manage what they are getting

You need a privacy improvement plan

We’ve written about the need for website operators, privacy pros, and security teams to work on taking back control of their websites from a privacy perspective. Figuring out if and how you are using session recording tools on your website should be one of the first areas of focus. The most important thing is to fully understand where these tools are operating within your environment and what data they are capturing. Lokker provides this clarity for you.

While our solution can’t make decisions for you about what you allow the tools to see, we can help you enforce the decisions you make. For example, you may want to exclude specific applications entirely from pages where users enter health or financial information and make sure they don’t creep back on those pages.
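Both the attack-surface point made earlier (third-party code on your pages, and the parties it in turn loads) and the page-level exclusion just described can be checked mechanically from an inventory of which scripts load on which pages. The block below is an added example in JavaScript, not Lokker product code and not any vendor's; it assumes a hypothetical `POLICY` (contracted recorder hosts, an allowlist of known third-party hosts, and the path patterns of pages where users enter health or financial data) and a constructed `INVENTORY` of observed script loads. It flags unknown third-party hosts and any recorder on a sensitive page, and derives the Content-Security-Policy `script-src` directive that would keep the recorder off those pages in the browser itself.

```javascript
// Added example, not Lokker's or any vendor's code. In a browser the inventory
// would be read from document.scripts or a PerformanceObserver; here it is a
// constructed array so the check runs in Node.

// Hypothetical policy. recorderHosts are the session-replay vendors the site
// has contracted; allowedHosts is every third-party host the site knowingly loads.
const POLICY = {
  recorderHosts: ['replay.example-vendor.test'],
  allowedHosts: ['cdn.example-shop.test', 'replay.example-vendor.test'],
  // Pages where users enter health or financial data: no recorder may load here.
  sensitivePaths: [/^\/checkout/, /^\/patient\//],
};

// Constructed inventory of script loads, as a crawler or the page itself might report it.
const INVENTORY = [
  { page: '/', src: 'https://cdn.example-shop.test/app.js' },
  { page: '/', src: 'https://replay.example-vendor.test/record.js' },
  { page: '/checkout/payment', src: 'https://replay.example-vendor.test/record.js' },
  { page: '/patient/intake', src: 'https://cdn.example-shop.test/app.js' },
  { page: '/patient/intake', src: 'https://static.unknown-tag.test/pixel.js' },
  { page: '/about', src: '/local/analytics.js' },
];

// Resolve a script src (possibly relative) against the first-party origin.
function hostOf(src, firstPartyHost) {
  return new URL(src, `https://${firstPartyHost}`).hostname;
}

function isSensitive(page, policy) {
  return policy.sensitivePaths.some((re) => re.test(page));
}

// Walk the inventory and return one finding per policy violation:
//   unknown-third-party        a host that is not on the allowlist
//   recorder-on-sensitive-page a contracted recorder loading where it is excluded
function checkInventory(inventory, policy, firstPartyHost = 'www.example-shop.test') {
  const findings = [];
  for (const { page, src } of inventory) {
    const host = hostOf(src, firstPartyHost);
    if (host === firstPartyHost) continue; // first-party code is out of scope here
    if (!policy.allowedHosts.includes(host)) {
      findings.push({ page, host, issue: 'unknown-third-party' });
    }
    if (policy.recorderHosts.includes(host) && isSensitive(page, policy)) {
      findings.push({ page, host, issue: 'recorder-on-sensitive-page' });
    }
  }
  return findings;
}

// Derive the CSP script-src directive for a page: allowed hosts, minus the
// recorders when the page is sensitive, so the browser enforces the exclusion.
function scriptSrcFor(page, policy) {
  const sensitive = isSensitive(page, policy);
  const hosts = policy.allowedHosts.filter(
    (h) => !(sensitive && policy.recorderHosts.includes(h)),
  );
  return `script-src 'self' ${hosts.map((h) => `https://${h}`).join(' ')}`;
}

console.log(checkInventory(INVENTORY, POLICY));
console.log(scriptSrcFor('/checkout/payment', POLICY));
```

Run against the constructed inventory it reports exactly two findings: the recorder loading on `/checkout/payment`, and an unlisted tag on `/patient/intake`. The inventory check is the detective control; the generated `script-src` directive is the preventive one, since a script the browser refuses to load cannot creep back through a tag manager or a vendor-side change.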

Lokker Privacy Automation Platform

Lokker can tell you if any session recording tools reappear or become compromised. It should go without saying that the consequences of a data leak can be enormous. Using Lokker in proxy mode will immediately notify you of any change that gives session capture tools unwarranted data access (and can even automatically block the data flow).


Author:
J.D., CISSP, CIPM, CIPP/E, FIP. Expertise in law, technology, information security, data privacy, healthcare analytics, and healthcare. Develops privacy and security programs; collaborates across the company to deliver creative solutions while ensuring the privacy and security of data. Passionate about creating a culture where all employees understand the importance of handling data correctly, recognize and speak up about potential issues, and are actively engaged in the process. Experience with Privacy Regulations (HIPAA, GDPR, CCPA etc.), Formal Certifications (ISO, SOC, HITECH, EHNAC), and De-Identification of Data.