by _noqo 2692 days ago
And when will browsers protect users against activity recording without consent?

For example Hotjar [1]: I did a review [2] of the product a year ago and could not believe the creepy surveillance level of this tool.

For me, manually disabling JS or installing content blockers will not get mainstream appeal for regular users who just want to browse the web (and don't know that they may be being recorded).

This should be blocked by default on every browser.

[1] https://hotjar.com

[2] https://www.youtube.com/watch?v=FDgybTvnhjY


It's hardly new. Back in 2008, I worked for a company that used Tealeaf, a proxy that intercepted all web traffic before it even hit the load balancer, to record every click and request. It was used by the help desk and, when they couldn't figure it out, the Tealeaf session and player were forwarded to the devs. (This was a company under HIPAA, so a bunch of that data was related to personal health records.)

In 2012, I worked at a university with analytics tools that showed a color map indicating the average scroll speed for pages on our website and heat maps indicating how long different users hovered over a section.

This stuff has been around for a long long time.

> the average scroll speed for pages on our website and heat maps indicating how long different users hovered over a section.

Optimizely has all of this stuff (sampled), but the fact that they can 'sample' something means they have the full data.

It's creepy indeed. Not only do they collect all your actions (key presses included) but I believe they also send the activity to their servers via HTTP, rendering the SSL on the page that includes their script useless.
If it's an HTTPS page, wouldn't that be blocked due to mixed content though? Or are HTTP requests from an HTTPS-loaded script allowed?
Modern browsers should block all backend/javascript HTTP communication if the main request is made over HTTPS, unless you specifically disable it with a Content Security Policy.
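The mixed-content question raised in the two comments above can be answered by modelling what the browser actually does. The block below is an added example, not code from this thread or from Hotjar: it is a simplified version of the W3C Mixed Content rules (what counts as "blockable" versus "optionally blockable", and what the `upgrade-insecure-requests` and `block-all-mixed-content` CSP directives change). The page URL, collector host and scenarios are constructed sample values; loopback hosts are treated as trustworthy as the spec does, and the `file:` and other corner cases are left out.

```javascript
// Added example, not code from the thread or from Hotjar: a simplified model of
// the browser mixed-content rules, enough to answer "can a script loaded on an
// HTTPS page make a plain-HTTP request?". All URLs below are constructed samples.

// Destinations the Mixed Content spec treats as "optionally blockable" (loaded,
// but flagged in the UI): images, audio and video. Everything else (fetch/XHR,
// beacon, script, WebSocket, iframe, ...) is "blockable" and refused outright.
const OPTIONALLY_BLOCKABLE = new Set(["image", "audio", "video"]);

// Approximation of the spec's "potentially trustworthy URL" check: a secure
// scheme, or a loopback host. (file: and other special cases are omitted.)
function isPotentiallyTrustworthy(url) {
  if (url.protocol === "https:" || url.protocol === "wss:") return true;
  const host = url.hostname;
  return host === "localhost" || host === "127.0.0.1" || host === "[::1]";
}

// Classify one sub-resource request issued from a page. Only the document's
// origin matters; where the requesting script itself was loaded from does not.
function classifyRequest(pageUrl, requestUrl, destination) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  if (!isPotentiallyTrustworthy(page)) return "none"; // plain-HTTP page: nothing to protect
  if (isPotentiallyTrustworthy(req)) return "none";
  return OPTIONALLY_BLOCKABLE.has(destination) ? "optionally-blockable" : "blockable";
}

// What `Content-Security-Policy: upgrade-insecure-requests` does before the
// request is sent: http: -> https: and ws: -> wss:, explicit ports kept.
function upgradeInsecureRequest(requestUrl) {
  const u = new URL(requestUrl);
  if (u.protocol === "http:") u.protocol = "https:";
  else if (u.protocol === "ws:") u.protocol = "wss:";
  return u.href;
}

// Decide whether the browser lets a request through, given the page's CSP.
// Note that CSP can only tighten mixed-content handling; it cannot re-enable
// blockable mixed content. Returns { allowed, url, reason }.
function decide(pageUrl, requestUrl, destination, csp = "") {
  let url = requestUrl;
  if (/\bupgrade-insecure-requests\b/.test(csp)) url = upgradeInsecureRequest(url);
  const cls = classifyRequest(pageUrl, url, destination);
  if (cls === "blockable") return { allowed: false, url, reason: "blockable mixed content" };
  if (cls === "optionally-blockable") {
    if (/\bblock-all-mixed-content\b/.test(csp)) {
      return { allowed: false, url, reason: "optionally-blockable, refused by CSP" };
    }
    return { allowed: true, url, reason: "optionally-blockable, loaded with a warning" };
  }
  return { allowed: true, url, reason: "not mixed content" };
}

// Constructed scenarios: a session-recording script on an HTTPS page trying to
// ship captured events to a collector in several ways. Hostnames are made up.
const PAGE = "https://shop.example/checkout";
const SCENARIOS = [
  { name: "fetch/XHR to http collector", url: "http://collector.example/record", dest: "fetch" },
  { name: "tracking pixel over http", url: "http://collector.example/pixel.gif", dest: "image" },
  { name: "ws:// event stream", url: "ws://collector.example/events", dest: "websocket" },
  { name: "https collector", url: "https://collector.example/record", dest: "fetch" },
];

function runScenarios(csp = "") {
  return SCENARIOS.map((s) => ({ name: s.name, ...decide(PAGE, s.url, s.dest, csp) }));
}

for (const csp of ["", "upgrade-insecure-requests", "block-all-mixed-content"]) {
  console.log(`CSP: "${csp || "(none)"}"`);
  for (const r of runScenarios(csp)) {
    console.log(`  ${r.allowed ? "ALLOW" : "BLOCK"}  ${r.name} -> ${r.url} (${r.reason})`);
  }
}
```

Two caveats a practitioner would check: the model says nothing about what the script collects, only about the transport, and current browsers have moved further than the spec text modelled here (Chrome and Firefox now auto-upgrade optionally blockable images to HTTPS and drop them if that fails, rather than loading them with a warning).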
Better to just disable javascript altogether. Sure, there's no dynamic loading of garbage, but I didn't want that anyway. If your back-end server can't render HTML then you need to build an app.

At least with native desktop apps I can put that garbage into a VM or container. Load whatever you want. I can then apply my own firewall/containerization/VM rules.

According to their documentation it is sent over HTTPS.

https://help.hotjar.com/hc/en-us/articles/115011639887-Data-...