FullStory: Merchants of Death

In the war on privacy, meet the weapons dealers.

Nick Gard
Feb 7, 2019

We are generally used to (though not happy with) the idea that most of what we do online is monitored. Every page we visit, every button we click, everything we purchase gets logged and cross-referenced by the omnipotent corporations that sponsor our free web browsing and shopping experiences.

For companies with a lot of technical expertise, doing this work (often called analytics) to better target ads and products to their users is kept in-house. For other companies, there is no shortage of off-the-shelf analytics and tracking software they can use. Everyone wants to control their street corner, beating out the competition with better content or more relevant products, and taking home a bigger slice of the ad and e-commerce pie.

When website owners turn to the purveyors of analytics tools, they often unknowingly contribute to a growing internet-wide hegemony. While marketing their wares as tools to help websites improve, these analytics companies also secure more data to help themselves improve. Amazon notoriously used its offerings of marketplace analytics to build rival products and market them better than the original sellers. Google looks at all the data Google Analytics provides for its clients, often using it to power DoubleClick and their omnipresent, voyeuristic ads.

These passive recorders of activity are nothing compared to FullStory, though. If Omniture and Google Analytics are selling sleek assault rifles, then FullStory is selling nuclear warheads. Sinking to a new low, FullStory actively monitors not only which decisive actions users take (button clicks, navigation) but all activity on the browser. Every 200 milliseconds, FullStory is logging mouse movements, touch interactions, keystrokes, IP addresses, and network traffic and conditions. Using the exabytes of data they gather, they can recreate any user’s entire browsing session. Frighteningly, FullStory advertises the ability to replay any specific user’s session, since they can associate cross-session cookie IDs with users’ real names, emails, and account IDs.

FullStory follows an “opt-out” mentality, meaning that they default to gathering far more than a website owner will ever need. To be clear, only their clients (website owners) can opt out of gathering data. The hapless users visiting the website are completely unaware of the activity except for noticing that some websites drain their battery and data allowance very quickly. Most unnerving is that unless credit card input fields are specifically marked as “excluded,” the data in them is captured and stored in FullStory’s servers. Other inputs, like passwords, are “automatically excluded,” but that doesn’t necessarily mean that the passwords are not gathered, only that they’re not replayed for the clients. (FullStory captures every keystroke, so even if they don’t collect the value of the password input, it would be trivial to recreate it.)
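For site owners who do embed a session recorder, the opt-out default described above means every payment field has to be checked for an exclusion marker. The following audit is an added example, not code from this article or from FullStory; it assumes the marker is a CSS class named `fs-exclude` that also covers child elements (confirm the name and behavior against the vendor's documentation), and the sample form is constructed.

```python
import re
from html.parser import HTMLParser

EXCLUDE_CLASS = "fs-exclude"  # assumed marker name; confirm against vendor docs
CARD_HINT = re.compile(r"card|cvv|cvc", re.I)  # heuristic for name/id attributes
VOID = {"input", "br", "hr", "img", "meta", "link"}  # tags with no closing tag

def looks_like_card_field(attrs):
    # Standard autocomplete tokens for payment data all start with "cc-".
    tokens = attrs.get("autocomplete", "").lower().split()
    if any(t.startswith("cc-") for t in tokens):
        return True
    return bool(CARD_HINT.search(attrs.get("name", "") + " " + attrs.get("id", "")))

class ExclusionAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []     # (tag, excluded) for each open element
        self.findings = []  # (line, field label) for unexcluded card fields

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        inherited = bool(self.stack) and self.stack[-1][1]
        excluded = inherited or EXCLUDE_CLASS in a.get("class", "").split()
        if tag in ("input", "textarea", "select") and not excluded and looks_like_card_field(a):
            self.findings.append((self.getpos()[0], a.get("name") or a.get("id") or "?"))
        if tag not in VOID:
            self.stack.append((tag, excluded))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag, tolerating unclosed children.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html):
    parser = ExclusionAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample checkout form, not taken from any real site.
SAMPLE = """<form id="checkout">
  <input name="email" type="email">
  <input name="card_number" autocomplete="cc-number">
  <div class="payment fs-exclude"><input name="cvv" autocomplete="cc-csc"></div>
  <input id="exp" autocomplete="cc-exp" class="fs-exclude">
  <input name="cardholder" autocomplete="cc-name"/>
</form>"""

if __name__ == "__main__":
    for line, label in audit(SAMPLE):
        print(f"line {line}: card field '{label}' is not excluded from recording")
```

Run over rendered templates in CI, a non-empty result means a card field would be recorded under the default settings.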

How does FullStory treat digital citizens’ data once it has been harvested? The following snippet is taken directly from their legal & privacy page (emphasis mine):

We will never sell your data to third parties or otherwise share it with non-agent third parties. If this practice should change in the future we will update this policy to identify those parties and illustrate how individuals can exercise their right to opt out of such usage.

In some cases, we may choose to buy or sell assets. In these types of transactions, user information is typically one of the transferred business assets. If we, or substantially all of our assets, were acquired, or if we go out of business or enter bankruptcy, User and Visitor information would be one of the assets that is transferred or acquired by a third party. You acknowledge that such transfers may occur, and that any acquirer of us or our assets may continue to use your Personal Information as set forth in this Privacy Policy.

To translate: We (FullStory) won’t sell your data to anyone else. Unless we change our minds. Or sell it. Or sell ourselves to another corporation.

All of this is unnerving to me, and I don’t think I’m alone.

I highly recommend installing EFF’s Privacy Badger and adding FullStory.com to the blocked list. This extension does not allow advertisers to pay to not be blocked, unlike Adblock Plus or uBlock.

The opinions in this article are entirely my own and do not necessarily reflect those of my current or former employers or my colleagues.
