Publication Details

Data Exfiltration by Hotjar Revisited

POLČÁK, L.; SLEZÁKOVÁ, A. Data Exfiltration by Hotjar Revisited. In Proceedings of the 19th International Conference on Web Information Systems and Technologies. Řím: SciTePress - Science and Technology Publications, 2023. p. 347-354. ISBN: 978-989-758-672-9.
Czech title
Přezkum získávání dat nástoji firmy HotJar
Type
conference paper
Language
English
Authors
Polčák Libor, Ing., Ph.D. (DIFS)
Slezáková Alexandra, Bc.
URL
Keywords

Web privacy, Session Replay, Data Protection

Abstract

Session replay scripts allow website owners to record the interaction of each web site visitor and aggregate the interaction to reveal the interests and problems of the visitors. However, previous research identified such techniques as privacy intrusive. This position paper updates the information on data collection by Hotjar. It revisits the previous findings to detect and describe the changes. The default policy to gather inputs changed; the recording script gathers only information from explicitly allowed input elements. Nevertheless, Hotjar does record content reflecting users' behaviour outside input HTML elements. Even though we propose changes that would prevent the leakage of the reflected content, we argue that such changes will most likely not appear in practice. The paper discusses improvements in handling TLS. Not only do web page operators interact with Hotjar through encrypted connections, but Hotjar scripts do not work on sites not protected by TLS. Hotjar respects the Do Not Track signal; however, users need to connect to Hotjar even in the presence of the Do Not Track setting. Worse, malicious web operators can trick Hotjar into recording sessions of users with the active Do Not Track setting. Finally, we propose and motivate the extension of GDPR Art. 25 obligations to processors.

Published
2023
Pages
347–354
Proceedings
Proceedings of the 19th International Conference on Web Information Systems and Technologies
ISBN
978-989-758-672-9
Publisher
SciTePress - Science and Technology Publications
Place
Řím
DOI
EID Scopus
BibTeX
@inproceedings{BUT185162,
  author="Libor {Polčák} and Alexandra {Slezáková}",
  title="Data Exfiltration by Hotjar Revisited",
  booktitle="Proceedings of the 19th International Conference on Web Information Systems and Technologies",
  year="2023",
  pages="347--354",
  publisher="SciTePress - Science and Technology Publications",
  address="Řím",
  doi="10.5220/0012192500003584",
  isbn="978-989-758-672-9",
  url="https://arxiv.org/abs/2309.11253"
}
Back to top