Publication Details
Data Exfiltration by Hotjar Revisited
Slezáková Alexandra, Bc.
Web privacy, Session Replay, Data Protection
Session replay scripts allow website owners to record the interaction of each web
site visitor and aggregate the interaction to reveal the interests and problems
of the visitors. However, previous research identified such techniques as privacy
intrusive. This position paper updates the information on data collection by
Hotjar. It revisits the previous findings to detect and describe the changes. The
default policy to gather inputs changed; the recording script gathers only
information from explicitly allowed input elements. Nevertheless, Hotjar does
record content reflecting users' behaviour outside input HTML elements. Even
though we propose changes that would prevent the leakage of the reflected
content, we argue that such changes will most likely not appear in practice. The
paper discusses improvements in handling TLS. Not only do web page operators
interact with Hotjar through encrypted connections, but Hotjar scripts do not
work on sites not protected by TLS. Hotjar respects the Do Not Track signal;
however, users need to connect to Hotjar even in the presence of the Do Not Track
setting. Worse, malicious web operators can trick Hotjar into recording sessions
of users with the active Do Not Track setting. Finally, we propose and motivate
the extension of GDPR Art. 25 obligations to processors.
@inproceedings{BUT185162,
author="Libor {Polčák} and Alexandra {Slezáková}",
title="Data Exfiltration by Hotjar Revisited",
booktitle="Proceedings of the 19th International Conference on Web Information Systems and Technologies",
year="2023",
pages="347--354",
publisher="SciTePress - Science and Technology Publications",
address="Řím",
doi="10.5220/0012192500003584",
isbn="978-989-758-672-9",
url="https://arxiv.org/abs/2309.11253"
}