Almost Every Website You Visit Records Exactly How Your Mouse Moves

Services that replay your digital body language like it’s a movie are extremely common and easy to install

Photo: Richard Baker/Getty Images

When you visit any website, its owner will know where you click, what you type, and how you move your mouse. That’s how websites work: In order to perform actions based on user input, they have to know what that input is.

On its own, that information isn’t all that useful, but many websites today use a service that pulls all of this data together to create session replays of a user’s every move. The result is a video that feels like standing over a user’s shoulder and watching them use the site directly — and what sites can glean from these sorts of tracking tools may surprise you.

Session replay services have been around for over a decade and are widely used. One service, called FullStory, lists popular sites like Zillow, TeeSpring, and Jane as clients on its website. Another, called LogRocket, boasts Airbnb, Reddit, and CarFax, and a third called Inspectlet lists Shopify, ABC, and eBay among its users. They bill themselves as tools for designing sites that are easy to use and increase desired user behavior, such as buying an item. If many users add items to their cart, but then abandon the purchase at a certain rough part of the checkout process, for instance, the service helps site owners figure out how to change the site’s design to nudge users over the checkout line.

It felt like observing digital body language.

To understand what this type of tracking looks like in practice, I set up FullStory on my personal portfolio site (I have since removed it). It was surprisingly easy. After signing up for a free trial account, I just copied a small, 23-line script and added it to my site’s header — which would be a simple task for any web developer, but even easier for me since my site uses Squarespace — and the tracking worked immediately. With almost no development or coding experience, I was able to see what every single visitor to my site did.

In an incognito window, I opened my site and browsed around for a minute. When I came back to my FullStory dashboard, I found a video recreation of every single movement I’d just made waiting for me.

I expected the video to show the links I clicked on, and maybe text I highlighted. What surprised me was that the software even recorded when I shook my mouse around while deciding what to click on. It felt like observing digital body language.

FullStory even has a feature that tracks what it calls “rage clicks.” This is when a user gets frustrated with a site and starts angrily clicking over and over.

There are innocuous reasons for site owners to want this sort of data. Being able to see when a user hesitates to click or scrolls past the product they were looking for can tell them a lot about the effectiveness of their site. It can also be a powerful customer support tool.

Beyond the replay, FullStory and services like it provide sites with analytics reports on aggregate user behavior and heat maps that show where users have clicked — helpful if, for example, users are clicking on an image or logo expecting it to be a link.

But after seeing the session replay myself, I had questions about user privacy.

While a site itself always has access to raw behavior data — and could hypothetically look in on any individual user session — using a service like FullStory brings a third party into the mix. Users aren’t just sharing data with the site they’re on, which they expect, but also with an analytics service that may be watching over their shoulder.

Replay services offer tools to selectively exclude or hide information from the third parties they partner with, such as content entered into boxes for passwords or credit card information. But it’s up to sites to format their forms correctly and use the exclusion tools to keep sensitive data out of the recording service’s hands. For example, when I added a box that was properly coded to be marked as a password, FullStory automatically hid the information typed into it from its recordings. But when I added a basic text field and just gave it the label “password,” FullStory was still able to see any text entered into the box, even if it was never submitted.

In the company’s acceptable use policy, which outlines how it expects sites to use its product, FullStory explicitly says it “never wants to see” sensitive information like credit card numbers or government-issued IDs. But it’s possible for sites to either fail to take the precaution of hiding them or to make errors that leave data exposed.

FullStory’s policy also says sites shouldn’t use FullStory to collect email addresses that a user enters into a box, but then never submits, or to collect information to share to other third parties.

It’s unclear how much FullStory and apps like it can proactively enforce proper usage of its tools (In a statement to OneZero, FullStory said that it has “an established pattern to respectfully engage them to determine whether [a website’s] use is acceptable” and has stopped working with customers who violated its policy in the past). It’s theoretically possible for someone to add a script to a cheap site and track users without disclosing it, as I did. In fact, FullStory even warns against using the service in browser extensions to scrape data from sites the user doesn’t own. Which means it’s possible someone has already tried.

Update: This article has been edited to include a statement from FullStory.