Last week, an article came out from Princeton’s Center for Information Technology Policy analyzing several user replay solutions, including Smartlook. That jumpstarted a stream of articles on other media sites, including The Next Web, the BBC, and Motherboard. The articles talk about data privacy and present session replay solutions in a somewhat negative light. Some of the articles have a bit of a doomsday feeling to them, labeling visitor recording products as keyloggers, which is technically incorrect. Because of this, we wanted to explain what Smartlook does to protect user privacy and share with you a few security updates.
First off, we developed Smartlook so companies around the world could improve customer experience. UX and UI designers look at session replays to see how visitors interact with a new feature. Customer care reps check user recordings to pinpoint and verify an issue reported by a customer. (We’re pretty sure the other products listed in the research have similar goals.)
The personal data of users might be recorded in the process, so of course it’s important to make sure everything is secure. At Smartlook, we take user privacy seriously and constantly improve our security measures. It’s important to clarify that Smartlook (or any session replay product) tracks only what’s happening on a website on which a company willingly installed our script.
Smartlook doesn’t “record every keystroke”, as many articles were happy to put in their headlines. Our user replay visually captures what is on the page. If you randomly start typing letters on your keyboard, nothing gets captured unless those letters are visually shown on the website in question. So it’s important to treat the information in most media articles with caution. It’s actually better to read the original article from CITP.
One of the main points the Princeton article makes is that our Smartlook Player doesn’t run on HTTPS. (Note that this concerns only the Player itself, not the data retrieval, which was already secured. Our website, dashboard, and internal recorder component have been using SSL for a long time.) Updating the Player is something we had planned to do in our new product version in Q1 2018, but because of the media coverage, we have sped up the release and are happy to say that the Smartlook Player switch to HTTPS was done yesterday. So now, all Smartlook components are updated. At the same time, we improved the masking of password fields to make sure the password length is not recognizable anymore.
It’s also worth saying that Smartlook gives companies lots of tools to further protect the privacy of their visitors, including the masking of form inputs, anonymizing IP addresses, an opt-out for individual visitors who don’t wish to be recorded, and an API for advanced custom masking of specific elements on websites. All of these options have been available in Smartlook for some time and are described in detail in our Help section. As we are located in the EU, Smartlook is going to be GDPR compliant once the new EU regulation comes into effect in May 2018. We’ll be putting out more info about our GDPR compliance in the upcoming weeks.
Many articles were critical of the fact that companies don’t properly notify their visitors about being recorded. We agree that this should be done, and we cover this in our Help section. We’ve also been informing customers about this from the start. From a legal point of view, session replay is no different from any third-party web script that might track personal data.
It’s definitely good that CITP published their research. It makes sure everyone in our industry is aware of their shortcomings and keeps improving. Transparency is important to us at Smartlook as we keep on hustlin’ and delivering a secure product that our customers can trust. To be honest, our team was actually excited to see Smartlook included in the research as one of the major session replay solutions out there.
At the end of the day, we strongly believe that user replay technology is a good thing that helps in a big way. Companies can create better websites thanks to us, which results in better user experience, simpler online shopping, and better software.
Feel free to reach out to us about any further questions in the comments or via email at firstname.lastname@example.org.