You need an ad blocker

Ad networks, marketing services and the websites using their products regularly complain about the prevalence of ad-blocker use among their visitors. Comparing it to theft of services.

If stories of these same outfits regularly abusing their position and aggressively invading users' privacy didn't surface with amazing regularity, they might have a chance to defend their position.

Just this week, The Verge revealed that some ad targeting scripts are pulling data from your browser’s built-in password manager tool:

The researchers examined two different scripts — AdThink and OnAudience — both of are designed to get identifiable information out of browser-based password managers. The scripts work by injecting invisible login forms in the background of the webpage and scooping up whatever the browsers autofill into the available slots. That information can then be used as a persistent ID to track users from page to page, a potentially valuable tool in targeting advertising.

This is way beyond standard "tracking" and well into personal data theft. If you're not already using an external password manager, I suggest you start now. There are plenty of options out there like 1Password, Bitwarden or KeepassX.

Meanwhile, session replay scripts are also grabbing personal information from pages they're installed on. If you don't know what these are (and, unless you work in online marketing, there's little reason to), the linked article describes them accurately:

You may know that most websites have third-party analytics scripts that record which pages you visit and the searches you make. But lately, more and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behavior, along with the entire contents of the pages you visit, and send them to third-party servers. Unlike typical analytics services that provide aggregate statistics, these scripts are intended for the recording and playback of individual browsing sessions, as if someone is looking over your shoulder.

Unlike the deliberately malicious ad targeting scripts mentioned above, the session replay ones attempt to automatically redact sensitive information or require their users to manually do so. This is not enough, and sensitive information can be transmitted and stored by these services:

Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third-party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behavior. The same is true for the collection of user inputs during checkout and registration processes.

If you're not using privacy plugins in your browser, you should start right now. Install an ad blocker, my personal favourite is uBlock Origin. Then install an extra tracker blocking plugin like or Privacy Badger.