Everyone is watching what you do, all the time:
“More and more sites use “session replay” scripts. These scripts record your keystrokes, mouse movements, and scrolling behaviour, along with the entire contents of the pages you visit, and send them to third-party servers,” Princeton researcher Steven Englehardt wrote in a blog post under the No Boundaries banner.
“Collection of page content by third-party replay scripts may cause sensitive information such as medical conditions, credit card details and other personal information displayed on a page to leak to the third party as part of the recording. This may expose users to identity theft, online scams, and other unwanted behaviour.”…
Companies using such software included The Guardian, Samsung, Al-Jazeera, VK, Adobe, Microsoft, WordPress, Samsung, CBS News, the Telegraph, Reuters, and US retail giant Home Depot, among many others.
So, if you are logging in to one of these websites, you should expect that everything you write, type, or move is being recorded.
I assume this means if you open a Guardian article in one tab, and then switch to your word processor to compose a confidential letter to your lawyer, then buy something online with your credit card, then write a confidential email to your mistress, then read the Guardian article and shut the tab, everything you were doing on those other tasks is forwarded to the database.
And that is just some random ad software, which isn’t explicitly trying to spy on you.
You can see how NSA can do pretty much anything it wants on your system.
Tell everyone about r/K Theory, while you have other webpages open and logging your keystrokes
Man, it would really suck if those NSA guys were paper or tarmac Americans. I hope the nukes still work at least, or else we could all end up speaking Chinese.
Fortunately, JavaScript can only record user information (keylogging, mouse cursor tracking, etc.) in the tab it is running in. So the Guardian page could only read what you typed into it, and not what you wrote into another tab. It also wouldn’t be able to read anything outside the browser. Different pages running tracking scripts provided by the same third party could potentially allow said third party to combine what you did on those two pages, but anything done on any other tabs and anything outside the browser is still safe.
Of course, this is assuming that there aren’t any vulnerabilities in the JavaScript parser in your browser. These vulnerabilities are less common than in Flash or old plugins like Silverlight, but they have been found before. So your best bet is probably just to block all scripts/applets/plugins with NoScript. That only leaves the code that handles HTML, CSS, and images as potential attack surface.
I suppose if you were really paranoid you could just browse the internet in 1993 mode with Lynx or w3m, which only display text and ignore images and CSS. Bonus points for compiling everything yourself with ASLR and stack smashing protection and using a computer without the Intel management engine that’s running Qubes and has had its BIOS flashed with Libreboot.
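The comment above notes that one third party whose script runs on several sites can combine what it sees on each. As an added example (not part of the original post or comments), this audit takes an inventory of pages and their script URLs and lists the third-party script hosts embedded on more than one site. The hostnames are constructed, and treating the last two DNS labels as the "site" is an assumption; real tooling uses the Public Suffix List.

```javascript
// Added example with constructed data; all hosts are hypothetical (.example is reserved).
// Assumption: a "site" is the last two DNS labels. Production code should use
// the Public Suffix List instead.
function site(hostname) {
  return hostname.split('.').slice(-2).join('.');
}

// Return the set of third-party sites a page loads scripts from.
function thirdPartyScriptSites(pageUrl, scriptSrcs) {
  const first = site(new URL(pageUrl).hostname);
  const found = new Set();
  for (const src of scriptSrcs) {
    // Relative URLs resolve against the page, so they stay first-party.
    const s = site(new URL(src, pageUrl).hostname);
    if (s !== first) found.add(s);
  }
  return found;
}

// Map each third-party script site to the first-party sites that embed it,
// keeping only those present on two or more sites.
function sharedThirdParties(pages) {
  const seen = new Map();
  for (const { url, scripts } of pages) {
    const first = site(new URL(url).hostname);
    for (const tp of thirdPartyScriptSites(url, scripts)) {
      if (!seen.has(tp)) seen.set(tp, new Set());
      seen.get(tp).add(first);
    }
  }
  const shared = {};
  for (const [tp, firsts] of seen) {
    if (firsts.size >= 2) shared[tp] = [...firsts].sort();
  }
  return shared;
}

// Constructed inventory: two unrelated sites embedding the same replay script.
const pages = [
  { url: 'https://news.example/article',
    scripts: ['/js/app.js', 'https://cdn.replay-vendor.example/r.js'] },
  { url: 'https://shop.example/checkout',
    scripts: ['https://static.shop.example/cart.js',
              'https://cdn.replay-vendor.example/r.js',
              'https://fonts-host.example/f.js'] },
];
console.log(sharedThirdParties(pages));
```

Hosts that appear in the result are the ones worth blocking or reviewing first, since they are the only ones in a position to link activity across the listed sites.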
Wow, IAmNotTheNSA, you go. It's word salad to me.
I run Ubuntu 16.04, and use one computer for bank, financial and tax; and a second laptop for general reading, web commenting. The two never meet. Not as safe as total gizmo wiz computer self built system, but better than nothing.