UK ISP Sky Broadband Says No Need to Fear SessionCam Snooping

Sky Broadband has moved to reassure people after some of their customers noticed that the third-party SessionCam service appeared to be monitoring private activity upon sensitive parts of the ISPs online account management (My Sky) pages, such as the page for entering payment details.

The chances are good that you won’t be familiar with SessionCam. It’s essentially a powerful visitor tracking tool that allows websites to forensically monitor the activity of their readers, such as by recording key presses, mouse movements, mouse clicks, mobile gestures, scrolling and it can even replay the activity as a video.

On the one hand such tools are excellent for improving customer service and identifying problems with how a website functions, so it would make sense for an ISP to be using it. But at the same time you wouldn’t normally expect such services to be found tracking activity on payment detail pages or other similarly sensitive sections.

But this is the reason why one of ISPreview.co.uk’s readers raised their concerns with us and sure enough, after a little checking of our own, we found that JavaScript code for SessionCam.com’s Client Integration v4.0 was indeed being used on the members-only My Sky pages and their “Make a payment” page.. among others.

A quick look through Sky’s privacy policy revealed that the closest reference to SessionCam’s capabilities appeared to be this somewhat vague extract from under the ‘Analytics’ (Cookies) section: “It’s also very useful to be able to identify trends of how people navigate (find their way through) our sites“.

Naturally we queried this with Sky Broadband as well as BT, TalkTalk and Virgin Media. A spokesperson for Virgin quickly confirmed that “we don’t use this type of technology“, while BT added that it did use a similar solution called ClickTale to “understand detailed user journeys and behaviours on BT.com” but that this isn’t employed on sensitive pages. Meanwhile TalkTalk has so far been unable to clarify whether or not they use anything similar.

A BT Consumer Spokesperson told ISPreview.co.uk:

“BT Consumer currently uses a tool called ClickTale to understand detailed user journeys and behaviours on BT.com. This tool is only used on pre-sales shopping pages and not on any ordering pages or personal customer areas, such as MyBT or account management, where personal details, billing and payment information are held.”

So should you be worried about SessionCam? Sky says no. Sky Broadband confirmed that the tool was being used, including on payment pages, but that this was only intended to help the team at Sky improve the “digital customer experience“. Apparently it doesn’t record any sensitive data entered on their payment pages or any other pages within Sky’s website or share what it does collect with SessionCam.com itself.

Sadly Sky didn’t clarify precisely what aspects of SessionCam they actually use and would only say that it was used as a tool to alert them about any possible “technical issues” that might arise across their website. ISPreview.co.uk understands that individual fields, those that may contain sensitive data (names etc.), are only recorded as a series of asterisks (this allows an ISP to pick-up usability issues without seeing the data details).

Sky does conduct their own internal security audits, which are described as being “extremely robust“, and apparently the ISP has worked with SessionCam to ensure 100% compliance with their standards. Any data that does get stored by SessionCam is transferred to a secure environment using SSL encryption and secured / protected using numerous levels of control at an application, data and infrastructure level.

Never the less we suspect that some people might still be unhappy with the use of SessionCam on such pages and if so then some web browsers and browser plugins will allow you block it from loading.