1. As the article mentions, in some cases these apps end up leaking sensitive data like credit card details and passwords. Generally, if you are taking snapshots of the user's screen instead of sending text metrics, it becomes much harder to mask sensitive data at all times.
> From time to time, GLASSBOX grants certain of its enterprise clients a license or other rights to GLASSBOX’s proprietary software products and solutions (the “GLASSBOX Solutions”). Through their use of these GLASSBOX Solutions and/or through other means, enterprise clients of GLASSBOX may get access to, collect and use: (i) End User non-personally identifiable information; and (ii) End User Personal Data.
> There are also times when we will combine such information with additional non-personal or de-identified information we obtain from other companies as well as End User Personal Data, in order for our enterprise clients to market directly to a certain person subject to requirements of applicable law. We typically analyze this information and organize it into user groups and audiences, based on factors such as age, gender, geography, interests and online actions. We and our enterprise clients then use these user groups and audiences, along with information about the possible relationships among different browsers and devices, to design and deliver customized advertising campaigns or other relevant content.
Movement of your finger on the screen is not personal data. Screenshots most of the time aren’t either.
Well, as long as the app 1. lets me know and 2. lets me choose whether to have this feature on or not, I don't have a problem with an app recording my usage of it in order to improve UI flow or what have you.
The issue here is that 1. sensitive data is being transmitted via automated screenshots and 2. the users are not even being made aware of this fact, let alone being given a choice.
And that's why UX is optimized for people who don't care about privacy :)
On my jailbroken i-devices (all of them) I always installed "Firewall IP", and when an app was running, for any connection not previously (or globally - meaning the rule applies for all apps) approved I would get a pop-up message (screenshot of an earlier iOS Firewall IP).
Now with the jailbreaks being less efficient, and the Firewall IP app not having been updated for a few years, I switched to Android and I am using "NoRoot Firewall" for exactly the same purpose. I globally block all FB, ads, trackers
There is always the extra option for rooted/jailbroken phones to block things in the hosts file, using the hosts file selections from someonewhocares.org.
You could further connect to a vpn service if you wanted anonymity, although that would of course require trusting them.
It's a lot more difficult/leaky, for example it's not possible to block a certain app from accessing the internet;
Sure, you can gather all the domains it connects to and block those, but those domains and/or ip addresses can change over time. And when they do, you will not notice, and the app will be able to access the internet until maybe one day you notice and start blocking the new domains/ip addresses.
- Blokada (https://blokada.org/): Does DNS-based blocking, good for blocking ads/trackers generally
- NetGuard (https://www.netguard.me/): With Pro, has traffic logging and the ability to filter by address or app. My approach for most apps is to disable all access then selectively whitelist as necessary to make it functional again.
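The two comments above describe the same approach from two sides: deny everything, allowlist what the app needs, and accept that you will not notice when a domain or IP changes. As an added example (not part of the thread, and not NetGuard's or any firewall's own code or export format), here is a small drift check in JavaScript that parses a per-app connection log and reports every destination not on the app's allowlist, so a changed domain shows up as a finding instead of silently working. The log format, app identifiers, hosts and allowlist are all constructed for this example.

```javascript
// Added example, not from the thread: detect an app talking to destinations
// outside the per-app allowlist you built when you first let it online.
// The log format, app names and hosts below are constructed for this example
// and are not NetGuard's (or any firewall's) real export format.
const SAMPLE_LOG = `
2019-02-07T10:14:02Z com.example.shop TCP api.example.com 443 ALLOW
2019-02-07T10:14:03Z com.example.shop TCP cdn.example.com 443 ALLOW
2019-02-07T10:14:09Z com.example.shop TCP telemetry.example.net 443 ALLOW
2019-02-07T10:15:30Z org.example.reader UDP 203.0.113.7 53 ALLOW
2019-02-07T10:15:31Z org.example.reader TCP news.example.org 443 ALLOW
2019-02-07T10:16:00Z com.example.game TCP ads.example.com 443 BLOCK
this line is malformed and must be skipped, not crash the run
`;

// timestamp app proto host port verdict
const LINE_RE = /^(\S+) (\S+) (TCP|UDP) (\S+) (\d{1,5}) (ALLOW|BLOCK)$/;

// Parse the constructed log into entries; unparseable lines are skipped, not fatal.
function parseLog(text) {
  const entries = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line) continue;
    const m = LINE_RE.exec(line);
    if (!m) continue;
    entries.push({ ts: m[1], app: m[2], proto: m[3], host: m[4], port: Number(m[5]), verdict: m[6] });
  }
  return entries;
}

// Deny-by-default allowlist keyed by app, recorded once the app was working.
// An app with no entry is allowed nothing, so every destination it reaches is a finding.
const ALLOWLIST = {
  'com.example.shop': new Set(['api.example.com:443', 'cdn.example.com:443']),
  'org.example.reader': new Set(['news.example.org:443']),
};

// Returns { app: [dest, ...] } for every destination not on that app's allowlist.
// A BLOCKed attempt is still reported: a rule happened to catch it, but the drift
// itself is what you wanted to notice.
function findDrift(entries, allowlist) {
  const findings = {};
  for (const e of entries) {
    const dest = `${e.host}:${e.port}`;
    const allowed = allowlist[e.app];
    if (allowed && allowed.has(dest)) continue;
    if (!findings[e.app]) findings[e.app] = new Set();
    findings[e.app].add(dest);
  }
  // sorted arrays so the output is stable and easy to diff against yesterday's run
  return Object.fromEntries(
    Object.entries(findings).map(([app, s]) => [app, [...s].sort()])
  );
}

console.log(JSON.stringify(findDrift(parseLog(SAMPLE_LOG), ALLOWLIST), null, 2));
```

Run it over an exported log from whatever firewall you use (after adapting LINE_RE to its real format) and diff the output between runs; the point is that the allowlist is the source of truth, so a new telemetry host or a resolver on a new IP is reported the first time it appears rather than after you happen to look.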
My Pixel 2 is rooted with Magisk, and passes Safetynet. I use Google Pay all the time.
The documentation talked about how to block this capture but that involved a developer getting involved and the developers didn't even know about the plug-in.
Basically, don't add a third party service to any app or website without doing a security review, especially if marketing, product or UX have suggested it!
* www.mydomain.com - install Google Tag Manager, let the marketing people go crazy
* app.mydomain.com - all tracking requests have to go through a developer
That works well for SaaS type of products. Not so well for online stores where you want everything integrated.
Even there, that's dangerous. Most marketing people are not trained in legal matters and install all kinds of shit with dubious legality. In addition the tons of trackers on websites make the user experience really slow. Approval by legal and tech should be the standard process, not "marketing has free rein to fuck over the company due to messing up GDPR compliance".
You're reliant on them behaving in the same manner consistently, and behaving ethically when they change their service's behaviour.
You win a medal!
We could never get away with doing this for our (Windows) app, but sometimes I have conversations with people in my user base and I really, really wish I had some idea of how they got into some $random_weird_state.
But yeah, it oughta be in the T&C if nothing else.
This is quite different than the sensational headline.
update: fixed wording
This isn't the same thing. This is an actual recording of a user's entire session. While it doesn't capture a rendered image like a "screen recorder" would do, it captures every change in real-time, so it can play it back perfectly, and the end result is the same: you can watch a video of your user's session.
And I can personally confirm that people definitely stand around the water cooler and talk about the stuff they watched. It's creepy.
Does it really even matter if you're sending them your credit card details anyway?
But are you sending them this info? I thought a lot of sites used third-party payment processors precisely in order not to handle this data themselves (and be liable for mishandling).
I have no comment regarding the ethical implications of this technology, but I can see why it is useful practically.
Most vendors record keyboard inputs and thus can record passwords as well as credit card information; there was an affair about it a few years ago. To not have this issue, most vendors provide a way to not record that information. It requires manual tagging, on the website, of the element that contains critical content.
But many session replay vendors have many clients, and don't force or don't verify that all the critical information is masked. This is not GDPR compliant, because when the GDPR applies you need the consent of the user to record his PII, and you are not even allowed to record information like passwords, sexual orientation or credit cards even if you have the consent.
- Nowadays on the web most payment pages are not hosted on the client website, so those analytics tools are not included (but we still have many websites that don't use a third party for that)
- This data is not (most of the time) recorded in a structured way; the data of inputs is recorded as some element of an HTML, and thus it is not super easy to extract the information at scale
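The comment above describes the failure mode precisely: the vendor records every input and the site developer has to remember to tag each sensitive element. As an added example (not part of the thread, and not any session-replay vendor's code), here is the recorder-side redaction policy written both ways in JavaScript: the opt-out model the comment describes, next to a default-deny model where nothing typed is captured unless a field is explicitly allowlisted and credential/payment-looking fields are masked even then. The input elements are plain-object stand-ins so it runs under Node without a DOM, and the attribute names data-replay-mask / data-replay-allow, the field names and the form contents are all assumptions made for this example.

```javascript
// Added example, not from the thread and not any session-replay vendor's code.
// Input elements are stand-in plain objects so this runs under Node without a DOM.
// The attribute names data-replay-mask / data-replay-allow are assumptions.

// Opt-out masking, the model described above: everything a user types is
// captured unless a developer tagged that element. Masked values keep their
// length (one * per character), so even a masked password leaks its length.
function redactOptOut(field) {
  const attrs = field.attrs || {};
  if ('data-replay-mask' in attrs) return '*'.repeat(field.value.length);
  return field.value;
}

// Default-deny masking: nothing typed is captured unless the element is
// explicitly allowlisted, and credential/payment-looking fields are masked
// even then. A fixed placeholder is used so the length does not leak either.
const REDACTED = '***';
const NEVER_CAPTURE_TYPES = new Set(['password', 'email', 'tel', 'hidden']);
const NEVER_CAPTURE_AUTOCOMPLETE = /^(cc-|current-password|new-password|one-time-code)/;
const NEVER_CAPTURE_NAME = /card|cvv|cvc|ssn|passw|secret|token|iban/i;

function isSensitive(field) {
  const attrs = field.attrs || {};
  return NEVER_CAPTURE_TYPES.has((field.type || 'text').toLowerCase())
    || NEVER_CAPTURE_AUTOCOMPLETE.test((attrs.autocomplete || '').toLowerCase())
    || NEVER_CAPTURE_NAME.test(field.name || '');
}

function redactDefaultDeny(field) {
  const attrs = field.attrs || {};
  if (isSensitive(field) || !('data-replay-allow' in attrs)) return REDACTED;
  return field.value;
}

// What the recorder would ship for one form under a given policy.
function snapshotForm(fields, redact) {
  return fields.map(f => ({ name: f.name, value: redact(f) }));
}

// Constructed checkout form. The developer remembered to tag the password
// but forgot the card number, which is exactly the failure the thread describes.
const SAMPLE_FORM = [
  { name: 'q', type: 'search', value: 'red hoodie', attrs: { 'data-replay-allow': '' } },
  { name: 'cardnumber', type: 'text', value: '4111111111111111', attrs: { autocomplete: 'cc-number' } },
  { name: 'pwd', type: 'password', value: 'hunter2', attrs: { 'data-replay-mask': '' } },
  { name: 'promo', type: 'text', value: 'SPRING10', attrs: {} },
];

// Names of fields whose real value made it into the shipped snapshot.
function leakedFields(fields, redact) {
  return snapshotForm(fields, redact)
    .filter((s, i) => s.value === fields[i].value)
    .map(s => s.name);
}

console.log('opt-out leaks:', leakedFields(SAMPLE_FORM, redactOptOut));
console.log('default-deny leaks:', leakedFields(SAMPLE_FORM, redactDefaultDeny));
```

Under the opt-out policy the untagged card number and promo code ship in clear; under default-deny only the explicitly allowlisted search box does, and the card number is masked by its autocomplete hint even if someone later allowlists it by mistake. The name regex is deliberately narrow (no "pan", which would match "company"); it is a backstop behind the type and autocomplete checks, not the primary control.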
The key phrases here are "recording every tap and swipe" and "on their iPhone apps". I'm not saying it is okay, but the sensationalist headline takes away from the real issue.
In smaller publications, some shoddy reporting can often be attributed to a lack of experience or resources. It's hard to find an excuse for larger publications with well-established editorial resources, however. These stories are presented under the guise of public interest, but in reality they seem increasingly driven by politics and sinister ulterior motives. The end result is the spread of misinformation and further public distrust of the media and technology as a whole.
Pick a popular company / product / service, find something that they could be doing, throw up an article suggesting that's what they could be doing but have the title inferring that it is what they are actually doing. Rinse / repeat.
I imagine readers on HN actually read articles at a vastly higher rate than e.g. Reddit or Facebook, yet on reading the comments it often becomes quickly apparent that many users, even here, do not bother reading articles before commenting on them. In an ideal world I wouldn't mind seeing misleading headlines put in the same bucket as false or misleading advertising. Of course in practice that'd be a terrible idea since this rule would simply be used for the powers that be to litigate against anything they don't like being published.
This is what happens under capitalism when private news organizations are disrupted by the Internet.
The solution is a collaborative news site, we don’t need intrepid reporters going into war zones when everyone can record video on their phone. We don’t need biased clickbait news providing fodder for social network algorithms to herd us into echo chambers. We need a place where people of all viewpoints meet and duke it out like Wikipedia but for news.
PS: wikinews in particular sucks though
I don't want this to devolve into an argument of semantics, but given NYT's editorial resources there's no doubt they carefully scrutinized how the "read" and "write" would be interpreted by their readership in the context of a negative report about Facebook.
I saw the title and thought "so the app is recording what's on the screen... which on a phone, is going to be itself... that's not such a big deal." As much as I don't like this sort of telemetry, it is in no way the sort of security issue the title appears to be insinuating.
I assume you are against their choice to send a log of their drawing commands in the form of images.
“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.
The takeaway is that some companies are capturing things that they shouldn't be storing, and the article has exposed at least one instance where this information has been sent to a third party without masking.
As a side note, I've always been afraid to use payment options within apps that redirect to bank logins or payment gateways and this only feeds my fears.
Even if you're making the payment through a trusted bank or a payment provider, these apps still probably intercept and store the information you gave your bank.
This is so that should there be a dispute they have a screen shot of the forms presented and what details the customer provided. Payment screens would not be captured this way.
Also, as I recall, banks legitimately "track" user interactions as a means of fraud detection.
Effectively an invisible captcha.
And some porn sites also ask for camera access.
I think you are measuring video engagement/scoring from your reactions to video using your facial expressions.
It's a very good approach for bypassing fake views.
I realize there isn't functionally much difference within an app. But unless I'm reading it incorrectly, it's not recording the screen it's just the UI of the app. That's not nothing, but I always assumed (sadly?) that a lot of apps have been doing that for years to hone their UX dark arts.
Maybe this is a bit much, but developers do need some data as to how their app is performing in the real world. You might have some metrics that says 0% of visitors to your order checkout page on FooPhone 1.0 are completing orders successfully. With a screenshot, you can immediately see that that screen doesn't even work on that device. It doesn't sound like a tragic loss of privacy to me, but rather an important tool for developers to help smooth over the reality of massive device incompatibility.
As a user, I don't care at all if it makes dev's life easier. I bought the app and don't want my personal info to be leaked.
It might be one more place to screw up, but so is just having more actions your app can do.
I'm not sure I see any difference between an app recording all interaction within it (for single purpose apps, but not browsers) and a store video recording everything in it.
Correct. The payment code is usually gone over with a comb for PCI compliance (or completely outsourced to someone like Stripe), whereas the UX tracking is much less so. It's also a common enough issue that stuff like credit cards or API codes end up leaking into logs.
That said, my point isn't necessarily that you should trust apps gathering UX metrics more, but that you should probably trust all apps quite a bit less, whether they track user actions or not.
Most of these kinds of tools (i.e. HotJar) have a flag that will prevent these data from being sent.
> These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.
IMHO that is deceptive. System alerts, notifications, etc. are presented in a protected system context the application can't see, so there is in fact a very big difference between recording button taps and "screenshott[ing]".
Is there much of a practical difference here? Employees at the company can essentially watch a video-like recreation of how you went through and used their app. This includes details that you might not expect such as which email you typed into a field before backspacing and choosing another to sign up with.
I want to believe that a product owner at companies like Tinder aren't watching videos of me sexting someone to "learn how we can improve the user experience". If the response is then to say "don't use Tinder!", start considering the alternatives - you end up having to trust someone, or do nothing digitally.
Yes, because an app provider can know a dozen different ways what they're showing you already, but nothing else on your system. There is a world of difference between Tinder knowing i dismissed an incoming text alert because I swiped up at the top of the screen and knowing what the content of that text message was, to use your example. Tinder can already log the content of the messages you send in their platform,
The other is that PCI helps mitigate their handling on the CC side but those user analytics companies aren't part of that.
Plain old Google Analytics is a bigger deal when you think about it. Anyone that has this configured half decently where the IDs are provided by some backend server really has got the low down on how you use the website. Every aspect of 'engagement' can be recorded and reports made that don't entail watching through untold hours of 'user engagement'.
It is a bit like spying in the modern age. In the olden days any intelligence agency could throw resources at tracking one individual of interest. However if you need a team of twenty people to stalk someone then getting the budget can be hard. They would have to be the 'Chairman of the Communist Leadership' or the leader of a striking union for that to be approved. In the modern era we all know how NSA et al. do it, surveillance on everyone and able to do a report on anyone deemed 'Communist' (or whatever).
It isn't the 'everything on screen' you need to worry about as nobody except an intern is going to be looking at that. It is the half decent Google Analytics setups that are a far greater concern if you are terrified of marketing people. Yet nobody bats an eyelid to Google Analytics, the cookie notices say it is mostly harmless and just there for your own good.
Luckily though very few companies are really that competent at Google Analytics. They may have people adding ever more bloat to Google Tag Manager for this to feed various things such as affiliate marketing schemes, however the people doing SEO are rarely familiar with web development and, not understanding the 'problem space', don't realise the possibilities.
If you don't want Abercrombie to know which items you looked at, don't look at them on the Abercrombie app, or at the Abercrombie store, or on the Abercrombie website.
I do not expect Abercrombie to "see what I do in real time," including where I position my mouse on my screen, text I type and then choose to delete, my physical location, etc.
The expectation of privacy when dealing with a business that can monetise the data about you in some way may be a dead thing already until the govt gets involved.
We need the engineers in these companies to join the fight, refuse to install or add these features. If that is impossible because there are many people who don't see this as a corrupt practice, then we need others to step up and help block and expose it.
Please don't give up on privacy or freedoms, that just dooms us more.
AFAIK it's a pretty standard practice in UX and product design. A&F might have analysed hours of your finger gesture activity, but I doubt they're gonna know what brand of toilet paper you wiped with this morning.
This is a problem with the Silicon Valley bubble. Just because everyone else is in your shit pile doesn’t mean it doesn’t stink. You just can’t smell it.
All I hear is that every mobile/web app connected to the internet has significant privacy issues.
Where I point my mouse is my business dammit.
Nor of any alerts / notifications that are unrelated to the app itself.
So I'd say it can be quite a privacy issue.
Corporate cheerleading at its finest.
[Having hundreds of SV companies offer products that track user behaviour in iOS/Android/Web apps is of course a huge privacy concern, since that can very accurately profile you as a person.]
There are other ways to get information as to what to fix, and I have no need to know what people are doing in my app.