Many smartphone users are probably aware that their digital devices collect a significant amount of personal information about them on a daily, if not hourly, basis. What they might not be aware of is that many of the most popular iPhone apps include “session replay” technology that makes it possible to record their every touch, tap or swipe, all without their privacy consent.
Session replays without privacy consent
According to a study carried out by TechCrunch, the iPhone apps recording user screen activity without privacy consent included apps from retailers, hotel companies, travel sites, airlines, cell phone carriers, and banks. For example, if you recently booked a trip using the Expedia app, there’s a high likelihood that your entire app experience was monitored, recorded, and then sent back to Expedia for further analysis. The same is true if you booked a flight on Air Canada, purchased a new shirt from Hollister or Abercrombie & Fitch, or booked a hotel on Hotels.com.
What all of these apps have in common is their use of “session replay” technology from firms like Glassbox. This technology was originally designed not to spy on customers, but simply to help app developers figure out where customers were having problems, what features were causing glitches, and what parts of the app experience were not easy to follow. However, it’s easy to see how personal data and information collected during these sessions could be used to snoop on users. This is especially the case since the apps did not include any privacy consent features.
Paul Bischoff, privacy advocate with Comparitech.com, emphasized the serious privacy issues created by this user tracking technology: “The use of session replay services in iPhone apps is serious cause for concern for two reasons. The first is that the apps did not get consent to record sessions and take screenshots of users’ devices and send them back to the app developers. Many of the apps make no explicit mention of the use of session replay services in their privacy policies.” Moreover, said Bischoff, “The data collected and sent to the app developers might not be properly secured. If the app developers do not take measures to properly mask sensitive information in their apps, then unencrypted screenshots containing passwords and credit card information could be accessed or intercepted by attackers.”
And, indeed, in several cases, very sensitive personal data (including passport numbers and credit card numbers) were not masked during the app session. Air Canada, for example, failed to mask sensitive user data within the app experience. As a result, when session replays were sent back to the app developers, the potential existed for unscrupulous individuals to get access to this information. Obviously, this is in direct violation of basic data privacy practices, which suggest that sensitive data must always be masked.
Moreover, the app developers also violated another clear data privacy best practice: giving a clear visual indication when any recording or logging is about to happen, and then requesting privacy consent from the user. From a purely legal perspective, then, recording and capturing user screens is not illegal. What is not allowed, however, is to do this without first informing the user and requesting privacy consent.
Apple’s response to the new privacy scandal
Apple, clearly sensing that this new TechCrunch report might have an immediate impact on the way users view its privacy practices, took action immediately. The company alerted developers that the session replay and tracking technology that collected personal information was in clear violation of the App Store Review Guidelines. Apple requested that developers immediately change their practices, noting that, “Protecting user privacy is paramount.” If developers did not take steps to address this violation of privacy consent terms, Apple would have no other option than to remove the offending apps from the App Store.
Recently, Apple has had to deal with other app-related privacy scandals, including one involving a Facebook research app that collected user data from teenagers on a paid basis. According to Apple, Facebook was misusing its developer privileges, which enabled the social network to build and provide apps outside of the App Store experience that could theoretically sidestep any concerns about privacy consent.
The new privacy concerns about Apple are, in many ways, a further outgrowth of user concerns about smartphone app privacy. For example, in 2018, a report from a group of researchers at Northeastern University found that 8,000 of the total 17,000 apps they tested sent personal data and personal information back to Facebook. Moreover, over 9,000 of these apps had permission to access the camera or microphone of the user, heightening fears about surreptitious user surveillance.
The response from Glassbox about possible privacy violations
As might be imagined, Glassbox has rejected any claims that it was helping companies to spy on users. In fact, said Glassbox, there were many other companies using the same exact technology to help app developers make their apps as glitch-free as possible. Responding to the report, Glassbox said that it was “misleading” because the technology was not intended for spying purposes. Moreover, said Glassbox, no data was shared with third parties – just the app developer that originally integrated the technology.
And other companies contacted about the TechCrunch report also sought to distance themselves from the story. For example, private sector retailer Abercrombie & Fitch said that the technology was only used to “help support a seamless shopping experience.” And Air Canada, even while failing to mask sensitive personal data, made it clear that it does not and cannot capture any iPhone screens outside of the app experience.
Yet, as privacy advocates warn, there is more that these companies should be doing to protect user privacy. Chris Olson, CEO of The Media Trust, suggested that, “If app providers are truly concerned about the user experience, they should find out who all their third-party code suppliers are and what these suppliers’ code do to users. They should also ensure that their privacy policies reflect suppliers’ data processing activities. Sweeping data privacy laws like GDPR and California’s Consumer Data Privacy Act will hold them either partly or solely responsible and levy stiff penalties for theirs and their third parties’ unsanctioned processing of consumer information. This widespread blind spot toward third party code can cost companies their reputation and revenue.”
Potential regulation on the horizon
So, despite any protests from companies that they are doing nothing wrong, the fact remains that the European Union’s General Data Protection Regulation (GDPR) has fundamentally changed the game when it comes to what types of data apps can collect, how they can use that data, and when they must obtain privacy consent from users. Failure to comply with the GDPR could lead to substantial penalties.
Thus, as more reports like the TechCrunch study of popular apps go mainstream, it is quite likely that the U.S. regulatory environment will shift in favor of a more aggressive stance. With smartphones nearly ubiquitous in our daily private lives, it is important that the proper safeguards are in place to protect user privacy. The time may soon be near for similar GDPR-type legislation in the United States.