Many smartphone users are probably aware that their digital devices collect a significant amount of personal information about them on a daily, if not hourly, basis. However, what they might not be aware of is that many of the most popular iPhone apps include “session replay” technology that makes it possible to record their every touch, tap or swipe, all without their consent.
Session replays without privacy consent
According to a study carried out by TechCrunch, iPhone apps recording user screen activity without privacy consent included apps from retailers, hotel companies, travel sites, airlines, cell phone carriers, and banks. For example, if you recently booked a trip using the Expedia app, there’s a high likelihood that your entire app experience was monitored, recorded, and then sent back to Expedia for further analysis. The same is true if you booked a flight on Air Canada, purchased a new shirt from Hollister or Abercrombie & Fitch, or booked a hotel on Hotels.com.
What all of these apps have in common is their use of “session replay” technology from firms like Glassbox. This technology was originally designed not to spy on customers, but simply to help app developers figure out where customers were having problems, what features were causing glitches, and what parts of the app experience were not easy to follow. However, it’s easy to see how personal data and information collected during these sessions could be used to snoop on users. This is especially the case since the apps did not include any privacy consent features.
Paul Bischoff, privacy advocate with Comparitech.com, emphasized the serious privacy issues created by this user tracking technology, “The use of session replay services in iPhone apps is serious cause for concern for two reasons. The first is that the apps did not get consent to record sessions and take screenshots of users’ devices and send them back to the app developers. Many of the apps make no explicit mention of the use of session replay services in their privacy policies.” Moreover, said Bischoff, “The data collected and sent to the app developers might not be properly secured. If the app developers do not take measures to properly mask sensitive information in their apps, then unencrypted screenshots containing passwords and credit card information could be accessed or intercepted by attackers.”
And, indeed, in several cases, very sensitive personal data (including passport numbers and credit card numbers) were not masked during the app session. Air Canada, for example, failed to mask sensitive user data within the app experience. As a result, when session replays were sent back to the app developers, the potential existed for unscrupulous individuals to get access to this information. Obviously, this is in direct violation of basic data privacy practices, which suggest that sensitive data must always be masked.
Moreover, the app developers also violated another clear data privacy best practice: giving a clear visual indication when any recording or logging is about to happen, and then requesting privacy consent from the user. From a purely legal perspective, then, recording and capturing user screens is not illegal. What is not allowed, however, is to do this without first informing the user and requesting privacy consent.
Apple’s response to the new privacy scandal
Apple, clearly sensing that this new TechCrunch report might have an immediate impact on the way users view its privacy practices, took action immediately. The company alerted developers that the session replay and tracking technology that collected personal information was in clear violation of the App Store Review Guidelines. Apple requested that developers immediately change their practices, noting that, “Protecting user privacy is paramount.” If developers did not take steps to address this violation of privacy consent terms, Apple would have no other option than to remove the offending apps from the App Store.