A lot of people here are commenting that it's no big deal that organizations are recording every screen, tap and swipe for their own apps. There are two problems with that:
1. As the article mentions, in some cases these apps end up leaking sensitive data like credit card details and passwords. Generally, if you are taking snapshots of the user's screen instead of sending text metrics, it becomes much harder to mask sensitive data at all times.
2. The bigger issue is that these services generally use third parties to record this, and their privacy policy is a big problem. For example, Glassbox explicitly mentions that it will share end user personal data with their "enterprise" clients (which I am guessing are basically ad companies):
> From time to time, GLASSBOX grants certain of its enterprise clients a license or other rights to GLASSBOX’s proprietary software products and solutions (the “GLASSBOX Solutions”). Through their use of these GLASSBOX Solutions and/or through other means, enterprise clients of GLASSBOX may get access to, collect and use: (i) End User non-personally identifiable information; and (ii) End User Personal Data.
> There are also times when we will combine such information with additional non-personal or de-identified information we obtain from other companies as well as End User Personal Data, in order for our enterprise clients to market directly to a certain person subject to requirements of applicable law. We typically analyze this information and organize it into user groups and audiences, based on factors such as age, gender, geography, interests and online actions. We and our enterprise clients then use these user groups and audiences, along with information about the possible relationships among different browsers and devices, to design and deliver customized advertising campaigns or other relevant content.
Are any of these apps used in the EU? If there’s no user consent for this privacy policy it strikes me that this isn’t GDPR compliant and these guys are just waiting to get fined. I wonder if they can get around it by having their clients (Hotels.com, etc) essentially proxy this consent through their own privacy policies.
I’m not sure how that’s true when the article mentions that they’re leaking users’ personal data like credit cards and so forth. Also it seems Apple just released a “cease and desist” due to privacy on this front.
https://www.glassboxdigital.com/privacy-policy/