Yesterday, TechCrunch discovered that multiple popular iPhone apps from major companies are using intrusive analytics services that capture data ranging from taps and swipes to full screen recordings, all without customers knowing about it.
Today, Apple has informed app developers that this kind of screen recording analytics code needs to be clearly disclosed to customers or removed from iOS apps. From an Apple spokesperson's email to TechCrunch:
"Protecting user privacy is paramount in the Apple ecosystem. Our App Store Review Guidelines require that apps request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity."
"We have notified the developers that are in violation of these strict privacy terms and guidelines, and will take immediate action if necessary," the spokesperson added.
At least one developer has already been told to remove the code that recorded app activities. From an email to the developer:
"Your app uses analytics software to collect and send user or device data to a third party without the user's consent. Apps must request explicit user consent and provide a clear visual indication when recording, logging, or otherwise making a record of user activity."
Apple is serious about getting rid of this code and gave the developer in question less than a day to remove it and resubmit the app before it would be pulled from the App Store.
High-profile apps like Abercrombie & Fitch, Hotels.com, Air Canada, Hollister, Expedia, and Singapore Airlines are using Glassbox, a customer experience analytics firm with a "session replay" screen recording feature.
Session replays are designed to let developers screenshot or record a user's screen and then play back those recordings to see how users interact with their apps. Taps, button pushes, and keyboard entries are all captured and provided to app developers.
None of the apps above disclosed that they were recording a user's screen in their privacy policies, which is apparently in violation of Apple's App Store rules.
Apple also requires apps that record the screen to have a little red icon on the top left corner of the phone to make it clear that the screen is being recorded, and it sounds like Apple is going to enforce this rule for this kind of analytics tracking.
Most likely, apps will need to remove this feature because customers are not going to willingly use an app that's recording everything that they're doing and displaying a persistent red icon while the app is open.
Many other analytics companies, such as Appsee and UXCam, have similar practices, so there are undoubtedly many more apps that are using these secret screen recording features without customer knowledge.
Update: Glassbox, the company that many apps use for screen recording analytics capabilities, provided the following statement to MacRumors on the issue:
"TechCrunch's piece raised valid concerns. Yet we believe it is partial and doesn't adequately convey the many benefits for our customers and their users; or reflect the security and privacy capabilities inherent in Glassbox.
Glassbox and its customers are not interested in 'spying' on consumers. Our goals are to improve online customer experiences and to protect consumers from a compliance perspective. Since its inception, Glassbox has helped organizations improve millions of customer experiences by providing tools that record and analyze user activity on web sites and apps. This information helps companies better understand how consumers are using their services, and where and why they are struggling.
We are strong supporters of user privacy and security. Glassbox provides its customers with the tools to mask every element of personal data. We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded -- just as contact centers inform users that their calls are being recorded.
Furthermore: No data collected by Glassbox customers is shared with third parties, nor enriched through other external sources.
Glassbox meets the highest security and data privacy standards and regulations (e.g. SOC2, GDPR), and all data captured via our solution is highly secured and encrypted.
We provide our customers with the ability to mask every piece of data entered by a consumer, restrict access to authorized users, and maintain a full audit log of every user accessing the system.
We don't simply record data and provide customers with session replay. Brands come to us because Glassbox means source-proof, tamper-proof, encrypted records of digital activity. These characteristics make Glassbox invaluable, not to 'spy' on customers, but to (a) aid in creating the best and easiest digital journey, and (b) protect both brands and customers with evidential truth that allows for safe and compliant digital experiences."