terms of service

Auto Added by WPeMatico

Have ‘The Privacy Talk’ with your business partners

As a parent of teenagers, I’m used to having tough, sometimes even awkward, conversations about topics that are complex but important. Most parents will likely agree with me when I say those types of conversations never get easier, but over time, you tend to develop a roadmap of how to approach the subject, how to make sure you’re being clear and how to answer hard questions.

And like many parents, I quickly learned that my children have just as much to teach me as I can teach them. I’ve learned that tough conversations build trust.

I’ve applied this lesson about trust-building conversations to an extremely important aspect of my role as the chief legal officer at Foursquare: Conducting “The Privacy Talk.”

The discussion should convey an understanding of how the legislative and regulatory environment are going to affect product offerings, including what’s being done to get ahead of that change.

What exactly is The Privacy Talk?

It’s the conversation that goes beyond the written, publicly posted privacy policy and dives deep into a customer, vendor, supplier or partner’s approach to ethics. This conversation seeks to convey and align the expectations that two companies must have at the beginning of a new engagement.

RFIs may ask a lot of questions about privacy compliance, information security and data ethics. But it’s no match for asking your prospective partner to hop on a Zoom to walk you through their broader approach. Unless you hear it firsthand, it can be hard to discern whether a partner is thinking strategically about privacy, if they are truly committed to data ethics and how compliance is woven into their organization’s culture.

Powered by WPeMatico

Privacy-oriented search app Xayn raises $12M from Japanese backers to go into devices

Back in December 2020 we covered the launch of a new kind of smartphone app-based search engine, Xayn.

“A search engine?!” I hear you say? Well, yes, because despite the convenience of modern search engines’ ability to tailor their search results to the individual, this user-tracking comes at the expense of privacy. This mass surveillance might be what improves Google’s search engine and Facebook’s ad targeting, to name just two examples, but it’s not very good for our privacy.

Internet users are admittedly able to switch to the U.S.-based DuckDuckGo, or perhaps France’s Qwant, but what they gain in privacy, they often lose in user experience and the relevance of search results, through this lack of tailoring.

What Berlin-based Xayn has come up with is personalized, but a privacy-safe web search on smartphones, which replaces the cloud-based AI employed by Google et al. with the innate AI in-built into modern smartphones. The result is that no data about you is uploaded to Xayn’s servers.

And this approach is not just for “privacy freaks”. Businesses that need search but don’t need Google’s dominant market position are increasingly attracted by this model.

And the evidence comes today with the news that Xayn has now raised almost $12 million in Series A funding led by the Japanese investors Global Brain and KDDI (a Japanese telecommunications operator), with participation from previous backers, including the Earlybird VC in Berlin. Xayn’s total financing now comes to more than $23 million.

It would appear that Xayn’s fusion of a search engine, a discovery feed and a mobile browser has appealed to these Asian market players, particularly because Xayn can be built into OEM devices.

The result of the investment is that Xayn will now also focus on the Asian market, starting with Japan, as well as Europe.

Leif-Nissen Lundbæk, co-founder and CEO of Xayn said: “We proved with Xayn that you can have it all: great results through personalization, privacy by design through advanced technology and a convenient user experience through clean design.”

He added: “In an industry in which selling data and delivering ads en masse are the norm, we choose to lead with privacy instead and put user satisfaction front and center.”

The funding comes as legislation such as the EU’s GDPR or California’s CCPA have both raised public awareness about personal data online.

Since its launch, Xayn says its app has been downloaded around 215,000 times worldwide, and a web version of its app is expected soon.

Over a call, Lundbæk expanded on the KDDI aspect of the fund-raising: “The partnership with KDDI means we will give users access to Xayn for free, while the corporate — such as KDDI — is the actual customer but gives our search engine away for free.”

The core features of Xayn include personalized search results; a personalized feed of the entire internet, which learns from their Tinder-like swipes, without collecting or sharing personal data; and an ad-free experience.

Naoki Kamimeada, partner at Global Brain Corporation said: “The market for private online search is growing, but Xayn is head and shoulders above everyone else because of the way they’re re-thinking how finding information online should be.”

Kazuhiko Chuman, head of KDDI Open Innovation Fund, said: “This European discovery engine uniquely combines efficient AI with a privacy-protecting focus and a smooth user experience. At KDDI, we’re constantly on the lookout for companies that can shape the future with their expertise and technology. That’s why it was a perfect match for us.”

In addition to the three co-founders (Leif-Nissen Lundbæk, chief executive officer, Professor Michael Huth, chief research officer, and Felix Hahmann, chief operations officer), Dr Daniel von Heyl will come on board as chief financial officer. Frank Pepermans will take on the role of chief technology officer and Michael Briggs will join as chief growth officer.

Powered by WPeMatico

Privacy data management innovations reduce risk, create new revenue channels

Mark Settle
Contributor

Mark Settle is a seven-time CIO, three-time CIO 100 award winner and two-time book author. His most recent book is “Truth from the Valley: A Practical Primer on IT Management for the Next Decade.”

Tomer Y. Avni
Contributor

Tomer Y. Avni is an MBA/MS student at the Harvard Business School and the Harvard School of Engineering and Applied Sciences.

Privacy data mismanagement is a lurking liability within every commercial enterprise. The very definition of privacy data is evolving over time and has been broadened to include information concerning an individual’s health, wealth, college grades, geolocation and web surfing behaviors. Regulations are proliferating at state, national and international levels that seek to define privacy data and establish controls governing its maintenance and use.

Existing regulations are relatively new and are being translated into operational business practices through a series of judicial challenges that are currently in progress, adding to the confusion regarding proper data handling procedures. In this confusing and sometimes chaotic environment, the privacy risks faced by almost every corporation are frequently ambiguous, constantly changing and continually expanding.

Conventional information security (infosec) tools are designed to prevent the inadvertent loss or intentional theft of sensitive information. They are not sufficient to prevent the mismanagement of privacy data. Privacy safeguards not only need to prevent loss or theft but they must also prevent the inappropriate exposure or unauthorized usage of such data, even when no loss or breach has occurred. A new generation of infosec tools is needed to address the unique risks associated with the management of privacy data.

The first wave of innovation

A variety of privacy-focused security tools emerged over the past few years, triggered in part by the introduction of GDPR (General Data Protection Regulation) within the European Union in 2018. New capabilities introduced by this first wave of innovation were focused in the following three areas:

Data discovery, classification and cataloging. Modern enterprises collect a wide variety of personal information from customers, business partners and employees at different times for different purposes with different IT systems. This data is frequently disseminated throughout a company’s application portfolio via APIs, collaboration tools, automation bots and wholesale replication. Maintaining an accurate catalog of the location of such data is a major challenge and a perpetual activity. BigID, DataGuise and Integris Software have gained prominence as popular solutions for data discovery. Collibra and Alation are leaders in providing complementary capabilities for data cataloging.

Consent management. Individuals are commonly presented with privacy statements describing the intended use and safeguards that will be employed in handling the personal data they supply to corporations. They consent to these statements — either explicitly or implicitly — at the time such data is initially collected. Osano, Transcend.io and DataGrail.io specialize in the management of consent agreements and the enforcement of their terms. These tools enable individuals to exercise their consensual data rights, such as the right to view, edit or delete personal information they’ve provided in the past.

Powered by WPeMatico

UK’s NHS COVID-19 app lacks robust legal safeguards against data misuse, warns committee

A UK parliamentary committee that focuses on human rights issues has called for primary legislation to be put in place to ensure that legal protections wrap around the national coronavirus contact tracing app.

The app, called NHS COVID-19, is being fast tracked for public use — with a test ongoing this week in the Isle of Wight. It’s set to use Bluetooth Low Energy signals to log social interactions between users to try to automate some contacts tracing based on an algorithmic assessment of users’ infection risk.

The NHSX has said the app could be ready for launch within a matter of weeks but the committee says key choices related to the system architecture create huge risks for people’s rights that demand the safeguard of primary legislation.

“Assurances from Ministers about privacy are not enough. The Government has given assurances about protection of privacy so they should have no objection to those assurances being enshrined in law,” said committee chair, Harriet Harman MP, in a statement.

“The contact tracing app involves unprecedented data gathering. There must be robust legal protection for individuals about what that data will be used for, who will have access to it and how it will be safeguarded from hacking.

“Parliament was able quickly to agree to give the Government sweeping powers. It is perfectly possible for parliament to do the same for legislation to protect privacy.”

The NHSX, a digital arm of the country’s National Health Service, is in the process of testing the app — which it’s said could be launched nationally within a few weeks.

The government has opted for a system design that will centralize large amounts of social graph data when users experiencing COVID-19 symptoms (or who have had a formal diagnosis) choose to upload their proximity logs.

Earlier this week we reported on one of the committee hearings — when it took testimony from NHSX CEO Matthew Gould and the UK’s information commissioner, Elizabeth Denham, among other witnesses.

Warning now over a lack of parliamentary scrutiny — around what it describes as an unprecedented expansion of state surveillance — the committee report calls for primary legislation to ensure “necessary legal clarity and certainty as to how data gathered could be used, stored and disposed of”.

The committee also wants to see an independent body set up to carry out oversight monitoring and guard against ‘mission creep’ — a concern that’s also been raised by a number of UK privacy and security experts in an open letter late last month.

“A Digital Contact Tracing Human Rights Commissioner should be responsible for oversight and they should be able to deal with complaints from the Public and report to Parliament,” the committee suggests.

Prior to publishing its report, the committee wrote to health minister Matt Hancock, raising a full spectrum of concerns — receiving a letter in response.

In this letter, dated May 4, Hancock told it: “We do not consider that legislation is necessary in order to build and deliver the contact tracing app. It is consistent with the powers of, and duties imposed on, the Secretary of State at a time of national crisis in the interests of protecting public health.”

The committee’s view is Hancock’s ‘letter of assurance’ is not enough given the huge risks attached to the state tracking citizens’ social graph data.

“The current data protection framework is contained in a number of different documents and it is nearly impossible for the public to understand what it means for their data which may be collected by the digital contact tracing system. Government’s assurances around data protection and privacy standards will not carry any weight unless the Government is prepared to enshrine these assurances in legislation,” it writes in the report, calling for a bill that it says myst include include a number of “provisions and protections”.

Among the protections the committee is calling for are limits on who has access to data and for what purpose.

“Data held centrally may not be accessed or processed without specific statutory authorisation, for the purpose of combatting Covid-19 and provided adequate security protections are in place for any systems on which this data may be processed,” it urges.

It also wants legal protections against data reconstruction — by different pieces of data being combined “to reconstruct information about an individual”.

The report takes a very strong line — warning that no app should be released without “strong protections and guarantees” on “efficacy and proportionality”.

“Without clear efficacy and benefits of the app, the level of data being collected will be not be justifiable and it will therefore fall foul of data protection law and human rights protections,” says the committee.

The report also calls for regular reviews of the app — looking at efficacy; data safety; and “how privacy is being protected in the use of any such data”.

It also makes a blanket call for transparency, with the committee writing that the government and health authorities “must at all times be transparent about how the app, and data collected through it, is being used”.

A lack of transparency around the project was another of the concerns raised by the 177 academics who signed the open letter last month.

The government has committed to publishing data protection impact assessments for the app. But the ICO’s Denham still hadn’t had sight of this document as of this Monday.

Another call by the committee is for a time-limit to be attached to any data gathered by or generated via the app. “Any digital contact tracing (and data associated with it) must be permanently deleted when no longer required and in any event may not be kept beyond the duration of the public health emergency,” it writes.

We’ve reached out to the Department of Health and NHSX for comment on the human rights committee’s report.

Let’s go through Matt Hancock’s letter to @HarrietHarman @HumanRightsCtte on the NHSX app and take a closer look at some of these statements 1/ https://t.co/sQe2U8wkiy

— Michael Veale (@mikarv) May 7, 2020

There’s another element to this fast moving story: Yesterday the Financial Times reported that the NHSX has inked a new contract with an IT supplier which suggests it might be looking to change the app architecture — moving away from a centralized database to a decentralized system for contacts tracing. Although NHSX has not confirmed any such switch at this point.

Some other countries have reversed course in their choice of app architecture after running into technical challenges related to Bluetooth. The need to ensure public trust in the system was also cited by Germany for switching to a decentralized model.

The human rights committee report highlights a specific app efficacy issue of relevance to the UK, which it points out is also linked to these system architecture choices, noting that: “The Republic of Ireland has elected to use a decentralised app and if a centralised app is in use in Northern Ireland, there are risks that the two systems will not be interoperable which would be most unfortunate.”

Professor Lilian Edwards, a legal expert from Newcastle University, who has co-authored a draft bill proposing a set of safeguards for coronavirus apps (much of which was subsequently taken up by Australia for a legal instrument that wraps public health contact info during the coronavirus crisis) — and who also now sits as an independent advisor on an ethics committee that’s been set up for the NHSX app — welcomed the committee report.

Speaking in a personal capacity she told TechCrunch: “My team and I welcome this.”

But she flagged a couple of omissions in the report. “They have left out two of the recommendations from my bill — one of which, I totally expected; that there be no compulsion to carry a phone. Because they will just be assumed within our legal system but I don’t think it would have hurt to have said it. But ok.

“The second point — which is important — is the point about there not being compulsion to install the app or to display it. And there not being, therefore, discrimination against you if you don’t. Like not being allowed to go to your workplace is an obvious example. Or not being allowed to go to a football game when they reopen. And that’s the key point where the struggle is.”

The conflict, says Edwards, is on the one hand you could argue what’s the point of doing digital contact tracing at all if you can’t make sure people are able to receive notifications that they might be a contact. But — on the other — if you allow compulsion that then “leaves it open to be very discriminatory” — meaning people could abuse the requirement to target and exclude others from a workplace, for example.

“There are people who’ve got perfectly valid reasons to not want to have this on their phone,” Edwards added. “Particularly if it’s centralized rather than decentralized.”

She also noted that the first version of her draft coronavirus safeguards bill had allowed compulsion re: having the app on the phone but required it to be balanced by a proportionality analysis — meaning any such compulsion must be “proportionate to a legitimate aim”.

But after Australia opted for zero compulsion in its legal instrument she said she and her team decided to revise their bill to also strike out the provision entirely.

Edwards suggested the human rights committee may not have included this particular provision in their recommendations because parliamentary committees are only able to comment on evidence they receive during an inquiry. “So I don’t think it would have been in their remit to recommend on that,” she noted, adding: “It isn’t actually an indication that they’re not interested in these concepts; it’s just procedure I think.”

She also highlighted the issues of so-called ‘immunity passports’ — something the government has reportedly been in discussions with startups about building as part of its digital coronavirus response, but which the committee report also does not touch on.

However, without full clarity on the government’s evolving plans for its digital coronavirus response, and with, inevitably, a high degree of change and flux amid a public health emergency situation, it’s clearly difficult for committees to interrogate so many fast moving pieces.

“The select committees have actually done really, really well,” added Edwards. “But it just shows how the ground has shifted so much in a week.”

This report was updated with additional comment

Powered by WPeMatico

OneTrust raises $200M at a $1.3B valuation to help organizations navigate online privacy rules

GDPR, and the newer California Consumer Privacy Act, have given a legal bite to ongoing developments in online privacy and data protection: it’s always good practice for companies with an online presence to take measures to safeguard people’s data, but now failing to do so can land them in some serious hot water.

Now — to underscore the urgency and demand in the market — one of the bigger companies helping organizations navigate those rules is announcing a huge round of funding. OneTrust, which builds tools to help companies navigate data protection and privacy policies both internally and with its customers, has raised $200 million in a Series A led by Insight that values the company at $1.3 billion.

It’s an outsized round for a Series A, being made at an equally outsized valuation — especially considering that the company is only three years old — but that’s because of the wide-ranging nature of the issue, according to CEO Kabir Barday, and OneTrust’s early moves and subsequent pole position in tackling it.

“We’re talking about an operational overhaul in a company’s practices,” Barday said in an interview. “That requires the right technology and reach to be able to deliver that at a low cost.” Notably, he said that OneTrust wasn’t actually in search of funding — it’s already generating revenue and could have grown off its own balance sheet — although he noted that having the capitalization and backing sends a signal to the market and in particular to larger organizations of its stability and staying power.

Currently, OneTrust has around 3,000 customers across 100 countries (and 1,000 employees), and the plan will be to continue to expand its reach geographically and to more businesses. Funding will also go toward the company’s technology: it already has 50 patents filed and another 50 applications in progress, securing its own IP in the area of privacy protection.

OneTrust offers technology and services covering three different aspects of data protection and privacy management.

Its Privacy Management Software helps an organization manage how it collects data, and it generates compliance reports in line with how a site is working relative to different jurisdictions. Then there is the famous (or infamous) service that lets internet users set their preferences for how they want their data to be handled on different sites. The third is a larger database and risk management platform that assesses how various third-party services (for example advertising providers) work on a site and where they might pose data protection risks.

These are all provided either as a cloud-based software as a service, or an on-premises solution, depending on the customer in question.

The startup also has an interesting backstory that sheds some light on how it was founded and how it identified the gap in the market relatively early.

Alan Dabbiere, who is the co-chairman of OneTrust, had been the chairman of Airwatch — the mobile device management company acquired by VMware in 2014 (Airwatch’s CEO and founder, John Marshall, is OneTrust’s other co-chairman). In an interview, he told me that it was when they were at Airwatch — where Barday had worked across consulting, integration, engineering and product management — that they began to see just how a smartphone “could be a quagmire of privacy issues.”

“We could capture apps that an employee was using so that we could show them to IT to mitigate security risks,” he said, “but that actually presented a big privacy issue. If [the employee] has dyslexia [and uses a special app for it] or if the employee used a dating app, you’ve now shown things to IT that you shouldn’t have.”

He admitted that in the first version of the software, “we weren’t even thinking about whether that was inappropriate, but then we quickly realised that we needed to be thinking about privacy.”

Dabbiere said that it was Barday who first brought that sensibility to light, and “that is something that we have evolved from.” After that, and after the VMware sale, it seemed a no-brainer that he and Marshall would come on to help the new startup grow.

Airwatch made a relatively quick exit, I pointed out. His response: the plan is to stay the course at OneTrust, with a lot more room for expansion in this market. He describes the issues of data protection and privacy as “death by 1,000 cuts.” I guess when you think about it from an enterprising point of view, that essentially presents 1,000 business opportunities.

Indeed, there is obvious growth potential to expand not just its funnel of customers, but to add more services, such as proactive detection of malware that might leak customers’ data (which calls to mind the recently fined breach at British Airways), as well as tools to help stop that once identified.

While there are a million other companies also looking to fix those problems today, what’s interesting is the point from which OneTrust is starting: by providing tools to organizations simply to help them operate in the current regulatory climate as good citizens of the online world.

This is what caught Insight’s eye with this investment.

“OneTrust has truly established themselves as leaders in this space in a very short time frame, and are quickly becoming for privacy professionals what Salesforce became for salespeople,” said Richard Wells of Insight. “They offer such a vast range of modules and tools to help customers keep their businesses compliant with varying regulatory laws, and the tailwinds around GDPR and the upcoming CCPA make this an opportune time for growth. Their leadership team is unparalleled in their ambition and has proven their ability to convert those ambitions into reality.”

Wells added that while this is a big round for a Series A it’s because it is something of an outlier — not a mark of how Series A rounds will go soon.

“Investors will always be interested in and keen to partner with companies that are providing real solutions, are already established and are led by a strong group of entrepreneurs,” he said in an interview. “This is a company that has the expertise to help solve for what could be one of the greatest challenges of the next decade. That’s the company investors want to partner with and grow, regardless of fund timing.”

Powered by WPeMatico

Apple ad focuses on iPhone’s most marketable feature — privacy

Apple is airing a new ad spot in primetime today. Focused on privacy, the spot is visually cued, with no dialog and a simple tagline: Privacy. That’s iPhone.

In a series of humorous vignettes, the message is driven home that sometimes you just want a little privacy. The spot has only one line of text otherwise, and it’s in keeping with Apple’s messaging on privacy over the long and short term. “If privacy matters in your life, it should matter to the phone your life is on.”

The spot will air tonight in primetime in the U.S. and extend through March Madness. It will then air in select other countries.

You’d have to be hiding under a rock not to have noticed Apple positioning privacy as a differentiating factor between itself and other companies. Beginning a few years ago, CEO Tim Cook began taking more and more public stances on what the company felt to be your “rights” to privacy on their platform and how that differed from other companies. The undercurrent being that Apple was able to take this stance because its first-party business relies on a relatively direct relationship with customers who purchase its hardware and, increasingly, its services.

This stands in contrast to the model of other tech giants like Google or Facebook that insert an interstitial layer of monetization strategy on top of that relationship in the forms of application of personal information about you (in somewhat anonymized fashion) to sell their platform to advertisers that in turn can sell to you better.

Turning the ethical high ground into a marketing strategy is not without its pitfalls, though, as Apple has discovered recently with a (now patched) high-profile FaceTime bug that allowed people to turn your phone into a listening device, Facebook’s manipulation of App Store permissions and the revelation that there was some long overdue house cleaning needed in its Enterprise Certificate program.

I did find it interesting that the iconography of the “Private Side” spot very, very closely associates the concepts of privacy and security. They are separate, but interrelated, obviously. This spot says these are one and the same. It’s hard to enforce privacy without security, of course, but in the mind of the public I think there is very little difference between the two.

The App Store itself, of course, still hosts apps from Google and Facebook among thousands of others that use personal data of yours in one form or another. Apple’s argument is that it protects the data you give to your phone aggressively by processing on the device, collecting minimal data, disconnecting that data from the user as much as possible and giving users as transparent a control interface as possible. All true. All far, far better efforts than the competition.

Still, there is room to run, I feel, when it comes to Apple adjudicating what should be considered a societal norm when it comes to the use of personal data on its platform. If it’s going to be the absolute arbiter of what flies on the world’s most profitable application marketplace, it might as well use that power to get a little more feisty with the bigcos (and littlecos) that make their living on our data.

I mention the issues Apple has had above not as a dig, though some might be inclined to view Apple integrating privacy with marketing as boldness bordering on hubris. I, personally, think there’s still a major difference between a company that has situational loss of privacy while having a systemic dedication to privacy and, well, most of the rest of the ecosystem which exists because they operate an “invasion of privacy as a service” business.

Basically, I think stating privacy is your mission is still supportable, even if you have bugs. But attempting to ignore that you host the data platforms that thrive on it is a tasty bit of prestidigitation.

But that might be a little too verbose as a tagline.

Powered by WPeMatico

Many popular iPhone apps secretly record your screen without asking

Many major companies, like Air Canada, Hollister and Expedia, are recording every tap and swipe you make on their iPhone apps. In most cases you won’t even realize it. And they don’t need to ask for permission.

You can assume that most apps are collecting data on you. Some even monetize your data without your knowledge. But TechCrunch has found several popular iPhone apps, from hoteliers, travel sites, airlines, cell phone carriers, banks and financiers, that don’t ask or make it clear — if at all — that they know exactly how you’re using their apps.

Worse, even though these apps are meant to mask certain fields, some inadvertently expose sensitive data.

Apps like Abercrombie & Fitch, Hotels.com and Singapore Airlines also use Glassbox, a customer experience analytics firm, one of a handful of companies that allows developers to embed “session replay” technology into their apps. These session replays let app developers record the screen and play them back to see how its users interacted with the app to figure out if something didn’t work or if there was an error. Every tap, button push and keyboard entry is recorded — effectively screenshotted — and sent back to the app developers.

Or, as Glassbox said in a recent tweet: “Imagine if your website or mobile app could see exactly what your customers do in real time, and why they did it?”

The App Analyst, a mobile expert who writes about his analyses of popular apps on his eponymous blog, recently found Air Canada’s iPhone app wasn’t properly masking the session replays when they were sent, exposing passport numbers and credit card data in each replay session. Just weeks earlier, Air Canada said its app had a data breach, exposing 20,000 profiles.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he told TechCrunch.

In the case of Air Canada’s app, although the fields are masked, the masking didn’t always stick (Image: The App Analyst/supplied)

We asked The App Analyst to look at a sample of apps that Glassbox had listed on its website as customers. Using Charles Proxy, a man-in-the-middle tool used to intercept the data sent from the app, the researcher could examine what data was going out of the device.

Not every app was leaking masked data; none of the apps we examined said they were recording a user’s screen — let alone sending them back to each company or directly to Glassbox’s cloud.

That could be a problem if any one of Glassbox’s customers aren’t properly masking data, he said in an email. “Since this data is often sent back to Glassbox servers I wouldn’t be shocked if they have already had instances of them capturing sensitive banking information and passwords,” he said.

The App Analyst said that while Hollister and Abercrombie & Fitch sent their session replays to Glassbox, others like Expedia and Hotels.com opted to capture and send session replay data back to a server on their own domain. He said that the data was “mostly obfuscated,” but did see in some cases email addresses and postal codes. The researcher said Singapore Airlines also collected session replay data but sent it back to Glassbox’s cloud.

Without analyzing the data for each app, it’s impossible to know if an app is recording a user’s screens of how you’re using the app. We didn’t even find it in the small print of their privacy policies.

Apps that are submitted to Apple’s App Store must have a privacy policy, but none of the apps we reviewed make it clear in their policies that they record a user’s screen. Glassbox doesn’t require any special permission from Apple or from the user, so there’s no way a user would know.

Expedia’s policy makes no mention of recording your screen, nor does Hotels.com’s policy. And in Air Canada’s case, we couldn’t spot a single line in its iOS terms and conditions or privacy policy that suggests the iPhone app sends screen data back to the airline. And in Singapore Airlines’ privacy policy, there’s no mention, either.

We asked all of the companies to point us to exactly where in its privacy policies it permits each app to capture what a user does on their phone.

Only Abercombie responded, confirming that Glassbox “helps support a seamless shopping experience, enabling us to identify and address any issues customers might encounter in their digital experience.” The spokesperson pointing to Abercrombie’s privacy policy makes no mention of session replays, neither does its sister-brand Hollister’s policy.

“I think users should take an active role in how they share their data, and the first step to this is having companies be forthright in sharing how they collect their users data and who they share it with,” said The App Analyst.

When asked, Glassbox said it doesn’t enforce its customers to mention its usage in their privacy policy.

“Glassbox has a unique capability to reconstruct the mobile application view in a visual format, which is another view of analytics, Glassbox SDK can interact with our customers native app only and technically cannot break the boundary of the app,” the spokesperson said, such as when the system keyboard covers part of the native app, “Glassbox does not have access to it,” the spokesperson said.

Glassbox is one of many session replay services on the market. Appsee actively markets its “user recording” technology that lets developers “see your app through your user’s eyes,” while UXCam says it lets developers “watch recordings of your users’ sessions, including all their gestures and triggered events.” Most went under the radar until Mixpanel sparked anger for mistakenly harvesting passwords after masking safeguards failed.

It’s not an industry that’s likely to go away any time soon — companies rely on this kind of session replay data to understand why things break, which can be costly in high-revenue situations.

But for the fact that the app developers don’t publicize it just goes to show how creepy even they know it is.


Got a tip? You can send tips securely over Signal and WhatsApp to +1 646-755–8849. You can also send PGP email with the fingerprint: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.

Powered by WPeMatico

Matt Mitchell of CryptoHarlem is building an open source tool to help organizations prepare for data breaches

 This morning on the stage of TC Sessions: Justice, Matt Mitchell of CryptoHarlem discussed his views on the link between surveillance and minority oppression and the importance of taking a preventative approach to security and privacy. Mitchell, a specialist in digital safety and encryption, is dedicating time to creating Protect Your Org, a free, open source, tool for all organizations… Read More

Powered by WPeMatico

Pokemon Go T&Cs strip users of legal rights

The Pokemon "Pikachu" is seen at the amusement park in Tokyo, July 13, 2016. (Photo by Hitoshi Yamada/NurPhoto via Getty Images) Players of Pokemon Go are not only giving up their right to act like sane human beings in public, as they walk around, zombie-esque, reaching into the phones held in front of their faces, they are also likely to be waiving legal rights if they don’t take a very close look at Niantic Labs’ Terms of Service for the game. Read More

Powered by WPeMatico