In addition, TC explained that while the tool is supposed to mask sensitive data recorded from a user's screen, some information such as passport and credit card numbers are getting out. The spokesperson said the company has already reached out to developers whose apps are violating that policy, and Apple will "take immediate action if necessary." In one instance, Cupertino told the developer they have less than a day to remove the code and resubmit their app. If they fail to address the issue within that timeframe, their application would be removed from the App Store.
A company called Glassbox provides the screen recording technology the companies in question, which include Air Canada, Abercrombie & Fitch, Expedia and Hotels.com, are using. Its technology allows those clients to replay a user's actions, giving them concrete examples of how customers are using their apps. In a statement sent to Engadget, Glassbox denied that its clients are "spying" on consumers, stressing that it "provides its customers with the tools to mask every element of personal data." Further, the company said it doesn't share information with third parties and that the data it captures is "highly secured and encrypted."
Here is Glassbox's statement in full:
"TechCrunch's piece raised valid concerns. Yet we believe it is partial and doesn't adequately convey the many benefits for our customers and their users; or reflect the security and privacy capabilities inherent in Glassbox.
Glassbox and its customers are not interested in "spying" on consumers. Our goals are to improve online customer experiences and to protect consumers from a compliance perspective. Since its inception, Glassbox has helped organizations improve millions of customer experiences by providing tools that record and analyze user activity on web sites and apps. This information helps companies better understand how consumers are using their services, and where and why they are struggling.
We are strong supporters of user privacy and security. Glassbox provides its customers with the tools to mask every element of personal data. We firmly believe that our customers should have clear policies in place so that consumers are aware that their data is being recorded -- just as contact centers inform users that their calls are being recorded.
No data collected by Glassbox customers is shared with third parties, nor enriched through other external sources.
Glassbox meets the highest security and data privacy standards and regulations (e.g. SOC2, GDPR), and all data captured via our solution is highly secured and encrypted. We provide our customers with the ability to mask every piece of data entered by a consumer, restrict access to authorized users, and maintain a full audit log of every user accessing the system.
We don't simply record data and provide customers with session replay. Brands come to us because Glassbox means source-proof, tamper-proof, encrypted records of digital activity. These characteristics make Glassbox invaluable, not to 'spy' on customers, but to (a) aid in creating the best and easiest digital journey, and (b) protect both brands and customers with evidential truth that allows for safe and compliant digital experiences."