February 7, 2019
I was so, so happy to see this story breaking last night. This very common practice needs to be called out for what it is, an invasive tracking package that promises insight on users, collects data that may or may not be useful, and does the absolute bare minimum to protect user privacy. Actually, now that I think of it, I’m still waiting on a comparable ‘expose’ article on the rest of the analytics industry, but I’ll take what I can get.
I’ve had friends reach out in the past to show things like this as a helpful tool their company uses, and we used to use something similar when I worked on a React Native app, although rather than recording the screen it tracked state changes and could play them back in time.
Look, I get it. You want to be able to see what users are doing, how they’re using the app, where they’re getting confused, what triggers crashes. That’s can be useful information. The problem comes when packages like this make it super easy to just turn on for all users, all the time. Most of those sessions are not uniquely insightful. Most of them will never be reviewed. And yet they’re tracked and stored, creating a potential attack vector for the users.
I see this same attitude at work with the analytics packages we use, in particular Firebase. At any time we can head to that website and take a peak at our users as they use the app. We can see what actions they’re taking and get all sorts of information about them that we don’t need, like interests & hobbies, other apps they use, etc. I assume this profile is built from information Google knows about the user, but is augmented by the data that other apps are reporting to Firebase as well. Worst of all is that we get a map showing where in the world the user is as they use our app, which doesn’t require location permission. The fact that the app I work on contributes to this awful behavior is a source of great shame.
There are people who will defend this behavior. At the worst they’ll suggest that the issue blocking fields can be fixed, and that then there will be nothing wrong with these packages. At the best, there will certainly be an army of people saying that every large-scale app or service does this, and that users understand and expect this tracking as they use apps. To be honest that was also my thinking, despite this practice being abhorrent I thought most people dealt with it knowingly like they deal with ads. The fact that this story is blowing up right now gives me some hope that this may be a reckoning, that consumers (or Apple) will get upset, and these packages will start to be much more tightly controlled. Hopefully iOS will require users to opt in before it allows arbitrary screen capture, although I imagine this will be tricky to implement.
Here’s a tip to companies, like mine, that want to continue using these aggressive, immoral tracking practices.
If you want some piece of data from the user, ask them for it.
If they user gets creeped out by this request, let them say no.
If they do say no, respect that decision.
‘Users might say no’ is never a reason to collect data from or about them without asking them for it.