In 2013, Facebook offered to buy Snapchat, whose messaging app was just two years old, for a cool $3 billion. After Snapchat founder Evan Spiegel rejected the offer, Facebook turned to Instagram, a photo-sharing service it acquired in 2012 for $1 billion, to play Snapchat’s game.
Instagram introduced features such as filters and Instagram Stories aimed at the Snapchat demographic, made possible by the technology Facebook acquired when it bought Israeli startup Onavo for $150 million in 2013 and turned into its Israeli research and development center.
Onavo was critical to Facebook’s strategy because the Israeli company’s Insights service anonymously collected data on smartphone usage patterns from users who installed the applications on their devices.
But the Facebook-Onavo partnership is just the tip of the iceberg: All over the world, companies are using similar technology that was developed in Israel — and they don’t always use it appropriately.
In recent years, several Israeli startups that specialize in collecting and analyzing user data have been ensnared in cases involving invasion of privacy, security problems and a lack of transparency regarding how companies used data they collected on users.
In a few cases, Israeli companies have found themselves clashing with the giants of global high-tech.
Public awareness of the problem has grown especially acute since the Cambridge Analytica affair surfaced last year, revealing that the British political consulting firm had illicitly acquired data on some 87 million Facebook users.
At about the same time Europe and Israel introduced tougher privacy protection rules that sets red lines for how businesses make use of the personal data they collect on users. Governments have finally taken it upon themselves to protect their citizens’ privacy.
Last week the technology website TechCrunch revealed how several popular iPhone apps offered by hotels, travel websites, airlines, cellphone companies and banks record and amass data without clearly informing users. That includes every tap, button push and keyboard entry sent back to the app developers.
TechCrunch found that Abercrombie & Fitch, Hotels.com and Singapore Airlines use Glassbox, an Israeli startup that is one of a small number of companies that allows developers to embed so-called session replay technology into their apps. In Israel, Glassbox tools are used by Bank Hapoalim, Bank Leumi and Israel Discount Bank.
The technology developed by Glassbox, which is based in Petah Tikva and has annual revenue of tens of millions of dollars, enables developers to record a user’s interaction with an app or a website and replay it. The idea is to enable companies to improve the user experience. The catch is that monitoring and recording users’ actions without their knowledge violates Apple’s strict privacy rules for companies that make their apps available for download at its App Store.
Glassbox does not appear to be monitoring the use of its technology. According to the TechCrunch report, Air Canada’s application had collected sensitive information, including users’ passport numbers and credit card details, that it failed to mask when recorded sessions were transmitted to its central database. In August, the airline said 20,000 user profiles were exposed in a data breach.
In the wake of the TechCrunch article, Apple told app developers to either remove the Glassbox technology or clearly notify users that their data was being collected: If not, the apps would be removed from the App Store.
In response, a Glassbox spokesperson said: “Glassbox is committed to maintain the highest standards for security and data security and has dedicated considerable resources to achieve this goal. At no stage are user data gathered and recorded by a Glassbox server or by any third party. They are held and managed at all times by the website owners only. The data is encrypted and secured to the highest standard.”
Regarding joint operations with customers, Glassbox said it enables them to define the recording features and intensity as well authorization for customer employees to access the data.
Other Israeli startups in the same space at Glassbox include Clicktale and Appsee.
The latter found itself in hot water in the past year when researchers at Boston’s Northeastern University discovered that among more than 17,000 Android apps they looked at, 12 were sending screen shots of what the user did on the app along to either the app developers or a third party.
One app, used for ordering snacks for delivery, sent the information to Appsee for data analysis.
At Onavo, which continues to offer apps under its own name, originally developed applications for compressing data and ensuring security, but Facebook used the technology for other purposes.
According to media reports, the Onavo Protect app has been used by Facebook to track app usage trends and enable it to identify popular apps, such as Whatsapp, which it acquired in 2014 for $19 billion, before rivals were on to them.
Onavo Protect was offered an app that protects users but in practice was gathering data from them. As a result, it has often been called spyware. Last August it was pulled from Apple’s App Store, saying it violated data-collection restrictions and Apple’s developer agreement on customer data usage.
Superfish was an Israeli startup success story with its technology for its visual search engine for finding images online. The personal computer maker Lenovo even installed Superfish’s software starting in 2014 into its laptops so it could insert its own ads into webpages users were viewing.
A year later, however, security experts identified a vulnerability they said allowed hackers to track users and steal confidential information via Superfish’s software. That set off a huge reaction, with the U.S. Federal Trade Commission and attorneys general in 32 states going to court and Lenovo eventually paying a penalty.
Lenovo dropped the Superfish software and has released a tool to remove it. Superfish claimed that software presented no security threat, but the damage was done. The company changed its name, but in 2016 it shut down.
SimilarWeb, another Israeli startup, offers a popular service used by businesses to measure traffic on websites and apps. However, to gather such information, SimilarWeb collects information from browser such as extensions, apps, toolbars and software installed on users’ devices to monitor and collect statistics on their browsing.
Users are not always aware that this is happening. Last year, the company became earned the wrath of Google and Mozilla (which is behind the open-source web browser Firefox) after it was discover that SimilarWeb’s Stylish browser extension had been secretly recorded users’ internet histories.
SimilarWeb denied the allegations, saying it only aggregated information and kept it anonymous. Nevertheless, Google and Mozilla temporarily removed the plug-in from their stores.