February 7, 2019 7:11 pm
Updated: February 7, 2019 8:31 pm

Air Canada app records your personal information — and you may have no clue

ABOVE: Air Canada data breach affected 1.7-million users in August 2018.

A A

Air Canada’s mobile app records your phone screen when you book flights, change your password and enter your credit card information.

Many iPhone apps, such as Air Canada, are using an analytics service, called “session replay” that captures information on how you interact with your phone while using the app.

Story continues below

READ MORE: Air Canada says 20,000 mobile app users affected by data breach

For example, when you use the Air Canada app, the application may record how you tap, swipe and enter personal information, like passwords and credit card numbers.

These apps are meant to mask certain fields with a blackout box, but some sensitive information may still be exposed, according to the tech media outlet, TechCrunch.

Zack Whittaker for TechCrunch, claims that his investigation found that Air Canada appeared to cover some private information with block boxes, but other fields, like credit card number and password, were not covered

“Air Canada is unsuccessful in obfuscating credit card and password information. As a result, sensitive data is being captured as images and potentially stored,” Whittaker said.

“This gives Air Canada employees — and anyone else capable of accessing the screenshot database — to see unencrypted credit card and password information,” he said.

Air Canada, however, denies this and says they do black out the information.

WATCH: Air Canada customers hacked in cyberattack

Air Canada served 48-million customers in 2017, and around 1.7-million users have registered with the app.

Global News reached out to Air Canada about the analytics tool and a spokesperson said:

“Air Canada uses customer provided information to ensure we can support their travel needs and to ensure we can resolve any issues that may affect their trips. This includes user information entered in, and collected on, the Air Canada mobile app. However, Air Canada does not — and cannot — capture phone screens outside of the Air Canada app.”

The spokesperson also said Air Canada masks sensitive data like passwords and credit card information.

The use of the analytic tool comes months after Air Canada announced 20,000 of its mobile users may have been affected by a data breach.

READ MORE: Companies will now have to tell Canadian consumers when their privacy is breached — and do it quickly

In August, the airline said there was an “unusual login activity” between Aug. 22-24 and the company “immediately took action.”

The information that could have been breached included: passport and NEXUS card numbers, gender, birth date, nationality and credit card numbers.

“I think it’s very creepy that companies are using this to figure out things about us, and personally I will boycott this,”

Thomas Keenan, a University of Calgary computer science professor and the author of book Technocreep, said.

He said the fact that a user’s passport information is in there is worrisome and he has concerns about the information being breached.

If you don’t like the idea of a company recording your information, Keenan suggests deleting the app.

Who provides the service?

The service is provided by a digital analytics company called Glassbox.

Air Canada signed a deal with Glassbox on Jan. 30, in order to use its “industry-leading digital record, replay and analytics technology,” according to a media release.

Global News reached out to Glassbox for a comment, who said, “the data collected by Glassbox customers is only captured via their apps, and is neither shared with any third parties, nor enriched through other external sources.”

The spokesperson also said all the information that is captured is highly secured and encrypted.

Does Air Canada let its users know about the tool?

Air Canada’s terms and conditions do not specifically let the user know their mobile screen is being recorded when using the app.

The company’s terms and conditions do state, “by downloading or updating this app, you understand that we may: collect data about your device in order to serve you the correct software, as well as maintain and develop its services, require that you change some of your device settings to use specific features and collect personal information as detailed in our privacy policy.”

WATCH: How to protect yourself from ransomware attacks

In Air Canada’s privacy policy, it details its tracking technologies, saying it tracks “users’ movements” around its website.

However, there was no mention in the terms and conditions or the privacy policies that suggests the app sends screen data back to the airline.

Glassbox said it is up to its customers to mention that the app captures data.

What is session replay?

Session replay is a data tool that allows companies to track how customers are using their site, according to the Glassdoor website. It allows companies to record every session on their website or app, exactly as seen by the customer.

The point of the “deep” analytics tool is to allow companies, like Air Canada, to see how customers use the app, how far they scroll down and when they abandon a transaction.

© 2019 Global News, a division of Corus Entertainment Inc.

Report an error

Comments

Want to discuss? Please read our Commenting Policy first.