Security implications of using screen-capture software to monitor a user's activity [closed]

1

Buried deep in the Privacy Policy of a purely cloud-based financial services company (no software downloaded onto the user's device) is the following statement:

"We use screen capturing software to view and analyze individual customers' usage ...".

Is it technically possible for the company using that software to capture any part of a customer's screen other than the content of the page being served? For example, can the business:

(a) see peripheral information in the customer's browser, e.g. their bookmarks, extensions, open tabs, etc., or

(b) see parts of the customer's screen that are unrelated to the browser, e.g. a Word document or image beside the browser?

TechnoCat
"Cloud-based" doesn't quite mean "no software downloaded" if it uses Java or Flash... However, I suspect they're simply referring to monitoring their own webpage such as arstechnica.com/tech-policy/2017/11/…
grawity
Thanks grawity, that's a very useful link. Thanks also for the reference to Java or Flash (though in this case neither is used, I believe, which is why I found it a mystery). Good answer.
TechnoCat
I think this is better suited to security.stackexchange.com. They are the experts.
cdlvcdlv
Thanks cdlvcdlv; I'll use the other site next time I have a security question.
TechnoCat

Answers:

1

Most likely the clause refers to analytics scripts recording the webpage itself, such as described in this Ars Technica article.

Ordinarily websites cannot see the rest of your screen, although as of recently they can request this permission via WebRTC.

grawity
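The distinction drawn in the answer above can be checked from the browser console: page scripts can read their own DOM freely, but anything outside the page has to go through `navigator.mediaDevices.getDisplayMedia()`, which triggers a browser prompt. The following is an added example, not part of the original answer; `watchDisplayCapture` and `captureWatch` are hypothetical names. It logs every screen-capture request a page makes, and only sees calls made after it is installed.

```javascript
// Added example: record every getDisplayMedia() request made on a
// MediaDevices-like object, then delegate to the real implementation.
function watchDisplayCapture(mediaDevices) {
  const calls = [];
  const original = mediaDevices.getDisplayMedia;
  if (typeof original !== "function") {
    // API not exposed here: the page has no way to ask for screen capture.
    return { calls, supported: false, restore() {} };
  }
  mediaDevices.getDisplayMedia = function (constraints) {
    const entry = {
      at: new Date().toISOString(),
      constraints,
      // A few stack frames identify which script issued the request.
      caller: (new Error().stack || "").split("\n").slice(2, 5).map((s) => s.trim()),
      outcome: "pending",
    };
    calls.push(entry);
    // Normalise synchronous throws and promise rejections into one path.
    return new Promise((resolve) => resolve(original.call(this, constraints))).then(
      (stream) => {
        entry.outcome = "granted";
        return stream;
      },
      (err) => {
        entry.outcome = "denied:" + (err && err.name);
        throw err; // keep the page's own error handling intact
      }
    );
  };
  return {
    calls,
    supported: true,
    restore() {
      mediaDevices.getDisplayMedia = original;
    },
  };
}

// In a browser console: install the watcher, use the site, then inspect
// captureWatch.calls. An empty list means no screen capture was requested.
if (typeof navigator !== "undefined" && navigator.mediaDevices) {
  globalThis.captureWatch = watchDisplayCapture(navigator.mediaDevices);
}
```
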
-1

In regards to a “breach” of customer privacy or security, that is an opinion-based or legal question. But common sense says the company probably has a terms of service to accept or decline that allows them to take certain liberties in regards to security or privacy.

The rest is simple to answer.

If you didn’t download and install software onto your computer from this company, they can’t do any of the things you asked about.

If you did download and install software from this company onto your computer, then they can potentially do any of the things you asked about or more.

That is the choice everyone makes when they install software. Again, if it is not malware, it is probably stated on a usage agreement that has to be accepted or declined.

With no context on the policy or company, I tend to suspect the terminology is bad, you are misinterpreting the text, or reading more into it than it says. The company can’t do anything more than track your own interaction with their website.

Note: “Installing” software can be as simple as clicking yes, or accept, to an obscure prompt on a website.

Appleoddity
Allow me to confirm several issues. First, no I did not download any software. As noted in my question, this is a strictly cloud-based financial services company. Second, I'm asking a strictly technical question, not a legal question. Third, it's clearly not a "simple question to answer", or I would not have asked it.
TechnoCat
The last sentence of your question could be read as a strictly legal question. If you didn’t install software then they can’t do what they say they do or anything that you asked if they could do. What is difficult for one person to answer may not be for another.
Appleoddity
As someone who has spent 25+ years in both tech and law (from coding to CIO and CEO), I know what's normally technically possible and what is unusual. Some of my clients - who are users of this financial trading service business (e.g. similar to an eTrade) - found this clause. The use of screen capturing software on a cloud-based business is obviously unusual, which is why I have asked the question on a technical forum, hoping to obtain an answer from someone with advanced technical knowledge in this area.
TechnoCat
I’m not sure where we have gone wrong here. As a CIO/CEO I’m sure you can appreciate concise answers. There is no reason for this to be complicated. Without screen capture software installed on your client’s computer there is absolutely no way the website can “use screen capturing software to view and analyze individual customers’ usage.” It really is that simple. The terminology is either wrong or it is being taken out of context. Anything they are doing is not “screen capturing.” It can’t possibly be anything more than tracking your own interaction with the website.
Appleoddity