How we built screenshot privacy controls

When we shipped Huble screenshots in early 2024, the first feature request was an off-switch. The second was field-level redaction. We shipped both, but the second was the interesting engineering problem.

Why this is hard

macOS and Windows don't expose UI elements uniformly across applications. Native apps expose accessibility trees; web apps in Chrome expose a different tree; some apps (looking at you, anything built in Electron) expose neither well. A redaction system that only works for native apps misses most of where sensitive data actually lives.

What we shipped

The current approach combines accessibility-tree introspection where available with a heuristic OCR pass that looks for credit-card-shaped strings, password fields by input attribute, and a list of regex patterns the customer can extend. We blur identified regions on the device before the image is uploaded — so even our own infrastructure never sees the redacted bytes.

It's not perfect. The OCR pass adds latency. The accessibility-tree story is uneven across operating systems. But it's enough that we feel comfortable having the feature on by default, which is the test that actually matters.