A study published last Wednesday in BMJ describes a disturbing scenario regarding health apps and their data management. Users’ privacy is at risk!
Analyzing the traffic the apps generated, researchers noted that four out of five of the apps tested share data with external parties. Moreover, many of the parties that receive user information would probably be able to aggregate the data and use it to identify a specific individual.
Mobile health apps can be useful but pose an unprecedented risk to consumers’ privacy given their ability to collect user data, including sensitive information. The authors of the study wrote: “Health app developers routinely, and legally, share consumer data with third parties in exchange for services that enhance the user’s experience (eg, connecting to social media) or to monetise the app (eg, hosted advertisements). Little transparency exists around third-party data sharing, and health apps routinely fail to provide privacy assurances, despite collecting and transmitting multiple forms of personal and identifying information”.
Researchers identified 821 applications. Of these, 754 were discarded as not relevant to the research. The remaining 67 were examined to see if they fell within the defined inclusion criteria (availability in the Australian store, cost in excess of $100, specific apps from health care companies, etc.). Forty-three apps were discarded, resulting in a sample of 24.
Among the 24 apps selected from the top of the Google Play store, researchers found that 19 (79 percent) shared users’ data with 55 different first-party and third-party entities. All but three of these apps transmitted data such as device name, browsing behaviour and email address outside of the app, and two-thirds of the entities receiving the data are affiliated with collection for advertising or other analytics services.
Six percent of the 104 transmissions identified and analyzed by the researchers were sent in plain text, with at least three of the health apps leaking some kind of user data in clear text. In some cases, the researchers noted transmissions of specific sensitive data, such as a user’s drug list, that could feasibly be repurposed and sold to companies looking to commercialize these data. Also of note, 19 of the apps (79 percent) requested permission to read or write from the device, 11 (46 percent) to view WiFi connections, seven (29 percent) to read the device’s cellular status and identity, and 25 percent to access the user’s approximate or precise location.
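An app team can run the same kind of check on its own build. The sketch below is an added example, not code from the study: it assumes flows exported from an intercepting proxy during a test session in which a dummy profile was entered into the app, and every host name and data value in it is constructed.

```python
from urllib.parse import urlsplit, parse_qsl

FIRST_PARTY = {"api.healthapp.example"}          # assumed developer-owned hosts
SEEDED = {                                       # dummy values typed into the app under test
    "email": "test.user@example.org",
    "device_name": "Pixel-Test-01",
    "drug_list": "metformin",
}
FLOWS = [                                        # constructed (method, url, form body) records
    ("POST", "https://api.healthapp.example/v1/profile", "email=test.user%40example.org"),
    ("POST", "https://collect.adnetwork.example/e", "dev=Pixel-Test-01&em=test.user%40example.org"),
    ("GET", "http://track.analytics.example/p?meds=metformin&dev=Pixel-Test-01", ""),
    ("GET", "https://cdn.assets.example/logo.png", ""),
]

def leaked_fields(url, body):
    """Seeded data types present in the URL query or form body (after URL-decoding)."""
    values = [v.lower() for _, v in parse_qsl(urlsplit(url).query) + parse_qsl(body)]
    return sorted(k for k, s in SEEDED.items() if any(s.lower() in v for v in values))

def audit(flows):
    """One finding per transmission that carries seeded user data."""
    findings = []
    for _method, url, body in flows:
        parts = urlsplit(url)
        fields = leaked_fields(url, body)
        if fields:
            findings.append({
                "host": parts.hostname,
                "third_party": parts.hostname not in FIRST_PARTY,
                "cleartext": parts.scheme == "http",
                "fields": fields,
            })
    return findings

def summary(findings):
    """Counts comparable to the study's headline figures."""
    return {
        "transmissions": len(findings),
        "third_party": sum(f["third_party"] for f in findings),
        "cleartext": sum(f["cleartext"] for f in findings),
    }

if __name__ == "__main__":
    for finding in audit(FLOWS):
        print(finding)
    print(summary(audit(FLOWS)))
```

Matching on seeded values rather than parameter names catches data sent under opaque keys, but it misses values that are hashed or encoded before transmission.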
The analysis raises many doubts and concerns. The lack of transparency undermines the right of users to know how their data is used and thus understand all the implications of the consents they provide. In any case, it should be noted that the loss of privacy is not a fair cost for the use of digital health services, even if apparently free.