Data sharing by popular health apps found to be 'routine', prompting calls for more transparency
Originally posted by Olivia Willis @ abc.net.au
Key points:
Health apps are routinely sharing user data, new research shows
Amazon and Google among third parties receiving highest volume of data
Experts are calling for greater regulation and transparency
It is the type of information a doctor might need: your age, sex, medical conditions, current symptoms, and a list of any drugs you take.
It is also the type of sensitive health data being handed over to app developers, their parent companies, and potentially dozens of third-party entities — posing an "unprecedented risk" to consumer privacy.
That is according to a new study, published today in the British Medical Journal, which found the sharing of user data from health-related mobile apps on the Android platform was routine and yet far from transparent.
Lead author Dr Quinn Grundy said health apps were a "booming market", but one with many privacy failings.
The study follows a recent report from the Wall Street Journal which found several apps, including period tracker Flo Health, were sending sensitive user data — including weight, blood pressure and ovulation status — to Facebook.
"I think many of us would expect that this kind of data should be treated differently," said Dr Grundy, an assistant professor at the University of Toronto.
"Unfortunately, our study shows that that's not the case. These apps behave in much the same way as your fitness app, weather app or music app."
While many health apps do disclose data sharing arrangements in their terms and conditions, the disclosures are often buried in the fine print with little detail about who information is being shared with and for what purpose.
And for something as personal and potentially sensitive as medical data, not to mention valuable, Dr Grundy suggested privacy regulators should recognise that loss of privacy is not a fair cost for the use of digital health services.
Dr Grundy and colleagues at the University of Sydney examined 24 medicine-related Android apps popular in Australia, North America and the United Kingdom. Apps that might remind you when to take a prescription, for example.
The researchers ran an analysis tool multiple times using different user profiles to examine what data leaked when the app was in use, and who it leaked to.
They found 19 of the 24 apps shared data outside of the app to a total of 55 entities, owned by 46 parent companies.
The information ranged from users' emails and device ID to medical conditions and drug lists.
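A check of the kind described above, as an added example that is not the researchers' tool or code from the study: it searches captured app requests for the values of a known test profile, in plain, base64 and hashed form, and groups the hits by destination host. The profile values, the host names and the `find_leaks` function are assumptions made for illustration, and the capture is constructed.

```python
import base64
import hashlib
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Constructed test profile: the values entered into the app for one run.
PROFILE = {
    "email": "test.user01@example.org",
    "device_id": "a1b2c3d4e5f60718",
    "condition": "type 2 diabetes",
    "drug": "metformin",
}

def encodings(value):
    """Forms a value commonly takes on the wire (exact-value encodings only)."""
    raw = value.encode()
    return {
        "plain": value.lower(),
        "base64": base64.b64encode(raw).decode(),
        "sha1": hashlib.sha1(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def find_leaks(capture, profile):
    """Return {destination host: {(profile field, encoding), ...}}."""
    leaks = defaultdict(set)
    for url, body in capture:
        host = urlsplit(url).hostname
        raw = url + "\n" + body
        views = (raw, unquote_plus(raw))  # as sent, and URL-decoded
        for field, value in profile.items():
            for enc, needle in encodings(value).items():
                if any(needle in (v.lower() if enc == "plain" else v) for v in views):
                    leaks[host].add((field, enc))
    return dict(leaks)

# Constructed capture: (URL, request body) pairs; all hosts are hypothetical.
_email_hash = hashlib.sha256(PROFILE["email"].encode()).hexdigest()
_drug_b64 = base64.b64encode(PROFILE["drug"].encode()).decode()
CAPTURE = [
    ("https://api.medreminder.example/v1/sync",
     '{"email":"test.user01@example.org","drugs":["Metformin"]}'),
    (f"https://analytics.tracker.example/collect?uid={_email_hash}&did=a1b2c3d4e5f60718",
     "event=open&cond=type+2+diabetes"),
    ("https://crash.reports.example/upload", f'{{"ctx":"{_drug_b64}"}}'),
    ("https://cdn.static.example/logo.png", ""),
]

if __name__ == "__main__":
    for host, found in sorted(find_leaks(CAPTURE, PROFILE).items()):
        print(host, sorted(found))
```

Repeating the run with a second profile and comparing the results separates values that follow the user from constants that merely look similar.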
While some data was sent to the apps' parent companies, other data was sent to third parties such as error reporting tools, which are common and help the product function.
Others offered analytics to track users and how the app was performing.
They found Amazon and Alphabet, the parent company of Google, received the highest volume of user data, followed by Microsoft.
"They wouldn't name specific third parties or why data was shared with them. But would say, 'we never sell your data, but we may share anonymised, aggregated reports with third parties for legitimate business purposes'," she explained.
Data sharing is pervasive in the app ecosystem, with no end in sight, said Peter Hannay, an adjunct lecturer and security researcher at Edith Cowan University, who has previously studied security vulnerabilities in Android apps.
For those who want to use these services, there aren't many choices if you don't like the situation: "It's not a matter of 'swap to a different app'," he said.
"It would be a matter of just not using those sorts of services at all."
Sharing, and sharing again
The apps' information sharing did not stop at third parties.
The researchers also found that some of the third parties they identified advertised the ability to share user data with 216 "fourth parties", including multinational technology companies, digital advertising companies, telecommunications corporations, and a consumer credit reporting agency. It's not clear whether, or to what extent, the data is in fact being shared.
However, this large ecosystem means the customer, and even the app developer, may have very little visibility of what was being done with the data.
"Even the developers are quite unaware of how these are working on the back-end and what implications they may have for their users," Dr Hannay commented.
So, what could be done with that "fourth party" information?
Dr Grundy said that although data might be shared in an anonymous or aggregated format, because it changed hands so many times, it could run the risk of being aggregated within broader data networks — and help build a pretty detailed profile of a user, even if it's not labelled with their name.
The more sets of anonymised data you can put together, the more risk there is that individuals can be re-identified, said Dr Trent Yarwood, an infectious diseases physician who represents the digital advocacy group, Future Wise.
For Dr Hannay, the overwhelming risk when data is collected on this scale is one of hacking.
As we saw after the high-profile Ashley Madison and Equifax hacks, he said, the more places your data is in, the more the "threat surface" increases.
Should you use health apps?
Dr Yarwood said the study demonstrated a welcome increase in awareness that off-the-shelf health apps may not always be entirely in the interest of patients.
However, the study does not give a complete picture of the health app ecosystem, particularly because it doesn't examine Apple's app store.
Dr Hannay said he would expect similar issues to affect iOS products, but added that the technology manufacturer had traditionally been much stricter about what data could be collected.
And he said the study's methodology, while sound, could have gone deeper by reverse engineering the apps' functionality.
While both iOS and Android apps sometimes allow users to give specific permissions to an app — the ability to turn off location tracking, for example — Dr Hannay said developers needed to start working with the mindset that their end users may wish to deny certain permissions outright and in more specific ways.
"If the application is reminding you to take medication, I would try to find one that doesn't require permission to connect to the internet," he said.
"If it's able to work offline, that's something I would consider to be desirable."
The ABC has requested a response from Google.