Advertisement

Data sharing by popular health apps found to be ‘routine’, prompting calls for more transparency

Researchers have found health apps share user data as part of a complex network of third parties.

Researchers have found health apps share user data as part of a complex network of third parties. Photo: Getty/Westend61

It is the type of information a doctor might need: Your age, sex, medical conditions, current symptoms, and a list of any drugs you take.

It is also the type of sensitive health data being handed over to app developers, their parent companies, and potentially dozens of third-party entities – posing an “unprecedented risk” to consumer privacy.

That is according to a new study, published on Thursday in the British Medical Journal, which found the sharing of user data from health-related mobile apps on the Android platform was routine and yet far from transparent.

Lead author Dr Quinn Grundy said health apps were a “booming market”, but one with many privacy failings.

The study follows a recent report from the Wall Street Journal which found several apps, including period tracker Flo Health, were sending sensitive user data – including weight, blood pressure and ovulation status – to Facebook.

“I think many of us would expect that this kind of data should be treated differently,” said Dr Grundy, an assistant professor at the University of Toronto.

“Unfortunately, our study shows that that’s not the case. These apps behave in much the same way as your fitness app, weather app or music app.”

While many health apps do disclose data sharing arrangements in their terms and conditions, the disclosures are often buried in the fine print with little detail about who information is being shared with and for what purpose.

And for something as personal and potentially sensitive as medical data, not to mention valuable, Dr Grundy suggested privacy regulators should recognise that loss of privacy is not a fair cost for the use of digital health services.

Third-party sharing

Dr Grundy and colleagues at the University of Sydney examined 24 medicine-related Android apps popular in Australia, North America and the United Kingdom. Apps that might remind you when to take a prescription, for example.

The researchers ran an analysis tool multiple times using different user profiles to examine what data leaked when the app was in use, and who it leaked to.

They found 19 of the 24 apps shared data outside of the app to a total of 55 entities, owned by 46 parent companies.

The information ranged from users’ emails and device ID to medical conditions and drug lists.

While some data was sent to the apps’ parent companies, third-party data was sent to error reporting tools, for instance, which are common and help the product function.

Others offered analytics to track users and how the app was performing.

They found Amazon and Alphabet, the parent company of Google, received the highest volume of user data, followed by Microsoft.

While most apps had a privacy policy and often stated the data was stripped of identifiers, Dr Grundy said that they described what was collected and shared in very general terms.

“They wouldn’t name specific third parties or why data was shared with them. But would say, ‘We never sell your data, but we may shared anonymised, aggregated reports with third parties for legitimate business purposes’,” she explained.

Data sharing is pervasive in the app ecosystem, with no end in sight, said Peter Hannay, an adjunct lecturer and security researcher at Edith Cowan University, who has previously studied security vulnerabilities in Android apps.

For those who want to use these services, there aren’t many choices if you don’t like the situation: “It’s not a matter of ‘swap to a different app’,” he said.

“It would be a matter of just not using those sorts of services at all.”

Sharing, and sharing again

Graphic: University of Sydney

The apps’ information sharing did not stop at third parties.

The researchers also found that some of the third parties they identified advertised the ability to share user data with 216 “fourth parties”, including multinational technology companies, digital advertising companies, telecommunications corporations, and a consumer credit reporting agency.

It’s not clear whether, or to what extent, the data is being shared.

However, this large ecosystem means the customer, and even the app developer, may have very little visibility of what was being done with the data.

So, what could be done with that “fourth party” information?

Dr Grundy said that although data might be shared in an anonymous or aggregated format, because it changed hands so many times, it could run the risk of being aggregated within broader data networks – and help build a pretty detailed profile of a user, even if it’s not labelled with their name.

The more sets of anonymised data you can put together, the more risk there is that individuals can be re-identified, said Dr Trent Yarwood, an infectious diseases physician who represents the digital advocacy group, Future Wise.

For Dr Hannay, the overwhelming risk when data is collected on this scale is one of hacking.

As we saw after the high-profile Ashley Madison and Equifax hacks, he said, the more places your data is in, the more the “threat surface” increases.

Should you use health apps?

Dr Yarwood said the study demonstrated a welcome increase in awareness that off-the-shelf health apps may not always be entirely in the interest of patients.

However, the study does not give a complete picture of the health app ecosystem, particularly because it doesn’t examine Apple’s app store.

Dr Hannay said he would expect similar issues to affect iOS products, but added that technology manufacturer had traditionally been much stricter about what data could be collected.

He said the study’s methodology, while sound, could have gone deeper by reverse engineering the apps’ functionality.

While both iOS and Android apps sometimes allow users to give specific permissions to an app – the ability to turn off location tracking, for example – Dr Hannay said developers needed to start working with the mindset that their end users may wish to deny certain permissions outright and in more specific ways.

“If the application is reminding you to take medication, I would try to find one that doesn’t require permission to connect to the internet,” he said.

“If it’s able to work offline, that’s something I would consider to be desirable.”

The ABC has requested a response from Google.

ABC

Stay informed, daily
A FREE subscription to The New Daily arrives every morning and evening.
The New Daily is a trusted source of national news and information and is provided free for all Australians. Read our editorial charter
Copyright © 2024 The New Daily.
All rights reserved.