The number of health and fitness apps and devices has exploded in recent years. These technologies offer the user assistance in achieving a healthier lifestyle by offering personalised guidance or helping the user track any progress made. To complete these tasks, the apps collect a vast amount of information from the user, including heart rate, sleeping patterns, weight, food consumption, and even GPS location. Despite the potentially sensitive nature of the data these apps collect, there is very little transparency between consumers and these tech companies as to how the companies use the data and with whom it is shared.
The data collected by these apps have a high market value. Therefore, it is no surprise that companies behind these fitness devices and apps often sell the data to third parties, making a considerable profit from the practice. There is very little information publicly available about the details of these transactions. Consumers have become increasingly concerned as to how their data is used. As such, questions are now being asked about the data privacy practices of the booming healthcare application and device industry.
The BMJ recently published a study investigating the data privacy practices of these companies. The study revealed that nearly 80% of the apps studied (19 of the 24 apps) shared user data with third parties.
The study investigated apps related to dispensing, administration, prescribing or use of medicines. For each app, the researchers ran dummy scripts to simulate the real world.
The researchers found that user data was shared with 55 different entities, from 46 parent companies. These companies either received or processed the data. Those entities included app developers, parent companies, and third-party service providers. Two-thirds of the third parties provided services related to the collection or analysis of data, including analytics and advertising. The remaining third provided infrastructure-related services.
The majority of apps (71%) transmitted user data to locations outside of the app. This information included the name of the device, the operating system, the user’s email address, and browsing activities on the device. Some of the apps transmitted even more sensitive information, such as the user’s drug list and location.
When considered on its own, most of the data, such as the Android ID or device name, is not particularly sensitive. However, if the information were aggregated and considered all together, a third party could identify the individual user to whom it pertained. Several companies within the network could aggregate and re-identify user data.
The researchers detected 104 transmissions to entities external to the app, 94% of which were encrypted and 6% of which were sent in cleartext. The researchers discovered that 13% of tested apps leaked at least some user data in cleartext.
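A check of this kind can be reproduced on an app you are assessing by seeding it with a dummy profile and searching the captured requests for those values. The following is an added example, not the researchers' tooling or code from the study. It assumes the traffic was captured at an intercepting proxy on the tester's own device, so HTTPS request bodies are visible; the app names, hosts, seeded values and record layout are all constructed.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Constructed dummy profile seeded into the app under test (assumption).
SEEDED = {"email": "dummy.user@example.test", "drug": "warfarin",
          "device": "Pixel-Test-01"}

# Constructed capture records: (app, requested URL, form-encoded request body).
FLOWS = [
    ("app-a", "https://api.vendor.example/v1/sync",
     "email=dummy.user%40example.test&drug=warfarin"),
    ("app-a", "http://ads.tracker.example/p?dev=Pixel-Test-01", ""),
    ("app-b", "https://stats.example/collect", "os=android&dev=Pixel-Test-01"),
    ("app-c", "https://cdn.example/img/logo.png", ""),
]

def leaked_fields(url, body):
    """Return names of seeded fields whose values appear in the query or body."""
    query = urlsplit(url).query
    # parse_qsl percent-decodes values, so %40 is compared as '@'.
    values = {v for _, v in parse_qsl(query) + parse_qsl(body)}
    return sorted(name for name, val in SEEDED.items() if val in values)

def audit(flows):
    """Group each transmission of seeded user data by app and channel type."""
    report = defaultdict(lambda: {"encrypted": [], "cleartext": []})
    for app, url, body in flows:
        fields = leaked_fields(url, body)
        if not fields:
            continue  # request carries none of the seeded user data
        parts = urlsplit(url)
        channel = "encrypted" if parts.scheme == "https" else "cleartext"
        report[app][channel].append((parts.hostname, fields))
    return dict(report)

def cleartext_apps(report):
    """Apps that sent at least one seeded value over an unencrypted channel."""
    return sorted(app for app, r in report.items() if r["cleartext"])

if __name__ == "__main__":
    result = audit(FLOWS)
    for app, channels in sorted(result.items()):
        print(app, channels)
    print("cleartext leaks:", cleartext_apps(result))
```

Exact-value matching misses data that an app hashes or otherwise encodes before sending, so a clean result here does not prove that nothing was shared.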
The researchers performed a network analysis, which revealed that first and third parties received a median of three unique transmissions of user data. Third parties were also found to advertise the ability to share user data with an additional 216 fourth parties.
Many of the apps also requested permissions which the researchers rated as dangerous. On average, the apps requested four ‘dangerous’ permissions, including permissions to read and write to device storage (79%), view Wi-Fi connections (46%), read accounts listed on the device (29%), access phone status data, including network information, phone number, and when the user received a phone call (29%), and the location of the user (25%).
The researchers note that while the apps were legitimate, and data sharing is legal, there was a lack of transparency about the use of user data: “The lack of transparency, inadequate efforts to secure users’ consent, and dominance of companies who use these data for marketing, suggests that this practice is not for the benefit of the consumer.”
The researchers also issued a warning about medicine-related apps, saying “Clinicians should be conscious about the choices they make in relation to their app use and, when recommending apps to consumers, explain the potential for loss of personal privacy as part of informed consent. Privacy regulators should consider that loss of privacy is not a fair cost for the use of digital health services.”