This article is more than 1 year old
'Sharing of user data is routine, yet far from transparent' is not what you want to hear about medical apps. But 2019 is gonna 2019
Study finds Android software slinging deets all over the place
Folks using healthcare-related Android apps: after you've handed over your private details to that software, do you know where it is sending your data? If you don't, nobody should blame you. It turns out it can be a complicated and obfuscated affair.
So much so, eggheads probing the data-sharing practices of mobile health applications have urged software developers to be more transparent regarding how they're handling people's personal info, after observing all sorts of records being passed on to third parties. Parent companies, adverting networks, analytics platforms, data brokers, and more, are seemingly getting their hands on at least some part of the pile, directly or indirectly.
Furthermore, even if the information is anonymized prior to sharing, the data tends to flow through the usual few suspects – Google, Facebook, etc – which could, in theory, piece together the identity of individual netizens using these apps, seeing as they capture so many data points.
Academics hailing from universities in Canada, Australia, and the US, together studied 24 popular Android health and medicine-related apps, and found that nearly 80 per cent were passing on at least some of their users' data to third parties. Their findings were published this week in the British Medical Journal. Check it out for the full details; we'll summarize them here.
"Sharing of user data is routine, yet far from transparent," the group concluded in their paper. "Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent. Privacy regulation should emphasise the accountabilities of those who control and process user data. Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom."
We're told that 38 per cent of the studied apps shared browser activities, such as medicines looked up and pharmacy websites visited, with third parties; the same again passed on users' email addresses; 25 per cent handed over the list of drugs people are taking; 21 per cent the users' first and last names; 17 per cent the users' medical conditions; and so on.
These stats were produced by studying the network traffic of the applications, which range in install bases of 500 devices to 10 million and are among the top 100 most-used in their sector. "Although most (20/24, 83%) appeared free to download, 30% (6/20) of the 'free' apps offered in-app purchases, and 30% (6/20) contained advertising as identified in the Google Play store," the academics noted. "Of the for-profit companies (n=19), 13 had a Crunchbase profile (68%)."
The types of details leaked by medical app, according to traffic analysis ... Click to enlarge, or see page six of this PDF. Source: Grundy et al
One silver lining is that most of the programs encrypted this data while in transit, leaving six per cent that did not and broadcast private information in clear text. "Network analysis revealed that first and third parties received a median of 3 unique transmissions of user data," the paper stated. "Third parties advertised the ability to share user data with 216 'fourth parties' within this network."
And where is this data going? The list should not surprise you:
Organizations receiving app data ... Click to enlarge, or see page nine of this PDF. Source: Grundy et al
The obvious concern is whether or not people's personal information is being properly scrubbed of any identifying info before it is offered to other organizations and advertisers. Unlike other types of user information, medical records are subject to strict regulations, and limits on how data can be disclosed, so you'd hope that stays within the app or its backend. What exactly is going where is still a bit of a black box mystery, which is kinda worrying given the sensitivity of the info we're talking about here.
The researchers said developers need to be aware of these regulations, and should do a better job of informing everyone how they collect, scrub, and share patient information with outside groups. They also called on doctors and care providers to step up, and take a closer look at the apps they use.
"Most health apps fail to provide privacy assurances or transparency around data sharing practices. User data collected from apps providing medicines information or support may also be particularly attractive to cybercriminals or commercial data brokers," said Quinn Grundy, an assistant professor and lead author of the study.
"Health professionals need to be aware of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent." ®