Vote 2020 graphic
Everything you need to know about and expect during
the most important election of our lifetimes

Apple’s Health Experiment Is Riddled With Privacy Problems [UPDATED]

Pharmaceutical giant GlaxoSmithKline (GSK) has partnered with Apple on a new clinical study on rheumatoid arthritis. The study relies on an iPhone app to collect data about arthritic symptoms from users as they go about their daily lives. That sounds great at first glance, but how well will it protect your privacy?


The app was built by the London-based GSK using Apple’s ResearchKit, an open source software framework to transform your iPhone into a handy diagnostic tool for clinical studies. Launched last year, ResearchKit is designed to make it easier for medical researchers to access data about millions of potential subjects. As Lifehacker’s Alan Henry wrote at the time, “The platform aims to give anyone with an iOS device the opportunity to participate in medical research, join programs that can help them track their symptoms, or share information with their doctors.”

So far there are just a handful of ResearchKit apps tied to clinical studies, but the GSK partnership is the first time Apple has joined forces with a major drug company. The Patient Rheumatoid Arthritis Data from the Real World (PARADE) study will use its app to track the mobility of over 300 participants suffering from rheumatoid arthritis, including information on their level of joint pain, fatigue, and changing moods. No drugs are being tested. Rather, the app guides users through a simple wrist exercise, with the iPhone’s built-in sensors recording data from that motion. That data may help Glaxo design better clinical trials in the future.


There are plenty of potential benefits to using the ResearchKit platform. It’s a huge boon to recruiting viable participants for medical studies—which can take months or years, depending on the study—and it’s cost effective, potentially saving millions of dollars. “Certainly you’ve also taken out the site costs, and the costs of having nurses and physicians explaining the studies to them and recording information,” Rob DiCicco, head of Glaxo’s clinical innovation and digital platforms group, told Bloomberg News.

Illustration for article titled Apple’s Health Experiment Is Riddled With Privacy Problems [UPDATED]

But from the start, ResearchKit raised a host of ethical questions, particularly about protecting consumer privacy, and getting informed consent from all study participants.

Apple insists it never sees the data you provide through ResearchKit. But who the research institutions, hospitals, and doctors share that data with is up to them (within the constraints of laws like HIPAA.) And collected data is typically “anonymized” by companies like Sage Bionetwork, removing any possible identifiable information before sending the data to the institution conducting the study.


That may not be sufficient to protect users’ privacy in this age of powerful big data informatics. There’s something called the “mosaic effect,” whereby it is possible to reconstruct someone’s identity from a relatively small amount of data, even after that data has technically been made anonymous. “We can’t promise perfect anonymity,” John Wilbanks, chief commons officer for Sage Bionetwork, told The Verge last year. “We’re going to de-identify it, but because we’re going to make it available for lots of research, there exists the chance that someone could re-identify you.”

The first few ResearchKit apps seemed to improve on the usual one-on-one process for informed consent. With an asthma app designed by Mount Sinai Hospital, for instance, users must flick through 12 separate pages, each with big graphics, large 18-point font print, and simple words describing every possible risk and benefit of the study. Then users take a quiz to demonstrate they at least have a rudimentary understanding of just what they’re agreeing to.


So how does the GSK PARADE app-based study address those concerns? We asked bioethicist Nicholas Evans of the University of Massachusetts Lowell to weigh in, based on his own cursory exploration of the app.

The biggest issue, according to Evans, is the app’s approach to informed consent. Tapping the button to launch the consent process takes the user to a nine-page PDF document in 12-point font—the kind of thing that’s really difficult to read on your iPhone. Then the user taps the “Agree” button in the bottom right hand corner. Voila! Instant informed consent. It’s similar to those End User License Agreements that everybody agrees to without even reading them, because come on, we just want to use the damn app already.


UPDATE 7/21 6:45 PM: According to Mary Ann Rhyme, director of external communications for GSK in the U.S., the PARADE app does walk the user through several explanatory screens before prompting them with the PDF consent document. Users also have the option of emailing that document to themselves if they’re having trouble reading it on the iPhone screen, and of contacting an independent support center if they have questions. Whether this is sufficient to overcome the cultural conditioning of users to just click “agree” will likely remain a point of contention for bioethicists.


“A nine-page letter in PDF format is not a great way to structure informed consent on an iPhone,” Evans said. “I don’t see that there’s any incentive for someone to read this.”

In response to concerns about informed consent, the folks at Apple ResearchKit changed its terms of use to require an ethics review when creating an app—that is, the app must pass muster with what’s known as an Institutional Review Board (IRB). GSK did so before launching their app-based study.


According to Evans, the app didn’t work with the usual university-based IRBs, but with a Seattle-based, private, for-profit IRB called Quorum Review.

UPDATE: Rhyme confirmed to Gizmodo via email that GSK used Quorum Review for its IRB review. “The study design and informed consent documents all underwent two comprehensive reviews (one and three weeks, respectively), as well as through multiple internal legal and compliance reviews,” she wrote. On the issue of privacy, Rhyme said GSK is taking great care to protect the personal information of PARADE app users: “We take the obligation to protect participants’ data as seriously with this app as we do with data from studies performed in the traditional clinic setting.”


It’s great that Apple put an IRB requirement in place, but according to Evans, that has led to an increased market for private IRBs, and a greater potential risk of “rubber stamping” proposed studies. “It’s going to become an increasing problem as more tech companies get into the biomedical space to do research that have really promising results,” Evans said, “but don’t go about crossing all their T’s and dotting all their I’s when it comes to their human subject research ethics.”

Part of that is linked to the “fail early, fail often” mantra associated with the Silicon Valley start-up culture, which is at odds with the slow and incremental steps required for biomedical research. “It’s great to fail early and often when the worst that can happen is someone losing their Instagram account,” Evans said. “It’s a lot more serious when failing early involves giving someone an incorrect diagnosis for a congenital condition for which there isn’t a cure. So validation has to be done.”


[Bloomberg News]

Correction, 7/26/16, 5:00 PM ET: Corrects earlier version of this article to state that the GSK app, and not the Apple ResearchKit platform, worked with a private IRB.


Update, 7/26/16, 5:00 PM ET: This article has been updated to clarify the role of a private IRB in the development of the GSK app.

Share This Story

Get our newsletter



“We’re going to de-identify it, but because we’re going to make it available for lots of research, there exists the change that someone could re-identify you.”

While I’m convinced that, at some point in the future, this type of medical research will be both commonplace and invaluable, we ain’t there yet.