Using apps to keep track of your medication or look up the symptoms of your latest mysterious illness might be convenient. But a new study out this week highlights the hidden privacy risks of plugging sensitive health information into your smartphone. Namely, that medical apps love to collect your data, but are only sometimes upfront about what they’re doing with it and with whom they’re sharing it.
Researchers in Canada, the U.S., and Australia teamed up for the study, published Wednesday in the BMJ. They tested 24 popular health-related apps used by patients and doctors in those three countries on an Android smartphone (the Google Pixel 1). Among the more popular apps were medical reference site Medscape, symptom-checker Ada, and the drug guide Drugs.com. Some of the apps reminded users when to take their prescriptions, while others provided information on drugs or symptoms of illness.
They then created four fake profiles that used each of the apps as intended. To establish a baseline of where network traffic related to user data was relayed during the use of the app, they used each app 14 times with the same profile information. Then, prior to the 15th use, they made a subtle change to this user information. On this final use, they looked for differences in network traffic, which would indicate that user data obtained by the app was being shared with third parties, and where exactly it was going to.
Overall, they found 79 percent of apps, including the three listed above, shared at least some user data outside of the app itself. While some of the unique entities that had access to the data used it to improve the app’s functions, like maintaining the cloud where data could be uploaded by users or handling error reports, others were likely using it to create tailored advertisements for other companies. When looking at these third parties, the researchers also found that many marketed their ability to bundle together user data and share it with fourth-party companies even further removed from the health industry, such as credit reporting agencies. And while this data is said to be made completely anonymous and de-identified, the authors found that certain companies were given enough data to easily piece together the identity of users if they wanted to.
The study is far from the first to show apps are sharing our data with little worry about our privacy. But the authors said theirs is the first to look at health apps directly. And there’s seemingly little people can do about their data being seen by outside companies or leaked by nefarious actors in data breaches.
“The big issue here is that we didn’t find anything that was illegal. And these data-sharing practices are highly routine,” lead author Quinn Grundy, assistant professor at Lawrence S. Bloomberg Faculty of Nursing at the University of Toronto, told Gizmodo. “But if you look at surveys, people feel that our health data is particularly sensitive and personal, and should therefore be protected.”
Grundy and her team also found that while some apps did disclose the possibility of data-sharing in their privacy policies, they rarely laid out where this data might end up. And no data-sharing apps gave people the ability to simply opt out. How useful these privacy policies are at even telling people what they’re signing up for is debatable, too. Just last year, Grundy and her co-authors noted in the paper, an Australian app that booked doctors’ appointments was revealed to be sharing patient data with personal injury law firms. Though the company said it properly informed users about the data-sharing, the government’s health ministry has since promised an investigation into the app.
There have been some governmental efforts to better protect people’s data, most notably the General Data Protection Regulation passed in the EU last May. But though Grundy’s team did notice an increase in transparency on how data was shared by some apps following the GDPR’s passage, there’s still the fundamental issue of whether this data should be shared at all, given the risks. Grundy added that while GDPR was certainly a good start, governments around the world should begin setting a global privacy standard, one that might decide that this kind of data-sharing ought to be completely off-limits.
For the time being, customers have no real say in what companies can do with their data once they choose to share it. But Grundy said there were some silver linings in their findings. A few of the apps they studied, such as My PillBox (a medication reminder) or DrugDoses (an Australian-based app that helps doctors figure the right doses for different patient groups) shared no outside data. And there are steps privacy-minded people can take to protect themselves.
“I think a consumer who’s really vigilant can go through and look for an app, particularly one that functions offline and so it’s not requesting network access. That way, they know for sure their data is not being sent somewhere else,” she said.
Grundy and her team hope to expand their research to iPhone apps, as well as to figure out the exact risks to consumers posed by these data-sharing practices.