Health Apps Can Share Your Data Everywhere, New Study Shows
A study tested two dozen medicine apps to find out how and where they're sharing your personal data.
I probably give health apps way too much of my personal data. Fitness trackers know what running routes I take, pharmacy apps know what ails me, diagnosis apps know how I’m feeling, and period trackers know what birth control methods I use.
And because these apps often leak user data to third parties and beyond, Amazon, Google, and Facebook, know these things, too. Health apps can’t keep a secret.
A new study out of the University of Toronto, published in The BMJ on Wednesday, highlights privacy issues around health apps by examining how medicine management apps share personal user data. The researchers found that most of the apps they tested shared sensitive information like medical history and demographics with third parties.
The researchers examined 24 of the top-rated Android apps for health medicine management in the US, UK, Canada, and Australia, including Ada, Lexicomp, Medscape, and Medicinewise. They found that 19 out of the 24 tested apps shared user data outside of the app, frequently to third-parties like Amazon Web Services, Facebook, Google, and AT&T. An app called “Pill Identifier and Drug List” shares data with the Department of Health and Human Services.
These entities could, in turn, share data to digital advertising companies, and a consumer credit reporting agency, the researchers found. While users often must agree to this type of data-sharing, it’s typically buried in legalese in apps’ terms of service.
Of the apps examined, 33 percent of the third-parties receiving app data “provided infrastructure related services such as cloud services,” that the apps relied on to store or process user data. Sixty-seven percent “provided services related to the collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks.”
For example, Flurry is a “freemium” service that Yahoo! offers to developers in order to track user sessions and app performance. “In exchange,” the study authors note, “developers grant Flurry ‘the right for any purpose, to collect, retain, use, and publish in an aggregate manner . . . characteristics and activities of end users of your applications.’”
Amazon and Google’s parent company, Alphabet, received the highest volume of user data, followed by Microsoft.
“We quickly realized that data is the currency for mobile health,” Quinn Grundy, assistant professor at the University of Toronto nursing program, told me over the phone. “This information is really valuable to commercial interests like drug companies, insurance companies, or anyone that wants to market products that have anything to do with health.”
It’s not a new finding that many apps share user data with third parties, but the data given to health-related apps is particularly sensitive. In some cases, you’re handing over your medical history and current ailments in addition to your payment info, location, and demographics like age and gender. These can be combined to create a matrix of datapoints about you, which can be used to advertise to you. There’s also the ever-present threat of a leak if the apps or companies experience a data breach.
“I think we’re starting to see that people are discriminated against because of health conditions, or an algorithm making decisions, or they’re getting targeted with very personal marketing related to their health condition that’s quite invasive,” Grundy said. “We still have a right as a society to push back and say that this matters, and these sorts of [health] apps should not behave like a weather app or a sports app.”
Grundy told me that while not every app they tested shared data, and it is possible to find health apps that protect your privacy, app developers should do better.
“Developers really need to build mechanisms for users to be able to control their data into the app—start putting some controls over how that data can be shared and used,” she said. “I think transparency is not enough here, and it’s time to say that it’s not appropriate to commercialize certain types of data.”
This article originally appeared on Motherboard.