Health Apps Share User Data but Lack Transparency About the Practice

Mobile health apps are commonly used to track health metrics and promote healthier lifestyles, and as such, they record a range of sensitive health information. What consumers may be unaware of is how that data is used and with whom the information is shared.

Information entered into an app is commonly shared with multiple third parties and the data is often monetized, but consumers are left in the dark about the practice.

A study of data sharing practices by medicines-related apps, published in the BMJ, revealed that out of 24 apps that were studied, 19 (79%) shared user data with third parties.

The types of apps that were assessed pertained to dispensing, administration, prescribing or use of medicines. Each app was subjected to simulated real world use with four dummy scripts.

The researchers found user data was shared with 55 different entities, from 46 parent companies, which either received or processed the data. Those entities included app developers, parent companies, and third-party service providers. 67% of the third parties provided services related to the collection or analysis of data, including analytics and advertising, and 33% provided infrastructure related services.

71% of apps transmitted user data outside of the app, including information such as the name of the device, the operating system, email address, and browsing behavior. Some of the apps transmitted sensitive information such as the user’s drug list and location.

While some of the data that was shared was not particularly sensitive, such as the Android ID or device name, the information could be aggregated with other information that could allow a user to be identified. Several companies within the network had the ability to aggregate and re-identify user data.

104 transmissions were detected in the study, 94% of which were encrypted and 6% were sent in cleartext. 13% of tested aps leaked at least some user data in cleartext.

A network analysis was also performed which revealed that first and third parties received a median of three unique transmissions of user data and third parties were discovered to advertise the ability to share user data with 216 fourth parties.

Many of the apps also requested permissions which the researchers rated as dangerous. On average, the apps requested four ‘dangerous’ permissions, including permissions to read and write to device storage (79%), view Wi-Fi connections (46%), read accounts listed on the device (29%), access phone status data, including network information, phone number, and when the user received a phone call (29%), and the location of the user (25%).

While the apps were legitimate and data sharing is legal, the researchers noted that there was a lack of transparency about the use of user data. “The lack of transparency, inadequate efforts to secure users’ consent, and dominance of companies who use these data for the purposes of marketing, suggests that this practice is not for the benefit of the consumer.”

The researchers also issued a warning about medicine related apps, saying “Clinicians should be conscious about the choices they make in relation to their app use and, when recommending apps to consumers, explain the potential for loss of personal privacy as part of informed consent. Privacy regulators should consider that loss of privacy is not a fair cost for the use of digital health services.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.