Health app developers should allow users to choose precisely what data are shared and with whom, researchers at the BMJ say
Sharing of user data by popular mobile health apps is routine, yet far from transparent, according to experts in a study published in The BMJ.
They say regulators should emphasise the accountabilities of those who control and process user data, and health app developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom.
App developers routinely – and legally – share user data. However, evidence suggests that many health apps fail to provide privacy assurances around data sharing practices, and pose risk to consumers’ privacy, given their ability to collect sensitive and personal health information.
Researchers, led by assistant professor Quinn Grundy at the University of Toronto, set out to investigate whether and how user data are shared by popular medicines related mobile apps and to characterise privacy risks to app users, both clinicians and consumers.
They identified 24 top rated medicines related apps for the Android mobile platform in the UK, US, Canada and Australia.
All apps were available to the public, provided information about medicines dispensing, administration, prescribing, or use and were interactive.
First, the researchers downloaded each app onto a smartphone and used four dummy user profiles to simulate real world use.
They ran each app 14 times and found baseline traffic relating to 28 different types of user data. They then altered one source of user information and ran the app again to detect any privacy leaks (sensitive information sent to a remote server, outside of the app).
Companies receiving sensitive user data were then identified by their IP address, and their websites and privacy policies were analysed.
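The differential check described above can be sketched in a few lines. This is an added example, not code from the study or from this article, and it assumes captured traffic has already been reduced to (host, field, value) tuples; the host names, field names and values are constructed.

```python
from collections import defaultdict

def stable_fields(baseline_runs):
    """Map (host, field) -> value for fields sent with the same value in every baseline run."""
    values, present = defaultdict(set), defaultdict(int)
    for run in baseline_runs:
        for host, field, value in run:
            values[(host, field)].add(value)
        for key in {(h, f) for h, f, _ in run}:
            present[key] += 1
    return {k: next(iter(v)) for k, v in values.items()
            if len(v) == 1 and present[k] == len(baseline_runs)}

def detect_leaks(baseline_runs, altered_run):
    """Flag fields that were constant at baseline but changed once one profile input changed."""
    stable = stable_fields(baseline_runs)
    return sorted((host, field, stable[(host, field)], value)
                  for host, field, value in altered_run
                  if (host, field) in stable and stable[(host, field)] != value)

def outside_first_party(leaks, first_party_hosts):
    """Keep only leaks sent to hosts the app developer does not operate."""
    return [leak for leak in leaks if leak[0] not in first_party_hosts]

# Constructed sample traffic: hosts, field names and values are invented for illustration.
def make_run(i, medicine):
    return [
        ("api.app.example", "medicine", medicine),       # first party
        ("analytics.example", "evt_label", medicine),    # third party, carries user input
        ("analytics.example", "session", f"s{i}"),       # changes every run: noise
        ("api.app.example", "ts", str(1000 + i)),        # changes every run: noise
        ("ads.example", "device_os", "android"),         # constant, unrelated to the input
    ]

BASELINE = [make_run(i, "aspirin") for i in range(14)]   # 14 baseline runs, as in the study
ALTERED = make_run(14, "warfarin")                       # one source of user data altered

if __name__ == "__main__":
    leaks = detect_leaks(BASELINE, ALTERED)
    for host, field, old, new in outside_first_party(leaks, {"api.app.example"}):
        print(f"{host}: field {field!r} tracks user input ({old!r} -> {new!r})")
```

Fields that vary between baseline runs, such as session identifiers and timestamps, are excluded, so only values that move with the altered input are reported.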
Most (79%) of the sampled apps shared user data outside of the app.
A total of 55 unique entities, owned by 46 parent companies, received or processed app user data, including developers and parent companies (first parties) and service providers (third parties).
Of these, 18 (33%) provided infrastructure related services such as cloud services and 37 (67%) provided services related to the collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks.
Network analysis revealed that first and third parties received an average of three unique transmissions of user data. Both Amazon.com and Alphabet (the parent company of Google) received the highest volume of user data (24 unique transmissions), followed by Microsoft (14).
Third parties also advertised the ability to share user data with 216 “fourth parties” including multinational technology companies, digital advertising companies, telecommunications corporations, and a consumer credit reporting agency.
Only three of these fourth parties could be characterised predominantly as belonging to the health sector.
Several companies, including Alphabet, Facebook, and Oracle, occupied central positions within the network with the ability to aggregate and re-identify user data.
The researchers point to some limitations that may have influenced the results – for example, it is unknown whether iOS apps share user data and whether these apps share user data more or less than other health apps, or apps in general.
Nevertheless, they say their findings suggest that health professionals “should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent.”