
Mobile health applications (apps) commonly share user data without consent, according to researchers from the University of Sydney, the University of Toronto, and the University of California, who published their findings in BMJ.
In this traffic, content, and network analysis, researchers evaluated 24 medicine-related apps that were considered prominent and often downloaded, and that were rated or endorsed by credible organizations. From October to November 2017, researchers used two strategies for identifying apps. The first strategy involved a crawling program that interacted directly with the app store’s programming interface and systematically sampled the metadata of the top 100 ranked free and paid apps in the Medical store category on Google Play across four countries (United Kingdom, United States, Australia, and Canada) on a weekly basis. In the researchers’ second strategy, they screened for recommended or endorsed apps on the website of an Australian medicine-related non-profit organization, a curated health app library, a published systematic review, and personal networks of practicing pharmacists.
Researchers discerned privacy leaks using a technique called Differential Traffic Analysis. “The idea is to capture a baseline of the normal network data that an app causes, and then change privacy-related settings in the app,” said Dr. Ralph Holz from the University of Sydney’s School of Computer Science, and co-author of this study, in a press release. “The places where the new settings turn up in any fresh network data shows us where and to whom the app is leaking it.”
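The comparison Holz describes can be sketched in a few lines. This is an added illustration, not code from the study: it assumes the audited app's traffic has already been decrypted into (host, payload) pairs, and the hostnames, canary values and function names are constructed for the example.

```python
import base64
import hashlib
from urllib.parse import quote

def encodings(value):
    """Forms in which a changed setting may show up in captured traffic."""
    raw = value.encode()
    return {
        "plain": value,
        "url": quote(value, safe=""),
        "base64": base64.b64encode(raw).decode(),
        "md5": hashlib.md5(raw).hexdigest(),
        "sha256": hashlib.sha256(raw).hexdigest(),
    }

def find_leaks(baseline, changed, new_values):
    """Map each host to the (setting, encoding) pairs seen only after the change."""
    seen_before = {}
    for host, payload in baseline:
        seen_before[host] = seen_before.get(host, "") + "\n" + payload
    leaks = {}
    for host, payload in changed:
        for setting, value in new_values.items():
            for enc, needle in encodings(value).items():
                if needle in payload and needle not in seen_before.get(host, ""):
                    leaks.setdefault(host, set()).add((setting, enc))
    return leaks

# Constructed canary values entered into the app after the baseline capture.
# They contain characters that URL-encode differently from their plain form.
NEW_VALUES = {"drug": "Zyxoprol 7731", "email": "canary+dta@example.test"}
EMAIL_SHA256 = hashlib.sha256(NEW_VALUES["email"].encode()).hexdigest()

# Constructed (host, decrypted payload) pairs; every hostname is a placeholder.
BASELINE = [
    ("api.medapp.example", '{"user":"u1","drug":"none"}'),
    ("analytics.tracker.example", "GET /collect?ev=open&uid=u1"),
]
CHANGED = [
    ("api.medapp.example", '{"user":"u1","drug":"Zyxoprol 7731"}'),
    ("analytics.tracker.example", "GET /collect?ev=add&name=Zyxoprol%207731&uid=u1"),
    ("ads.broker.example", "POST /sync id=" + EMAIL_SHA256),
    ("cdn.assets.example", "GET /img/logo.png"),
]

if __name__ == "__main__":
    for host, hits in sorted(find_leaks(BASELINE, CHANGED, NEW_VALUES).items()):
        print(host, sorted(hits))
```

Checking hashed and encoded forms matters because a recipient can receive an identifier without the plain value ever appearing in the capture.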
Results Suggest High Privacy Risks
According to the study’s results, 79% (n=19) of the sampled apps shared user data. Moreover, 55 unique entities, owned by 46 parent companies, received or processed app user data, including parent companies (first party) and service providers (third party), while 33% (n=18) supplied infrastructure-related resources such as cloud services. Additionally, 67% (n=37) of entities provided services related to the aggregation of user data, including analytics or advertising, suggesting elevated privacy risks.
Furthermore, network analysis revealed that first and third parties received an average of three unique transmissions of user data. Third parties advertised having the capability of sharing user data with 216 “fourth parties,” and within this network, 237 entities had access to a median of three unique transmissions of user data. Several companies occupied central positions within the network and possessed the ability to collect and re-identify user data.
Increased Vigilance Is Needed
“Privacy regulators should consider that loss of privacy is not a fair cost for the use of digital health services,” said assistant professor Quinn Grundy of the University of Toronto and University of Sydney School of Pharmacy, Charles Perkins Centre, and lead author of the study. “Most health apps fail to provide privacy assurances or transparency around data sharing practices.”
While it’s inconclusive if iOS apps share user data, and if medicines-related apps share data at a rate more or less than other health apps, these findings remain troubling, according to Grundy, who added, “user data collected from apps providing medicines information or support may also be particularly attractive to cybercriminals or commercial data brokers.”
Grundy implores health care professionals to be vigilant when using these apps and said that they “need to be aware of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent.”