This appeared a few days ago:
Researchers Create Fake Profiles On 24 Health Apps And Learn Most Are Sharing Your Data
Mar 22, 2019, 10:00am
Using apps to keep track of your medication or look up the symptoms of your latest mysterious illness might be convenient.
But a new study out this week highlights the hidden privacy risks of plugging sensitive health information into your smartphone.
Namely, that medical apps love to collect your data, but are only sometimes upfront about what they’re doing with it and with whom they’re sharing it.
Researchers in Canada, the U.S., and Australia teamed up for the study, published Wednesday in the BMJ. They tested 24 popular health-related apps used by patients and doctors in those three countries on an Android smartphone (the Google Pixel 1).
Among the more popular apps were medical reference site Medscape, symptom-checker Ada, and the drug guide Drugs.com. Some of the apps reminded users when to take their prescriptions, while others provided information on drugs or symptoms of illness.
They then created four fake profiles that used each of the apps as intended. To establish a baseline of where network traffic related to user data was relayed during the use of the app, they used each app 14 times with the same profile information.
Then, prior to the 15th use, they made a subtle change to this user information. On this final use, they looked for differences in network traffic, which would indicate that user data obtained by the app was being shared with third parties, and where exactly it was going to.
Overall, they found 79 per cent of apps, including the three listed above, shared at least some user data outside of the app itself.
While some of the unique entities that had access to the data used it to improve the app’s functions, like maintaining the cloud where data could be uploaded by users or handling error reports, others were likely using it to create tailored advertisements for other companies.
When looking at some of these third parties, the researchers also found that many marketed their ability to bundle together user data and share it with fourth-party companies even further removed from the health industry, such as credit reporting agencies.
And while this data is said to be made completely anonymous and de-identified, the authors found that certain companies were given enough data to easily piece together the identity of users if they wanted to.
The study is far from the first to show apps are sharing our data with little worry about our privacy. But the authors said theirs is the first to look at health apps directly.
And there’s seemingly little people can do about their data being seen by outside companies or leaked by nefarious actors in data breaches.
“The big issue here is that we didn’t find anything that was illegal. And these data-sharing practices are highly routine,” lead author Quinn Grundy, assistant professor at Lawrence S. Bloomberg Faculty of Nursing at the University of Toronto, told Gizmodo.
“But if you look at surveys, people feel that our health data is particularly sensitive and personal, and should therefore be protected.”
Grundy and her team also found that while some apps did disclose the possibility of data-sharing in their privacy policies, they rarely laid out where this data might end up. And no data-sharing apps gave people the ability to simply opt out.
How useful these privacy policies are at even telling people what they’re signing up for is debatable, too. Just last year, Grundy and her co-authors noted in the paper, an Australian app that booked doctors’ appointments was revealed to be sharing patient data with personal injury law firms.
More here:
Here is the abstract (full text is freely available):
Data sharing practices of medicines related apps and the mobile ecosystem: traffic, content, and network analysis
BMJ 2019; 364 doi: https://doi.org/10.1136/bmj.l920 (Published 20 March 2019) Cite this as: BMJ 2019;364:l920
- Quinn Grundy, assistant professor and honorary senior lecturer12,
- Kellia Chiu, PhD candidate2,
- Fabian Held, senior research fellow2,
- Andrea Continella, postdoctoral fellow3,
- Lisa Bero, professor2,
- Ralph Holz, lecturer in networks and security4
- Correspondence to: Q Grundy quinn.grundy@utoronto.ca (or @quinngrundy on Twitter)
- Accepted 25 February 2019
Abstract
Objectives To investigate whether and how user data are shared by top rated medicines related mobile applications (apps) and to characterise privacy risks to app users, both clinicians and consumers.
Design Traffic, content, and network analysis.
Setting Top rated medicines related apps for the Android mobile platform available in the Medical store category of Google Play in the United Kingdom, United States, Canada, and Australia.
Participants 24 of 821 apps identified by an app store crawling program. Included apps pertained to medicines information, dispensing, administration, prescribing, or use, and were interactive.
Interventions Laboratory based traffic analysis of each app downloaded onto a smartphone, simulating real world use with four dummy scripts. The app’s baseline traffic related to 28 different types of user data was observed. To identify privacy leaks, one source of user data was modified and deviations in the resulting traffic observed.
Main outcome measures Identities and characterisation of entities directly receiving user data from sampled apps. Secondary content analysis of company websites and privacy policies identified data recipients’ main activities; network analysis characterised their data sharing relations.
Results 19/24 (79%) of sampled apps shared user data. 55 unique entities, owned by 46 parent companies, received or processed app user data, including developers and parent companies (first parties) and service providers (third parties). 18 (33%) provided infrastructure related services such as cloud services. 37 (67%) provided services related to the collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks. Network analysis revealed that first and third parties received a median of 3 (interquartile range 1-6, range 1-24) unique transmissions of user data. Third parties advertised the ability to share user data with 216 “fourth parties”; within this network (n=237), entities had access to a median of 3 (interquartile range 1-11, range 1-140) unique transmissions of user data. Several companies occupied central positions within the network with the ability to aggregate and re-identify user data.
Conclusions Sharing of user data is routine, yet far from transparent. Clinicians should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent. Privacy regulation should emphasise the accountabilities of those who control and process user data. Developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom.
Here is the link:
The opening of a linked editorial says it all:
Commercial health apps: in the user’s interest?
BMJ 2019; 364 doi: https://doi.org/10.1136/bmj.l1280 (Published 21 March 2019) Cite this as: BMJ 2019;364:l1280
- Claudia Pagliari, senior lecturer in primary care
Study shows how sensitive data from health apps is finding its way to corporations
Excitement about digital health is at an all time high, with innovations in mobile personal computing, robotics, genomics, artificial intelligence, cloud based infrastructure, and more, promising to revolutionise the organisation, quality, cost effectiveness, inclusivity, and personalisation of patient care. Amid this celebration, the shadow of privacy risks continues to lurk, like an unwelcome guest at a party.
In a linked paper, Grundy and colleagues (doi:10.1136/bmj.l920) examine the surreptitious tracking and profiling of people using medicines related apps, which can generate sensitive health data.
More here:
Well done to this team for exposing the sneakiness and skullduggery.
You really do have to get up very early to catch this mob and their nefarious ways!
David.
4 comments:
The well known Australian Booking app has still after 7-8 months not removed my account although thy have confirmed several times it would be and permanently erased after 90 days.
I think the next big innovation will be data seek and destroy tools. Anything tagged to me can be sort out and destroyed like a digital eraser.
Great article David, the closing para sums it up well
Excitement about digital health is at an all time high, with innovations in mobile personal computing, robotics, genomics, artificial intelligence, cloud based infrastructure, and more, promising to revolutionise the organisation, quality, cost effectiveness, inclusivity, and personalisation of patient care. Amid this celebration, the shadow of privacy risks continues to lurk, like an unwelcome guest at a party.
Just what catastrophe needs to occur before we put the breaks on all this?
This might also add some additional perspective. https://www.healthaffairs.org/do/10.1377/hblog20181218.956406/full/
Software vendors and any other manufacturer will always do whatever they need to in order to get to market quicker than the competition. If the products meet the regulatory requirements and the products are questionable then is it the fault of the vendor?
Post a Comment