Data sharing in health apps ‘far from transparent’, BMJ research warns

Data sharing in popular health apps is “far from transparent” and developers need to allow users to choose precisely what data is shared, experts have warned.

Out of 24 apps tested 19 shared data with outside companies, such as Google and Amazon, research published in the BMJ found.

Researchers warned the data could then be passed onto other parties, like advertising and credit agencies.

Regulators should emphasise the accountabilities of those who control and process user data, and developers should disclose all data sharing practices, they wrote in the journal.

App developers legally and routinely share data but evidence suggest many fail to provide privacy assurances around how they share the data.

This poses unprecedented risk to a users privacy, given the sensitive personal information the apps usually collect.

Researchers led by assistant professor Quinn Grundy, of the University of Toronto, investigated how user data is shared by health apps and the privacy risks to users and clinicians.

They identified the 24 top rated apps for Android in the United Kingdom, United States, Canada and Australia.

All were available to the public, provided information about medicines dispensing, administration, prescribing, or use, and were interactive.

Researchers downloaded each app and used four dummy user profiles to simulate real-world use.

They ran each app 14 times and found baseline traffic relating to 28 different types of user data.

They then altered one source of user information and ran the app again to detect if any sensitive information was sent to a remote server outside of the app.

Companies receiving sensitive user data were then identified by their IP address, and their websites and privacy policies were analysed.

Some 79% (19) of the sampled apps shared data outside of the app.

A total of 55 unique entities, owned by 46 parent companies, received or processed app user data, including developers and parent companies – first parties – and service providers – third parties.

Of these, 33% provided infrastructure services like cloud and 67% provided services related to the collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks.

Both Amazon.com and Alphabet – the parent company of Google, received the highest volume of user data, followed by Microsoft.

Third parties also advertised the ability to share user data with 216 “fourth parties” including multinational technology companies, digital advertising companies, telecommunications corporations and a consumer credit reporting agency.

Only three of these fourth parties could be characterised predominantly as belonging to the health sector.

Several companies, including Alphabet, Facebook, and Oracle, occupied central positions within the network with the ability to aggregate and re-identify user data

But it is unknown whether iOS apps share user data, like the Android apps tested, and whether those tested share user data more or less than other health apps.

Researchers say their findings still suggest that health professionals “should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent”.

Privacy regulators should also consider that loss of privacy is not a fair cost for the use of digital health services, they concluded.