Ah, the wonderful world of apps. One might help you track your daily exercise routine by logging the calories you burn, the protein-conscious meals you consume, and perhaps your running route. You might share that data with Facebook to brag about all that weight you’re losing, or you might keep it between yourself and your iPhone. But regardless of how private you think you are, your running route could be transmitted over unprotected cyber-space while you’re unaware. And once those details are on the wire, who knows who’s looking at them?
A new report from the Privacy Rights Clearinghouse (PRC), a consumer advocacy nonprofit, shows that much of our health data is exposed to third-party trackers and other interested parties through mobile apps. Setting aside the data you voluntarily share through social media, PRC found that many apps in a representative sample of 43 health and fitness apps send that information unencrypted to third-party trackers, marketers, and advertisers.
“In general, neither free nor paid has very good privacy and security practices, but paid are better from the advertising standpoint,” said PRC director Beth Givens. She also pointed out that all of this information is transmitted through unencrypted networks, which essentially leaves your health data up for grabs in cyber space. “Just the fact that the URLs included information like latitude and longitude, and then specific information about very sensitive health conditions surprised me a lot,” she added.
PRC’s technical report included samples of these URLs, which would be visible to third party trackers or anyone else who can see your web request to the server. If you’ll notice, the second sample URL below not only shows that you were researching STD-related bleeding, but also includes your geo-coordinates:
“None of these are visible to the viewer,” Craig Michael Lie Njie, CEO of Kismet Worldwide Consulting, and author of the PRC technical report tells me. Instead, these URLs are embedded, but some people can watch packets of this data go by on the network wire. “You can see what information is being sent to unencrypted URLs very easily. If you’re a technical person who can do this, you probably already know how to do this,” he added.
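The two problems the report describes, data carried in the URL itself and that URL travelling over plain HTTP, are both things an app developer or privacy reviewer can check for in their own app's outbound requests before release. The script below is an added example written for this article, not code from the PRC report or from Kismet Worldwide Consulting; the URLs, hostnames, parameter names and keyword lists in it are constructed for illustration, and the request list is what you would collect from your own test device, not from anyone else's traffic.

```python
"""
Audit a list of an app's own outbound request URLs for two privacy defects:
plaintext (http://) transport, and location or health-related data carried
in the URL path or query string. Everything below is constructed sample data
for this example; it is not taken from the PRC report.
"""
from urllib.parse import urlparse, parse_qs

# Query-parameter names that commonly carry location data. Assumed names,
# chosen for illustration; real apps use whatever names their SDKs pick.
LOCATION_KEYS = {"lat", "latitude", "lon", "lng", "longitude", "geo"}

# Substrings that suggest a health condition or health-related search.
# Assumed list for the example; a real audit would use a fuller vocabulary.
HEALTH_TERMS = {"std", "hiv", "pregnan", "depress", "meth", "recovery", "symptom"}

# Constructed sample requests, as an app might emit them to analytics,
# API, advertising and CDN hosts. The hostnames are placeholders.
SAMPLE_URLS = [
    "http://analytics.example.net/track?app=fitlog&lat=37.77&lon=-122.41&q=std+bleeding",
    "https://api.example.com/v1/sync?user=abc123",
    "http://ads.example.org/imp?campaign=42&kw=meth%20recovery",
    "https://cdn.example.com/static/logo.png",
]


def audit_url(url: str) -> dict:
    """Return what a passive observer of this request would learn from the URL alone."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)  # decodes '+' and %XX escapes in values
    plaintext = parsed.scheme.lower() == "http"

    # Location leaks: any known coordinate parameter name present in the query.
    location = sorted(k for k in params if k.lower() in LOCATION_KEYS)

    # Health leaks: search the path and every query value for sensitive terms.
    values = " ".join(v for vals in params.values() for v in vals)
    haystack = (parsed.path + " " + values).lower()
    health = sorted(t for t in HEALTH_TERMS if t in haystack)

    findings = []
    if plaintext:
        findings.append("plaintext transport")
    if location:
        findings.append("location in URL: " + ",".join(location))
    if health:
        findings.append("health terms in URL: " + ",".join(health))

    return {
        "host": parsed.hostname,
        "plaintext": plaintext,
        "location_keys": location,
        "health_terms": health,
        "findings": findings,
    }


def audit(urls):
    """Audit every URL in the list."""
    return [audit_url(u) for u in urls]


def high_risk(urls):
    """URLs that both travel in plaintext and carry location or health data:
    exactly the combination the PRC report warns about."""
    return [r for r in audit(urls)
            if r["plaintext"] and (r["location_keys"] or r["health_terms"])]


if __name__ == "__main__":
    for r in audit(SAMPLE_URLS):
        print(r["host"], "->", "; ".join(r["findings"]) or "no findings")
    print("high risk:", [r["host"] for r in high_risk(SAMPLE_URLS)])
```

Run against the constructed list, the analytics and advertising requests are flagged as high risk (plaintext plus coordinates or health terms) while the HTTPS API and CDN requests are not. Substring matching on a short keyword list will produce false positives, so treat the output as a list of requests to review by hand, and remember that moving to HTTPS hides the URL from observers on the wire but does nothing about what the third-party tracker at the other end does with it.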
That doesn’t even take into account what could happen to the data once it arrives at the third party trackers, or how it could loop back to you. “Let’s say that you were a heavy recreational drug user,” Njie says. “And you downloaded a free app that has analytics and advertising embedded, and you went in there and were looking for information about meth recovery. That information could get sent into a third party who could turn around and start targeting you with new meth ads.”
Although Givens said that PRC had decided not to disclose which apps it analyzed, the dazzling array of health apps available means that phones can collect everything from the fine points of your menstrual flow to the symptoms of some salacious disease. Earlier this month, TechCrunch’s Gregory Ferenstein wrote about how his friends were able to tell when he was having sex just by monitoring his health tracking watch. “Were I married, my wife might like to know why I burned 100 calories between 1:07 to 2:00 a.m., without taking a single step, and fell asleep right afterwards,” he writes.
“Because our phones are so personal, I think people forget that our communication with our apps is going out to quite a number of third parties. It’s not just going out to the website for the app,” Givens added. “You need to ask yourself how comfortable you are with that.”