It’s a sad fact of our late capitalist world that data is one of the hottest currencies. Every move you make online–and sometimes off, too!–is likely being tracked in some way and then sold to the highest bidder. New research shows that even health apps, which often store users’ most personal information, are also sharing the data they collect. To make matters worse, for many of these programs, it’s simply impossible to opt out.
The study was performed by a team of researchers in Australia, Canada, and the U.S., reports Gizmodo. They decided to download 24 of the most popular health-related apps on Android. For each app, the team made four fake profiles and each used the programs 14 times. On the 15th time, they slightly changed the information they provided to the apps and tracked if the network traffic changed. This way, the researchers were able to see if the apps shared the data change, as well as where they shared it.
The findings were depressing. Writes Gizmodo:
Overall, they found 79 percent of apps, including [popular apps Medscape, Ada, and Drugs.com], shared at least some user data outside of the app itself. While some of the unique entities that had access to the data used it to improve the app’s functions, like maintaining the cloud where data could be uploaded by users or handling error reports, others were likely using it to create tailored advertisements for other companies. When looking at these third parties, the researchers also found that many marketed their ability to bundle together user data and share it with fourth-party companies even further removed from the health industry, such as credit reporting agencies. And while this data is said to be made completely anonymous and de-identified, the authors found that certain companies were given enough data to easily piece together the identity of users if they wanted to.
Essentially, most of the apps were sharing the data users’ input in some capacity, and often that information was shared once again with another entity. Sometimes the data would be used for advertising, other times for something related to credit reporting. (According to the study, only one credit reporting agency had an agreement with a third party: Equifax. Of course, it’s not terribly comforting that the company had one of the largest hacks in recent memory.)
The sad part is that these findings aren’t terribly surprising, nor are they illegal. Most apps broker user data in some capacity. Usually they use it for marketing and advertising, yet, as the credit report agency example shows, the data could be shared with truly anyone for myriad purposes. While third parties claim to anonymize the data, it’s been repeatedly proven that it can easily be re-identified.
The two real lessons from studies like these are that users of digital health programs need to be vigilant with the programs they use. It’s possible to protect your data, but it takes a lot of homework. But most of all, there needs to be a heightened call to protect consumers from these predatory practices.
Today, we dig deeper into your health privacy as part of our series The Privacy Divide, and find that what you don’t know about your health data could make you sick.