The official COVID-19 contact-tracing app for the state of North Dakota, designed to detect whether people have potentially been exposed to the coronavirus, sends location data and a unique user identifier to Foursquare—and other data to Google and a bug-tracking company—according to a new report from smartphone privacy company Jumbo Privacy.
The app, called Care19, is produced by ProudCrowd, a company that also makes a location-based social networking app for North Dakota State sports fans. It generates a random ID number for each person who uses it. Then, it can “anonymously cache the individual’s locations throughout the day,” storing information about where people spent at least 10 minutes at a time, according to the state website. If users test positive for the coronavirus, they can provide that information to the North Dakota Department of Health for contact-tracing purposes so that other people who spent time near virus patients can potentially be notified.
In a statement, ProudCrowd confirmed the use of Bugfender and Foursquare services and said it plans to update its privacy policies and the app in the future.
In an email to Fast Company, ProudCrowd founder Tim Brookins wrote that the random ID was included in the messages to Foursquare unintentionally, and that the company will remove it as soon as possible.
The transmission of information to Foursquare is “fairly benign, as Foursquare doesn’t actually collect our sent data,” Brookins wrote. “But easy enough for us to remove. Good catch by the security firm.”
Jennifer Skjod, a public information officer for North Dakota, says the state stands behind ProudCrowd’s statement.
“We’re confident whatever he responded [with] is exactly what we would say,” she says of Brookins’s response.
Foursquare has expanded beyond its namesake city guide app to provide location tracking for other software companies. “Foursquare receives some data from Care19, a free user of our SDK, but we do not use the data in any way and it is promptly discarded,” a company spokesperson wrote in an email to Fast Company. “For free users of our SDK, Foursquare does not use, repackage, or resell the data. Essentially, any data we might receive is immediately discarded.”
ProudCrowd also plans to make “diagnostic data collection” via Bugfender opt-in in future versions of the app, according to the company’s statement.
“This will enable users to opt in to send diagnostics when they need technical support and avoid overcollection of unneeded data on our part,” according to the statement.
In an email to Fast Company, Bugfender cofounder and CEO Jordi Giménez said he wasn’t able to confirm whether or not ProudCrowd’s app used Bugfender’s software. In general, he wrote, data sent by apps to its servers is stored securely and not shared with third parties or used for user profiling or advertising.
“We make money by charging the app makers a fee for using the tool, and their data belongs to them,” he wrote. “We don’t mess with it.”
Google Analytics for Firebase has rules about what information can be sent to the service, a Google spokesperson wrote in an email to Fast Company.
“Any developer that chooses to use Google Analytics for Firebase is prohibited from passing information, like an email address or phone number, that could personally identify someone to Google, and we use a combination of machine learning and human review to identify health apps and mark them ineligible for ads usage,” the spokesperson wrote.
“I think they are taking the appropriate steps,” he says.
The complications of contact tracing
Contact tracing, in which people who may have been exposed to a disease are notified so they can be tested and possibly treated or quarantined, has been seen as a potential way to reduce the spread of COVID-19. Apple and Google have developed software toolkits to let public health agencies build iOS and Android apps to enable automated phone proximity detection via Bluetooth, and many state and local agencies have begun hiring people to manually trace contacts of those infected with the virus. North Dakota officials have indicated future versions of Care19 will incorporate the new Apple-Google technology. A Google spokesperson indicated the app isn’t currently using that system.
“This app does not use Google’s Exposure Notification API, which strictly prohibits apps from collecting or using Android’s Advertising ID,” the spokesperson wrote in an email to Fast Company.
How well such apps will work, and whether people will install them in sufficient numbers to be useful, remain open questions, with some surveys indicating people are skeptical of the technology. Experts and activists have also raised concerns about erroneous results and privacy. A bill introduced in Congress last week would limit how such data could be used.
“Data collected in connection with contact tracing should not be used for any secondary purpose, let alone a commercial one,” wrote Ryan Calo, an associate professor at the University of Washington School of Law and a backer of the proposed law, in an email to Fast Company.
This story was updated on May 22 to include information from Google.