2013-07-18

Co.Exist

While You're Cutting Calories, Health Apps Are Giving Away Your Personal Data

You can learn a lot about a person from their exercise and eating habits. Health apps know this—and so do marketers.

Ah, the wonderful world of apps. One might help you track your daily exercise routine by logging the calories you burn, the protein-conscious meals you consume, and perhaps your running route. You might share that data with Facebook to brag about all that weight you’re losing, or you might keep it between yourself and your iPhone. But regardless of how private you think you are, your running route could be transmitted over unprotected cyber-space while you’re unaware. And once those details are on the wire, who knows who’s looking at them?

A new report out from the Privacy Rights Clearinghouse, a consumer advocacy nonprofit, shows that much of our health data is exposed to third-party trackers and other interested parties through mobile apps. Setting aside data you voluntarily share through social media, PRC found that many of the 43 health and fitness apps in its representative sample send that information unencrypted to third-party trackers, marketers, and advertisers.

PRC’s findings, divided between paid and free apps, show that a minority of both had a link to their website’s privacy policy. Within that policy, protections were largely vague. Some 55% of paid apps and 52% of free apps shared aggregate data with marketers, while 43% of free and 5% of paid shared personally identifiable information (name, email address, home address, etc.) with advertisers. Meanwhile, more than 75% of free mobile health apps used behavioral tracking, compared to some 45% of the paid apps. When PRC put all the data together and ranked those apps into risk categories, they found that 17 of the 43 apps were “high risk,” meaning they collected addresses, financial information, full names, geo-location, birth date, and your health data.

Courtesy Privacy Rights Clearinghouse

“In general, neither free nor paid has very good privacy and security practices, but paid are better from the advertising standpoint,” said PRC director Beth Givens. She also pointed out that all of this information is transmitted through unencrypted networks, which essentially leaves your health data up for grabs in cyber space. “Just the fact that the URLs included information like latitude and longitude, and then specific information about very sensitive health conditions surprised me a lot,” she added.

PRC’s technical report included samples of these URLs, which would be visible to third party trackers or anyone else who can see your web request to the server. If you’ll notice, the second sample URL below not only shows that you were researching STD-related bleeding, but also includes your geo-coordinates:

“None of these are visible to the viewer,” Craig Michael Lie Njie, CEO of Kismet Worldwide Consulting, and author of the PRC technical report tells me. Instead, these URLs are embedded in the app’s network traffic, where anyone watching the packets go by on the wire can read them. “You can see what information is being sent to unencrypted URLs very easily. If you’re a technical person who can do this, you probably already know how to do this,” he added.
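The problem Njie describes is easy to check for from the developer's or auditor's side: parse the URLs an app requests and flag any that carry location, identity, or free-text health queries over a scheme other than HTTPS. The audit below is an added example, not code from the article or the PRC report; the request log lines and the host names in it are constructed, and the parameter-name lists are assumptions about common naming, not a standard.

```python
# Added example: flag app requests that put sensitive data in a cleartext URL.
# Sample traffic and host names are constructed, not taken from the PRC report.
import re
from urllib.parse import urlsplit, parse_qs

# Parameter names that usually carry location or identity (assumed list).
SENSITIVE_KEYS = {"lat", "latitude", "lon", "lng", "longitude",
                  "email", "name", "dob", "zip", "uid", "user_id"}
# Free-text keys (search boxes) whose values may describe a health condition.
FREE_TEXT_KEYS = {"q", "query", "search", "term", "symptom"}

def audit_url(url):
    """Return a list of findings for one request URL; empty means nothing flagged."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme != "https":  # anything not under TLS is readable on the wire
        params = parse_qs(parts.query, keep_blank_values=True)
        leaked = sorted(k for k in params if k.lower() in SENSITIVE_KEYS)
        if leaked:
            findings.append("cleartext identity/location params: " + ",".join(leaked))
        for k in params:
            if k.lower() in FREE_TEXT_KEYS:
                findings.append("cleartext free-text query: %s=%s" % (k, params[k][0]))
    return findings

def audit_log(lines):
    """Parse 'METHOD URL' log lines; return {url: findings} for flagged requests."""
    report = {}
    for line in lines:
        m = re.match(r"\s*(?:GET|POST)\s+(\S+)", line)
        if m:
            findings = audit_url(m.group(1))
            if findings:
                report[m.group(1)] = findings
    return report

# Constructed sample of what a proxy might log for a fitness app session.
SAMPLE_LOG = [
    "GET http://tracker.example/collect?lat=37.77&lon=-122.42&app=fit",
    "GET http://ads.example/search?q=std+bleeding&uid=123",
    "GET https://api.example/sync?lat=37.77&lon=-122.42",
    "POST http://cdn.example/static/logo.png",
]

if __name__ == "__main__":
    for url, findings in audit_log(SAMPLE_LOG).items():
        print(url)
        for f in findings:
            print("  -", f)
```

Two of the four constructed requests are flagged: the tracker call leaking coordinates and the ad-network search carrying the health term plus a user id. Moving such traffic to HTTPS removes the on-the-wire exposure, but values placed in a URL still land in server logs and referrer headers, so the longer-term fix is to keep them out of the URL altogether.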

That doesn’t even take into account what could happen to the data once it arrives at the third party trackers, or how it could loop back to you. “Let’s say that you were a heavy recreational drug user,” Njie says. “And you downloaded a free app that has analytics and advertising embedded, and you went in there and were looking for information about meth recovery. That information could get sent into a third party who could turn around and start targeting you with new meth ads.”

Givens said that PRC had made a decision not to share which apps they analyzed, but the dazzling array of health apps available means that phones can collect everything from the fine points of your menstrual flow to symptoms of some salacious disease. Earlier this month, TechCrunch’s Gregory Ferenstein wrote about how his friends were able to tell when he was having sex just by monitoring his health tracking watch. “Were I married, my wife might like to know why I burned 100 calories between 1:07 to 2:00 a.m., without taking a single step, and fell asleep right afterwards,” he writes.

Luckily, there are some best practices to avoid sharing this sort of information, the best of which is not using these apps at all, according to Givens. But if you do, “research the app before you download it, look for a privacy policy,” she said. And when you stop using an app, it’s probably a good idea to delete it as well as all the information that’s been archived.

“Because our phones are so personal, I think people forget that our communication with our apps is going out to quite a number of third parties. It’s not just going out to the website for the app,” Givens added. “You need to ask yourself how comfortable you are with that.”
