An analysis of 20, 000 health-related mobile applications has found "serious problems with privacy" from sharing private information to tracking user location.
Health App. Image Credit: DenPhotos/Shutterstock.com
A “pervasive practice” across mobile health applications
The study published in the journal The BMJ has found "serious problems with privacy and inconsistent privacy practices" after analyzing 20,000 mobile health applications.
An estimated 99,366 apps across the Google Play and Apple Store belong to the medical and health and fitness categories (referred to as mobile health or mHealth apps). These apps include a range of functionalities from tracking calories and menstruation cycles to the management of health conditions and chronic symptoms.
Researchers from Macquarie University in Australia have now more than 15,000 free mHealth apps in the Google Play store and compared their privacy practices with a random sample of non-health apps. They found that while mHealth apps collected fewer user data than other types of mobile apps, 88% could access and potentially share personal data.
This ability to collect and share data is not referred to across the terms and conditions of medical apps, preventing users from making informed choices around the data. Authors from the study note that users "should be informed on the privacy practices of these apps and the associated privacy risks before installation and use."
Such exploitation of private data is an emerging trend among electronic applications across platforms as app developers routinely, and legally, share user data, but frequently do not disclose the privacy terms, as found in many mHealth apps.
Undisclosed data gathering and data sharing with third-parties
Overall, researchers found that 88% of the mobile apps considered could access and potentially share personal data. More concerning is that 87.5% of data collection operations and 56% of user data transmissions were on behalf of third-party services that include external advertisers, analytics, and tracking providers, and 23% of user data transmissions occurred on insecure communication channels.
Such data sharing was rarely disclosed in any privacy statement on behalf of the application developers. The researchers found that 5,903 of the mHealth apps did not offer any privacy policy text at all, and 15,480 of user data transmissions violated what was stated in the privacy policies.
This sharing remained under the radar for the vast majority of app users, as only 1.3% (3,609) of user reviews raised privacy concerns.
From the data shared with third-parties, the most common third parties were responsible for most (68%) of the data collection operations, which most commonly were a small number of tech corporations, including Google, Facebook, and Yahoo! These companies often accumulate data on users and assemble profiles to then inform advertisements and offers related to consumer information, yet it occurs often to the detriment of privacy policies.
A complex picture but an alarming concern for the privacy of medical application users
Despite the study raising key concerns on the privacy of users, the data collected remains observational and requires further data to determine how privacy is breached, how the data is being used, and whether apps requiring purchases also gather data. This would extend the analysis further as the present study only considered free applications, introducing a potential bias as developers may seek to sell users' data as an alternative source of remuneration.
Further research could therefore provide better insight into the underlying reasoning and potential biases of data collection.
Nevertheless, researchers are confident their study encompasses a broad assessment of mHealth apps compared with previous studies, and they conclude:
This analysis found serious problems with privacy and inconsistent privacy practices in mHealth apps. Clinicians should be aware of these and articulate them to patients when determining the benefits and risks of mHealth apps."
The research team also indicates that the consumers can make it more difficult to be tracked by disabling advert identifiers, adjusting app permissions, and using advert blockers. However, even despite such measures, applications can easily gather and send data.
Researchers echoed the general sentiment regarding privacy policies, affirming that "we must also advocate for greater scrutiny, regulation, and accountability on the part of key players behind the scenes - the app stores, digital advertisers, and data brokers - to address whether these data should exist and how they should be used, and to ensure accountability for harms that arise."
Journal reference:
- BMJ 2021;373:n1429 http://dx.doi.org/10.1136/bmj.n1429