A recent editorial (March 2019) and article (Jan 2019) in the British Medical Journal have focused on how medical mobile apps, currently a booming market, routinely share users’ data. Given the purpose of these mobile applications and the fact that their use is sometimes suggested to patients by their doctors, the research sought to better understand what data, if any, was being shared and with whom. The research raises concerns that data on the user’s device, and in some cases special categories of data (health data), is in fact routinely shared. This is a concern especially since this sort of data is particularly attractive to cybercriminals and commercial data brokers. Organisations developing these sorts of apps or using similar data for research or other purposes should ensure that privacy by design is incorporated from the beginning of such development.
The Apps researched
The researchers chose 24 publicly available Android apps out of 821 apps listed as pertaining to medicines information, dispensing, administration and prescribing. They were chosen because they were frequently downloaded, rated in the top 100 or endorsed by credible organisations. They also had to be interactive. The apps were available from different jurisdictions including Australia, the UK, Canada and the US.
Using traffic analysis, via a tool called Agrigento, researchers monitored the data traffic from a Google smartphone onto which each app was downloaded. This was carried out between December 2017 and January 2018. Each app was run 14 times to set a baseline; individual input fields were then altered and the resulting change in traffic examined. This also provided domain names and IP addresses for the organisations receiving the data, which were further identified using a public WHOIS service. Each identified recipient was then researched to see with whom they might in turn share acquired personal data, as stated in their data privacy policies, terms and conditions or investor prospectus. This type of recipient is referred to as a Fourth Party within the report.
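The baseline-then-alter method described above is a form of differential traffic analysis: repeated identical runs establish which fields in each outgoing request are stable, and a value that only changes after one input was altered can be attributed to that input, even if the app hashes or encodes it before sending. The following Python example, added here and not code from the BMJ study or from the Agrigento tool, shows the idea on constructed sample captures. The host names, field names and the first-party host list are all assumptions made for the illustration.

```python
"""Differential traffic analysis on constructed app captures (added example, not Agrigento)."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple
from urllib.parse import parse_qsl

# A captured request is (destination host, form/query body). All data below is constructed.
Request = Tuple[str, str]
Run = List[Request]


def _baseline_run(session: str) -> Run:
    """One run of the app with unchanged inputs; only the session id differs between runs."""
    return [
        ("app.example-pharma.test", f"uid=42&dob=1980-01-01&sess={session}"),
        ("analytics.thirdparty.test", f"uid=42&dob=1980-01-01&geo=51.5%2C-0.1&sess={session}"),
        ("cdn.static.test", "file=logo.png"),
    ]


BASELINE_RUNS: List[Run] = [_baseline_run(s) for s in ("a1", "b2", "c3")]

# Same app and inputs, except the birth date field was altered in the UI before this run.
MODIFIED_RUN: Run = [
    ("app.example-pharma.test", "uid=42&dob=1975-05-05&sess=d4"),
    ("analytics.thirdparty.test", "uid=42&dob=1975-05-05&geo=51.5%2C-0.1&sess=d4"),
    ("cdn.static.test", "file=logo.png"),
]

# Assumed: the app developer's own backend; everything else is a third party.
FIRST_PARTY: Set[str] = {"app.example-pharma.test"}


def _by_host(run: Run) -> Dict[str, Dict[str, str]]:
    """Flatten one run into host -> {field: value}, keeping the last value seen per field."""
    out: Dict[str, Dict[str, str]] = defaultdict(dict)
    for host, body in run:
        for key, value in parse_qsl(body, keep_blank_values=True):
            out[host][key] = value
    return out


def stable_fields(baseline: List[Run]) -> Dict[str, Dict[str, str]]:
    """Per host, the fields whose value is identical in every baseline run.

    Fields that vary between identical runs (session ids, timestamps, nonces) are
    noise and are dropped here, so they cannot be mistaken for a leak later.
    """
    flattened = [_by_host(run) for run in baseline]
    hosts = set().union(*(f.keys() for f in flattened))
    stable: Dict[str, Dict[str, str]] = {}
    for host in hosts:
        per_run = [f.get(host, {}) for f in flattened]
        common_keys = set(per_run[0]).intersection(*(set(p) for p in per_run[1:]))
        stable[host] = {
            key: per_run[0][key]
            for key in common_keys
            if all(p[key] == per_run[0][key] for p in per_run)
        }
    return stable


def changed_fields(baseline: List[Run], modified: Run) -> Dict[str, Set[str]]:
    """Hosts whose stable fields changed after a single input was altered.

    A value that was constant under repeated identical runs but differs now is
    attributed to the altered input; no decoding of the value is needed.
    """
    stable = stable_fields(baseline)
    observed = _by_host(modified)
    result: Dict[str, Set[str]] = {}
    for host, fields in stable.items():
        diff = {key for key, value in fields.items() if observed.get(host, {}).get(key) != value}
        if diff:
            result[host] = diff
    return result


def third_party_recipients(changed: Dict[str, Set[str]], first_party: Set[str]) -> List[str]:
    """Hosts outside the developer's own infrastructure that received the altered input."""
    return sorted(host for host in changed if host not in first_party)


if __name__ == "__main__":
    leaks = changed_fields(BASELINE_RUNS, MODIFIED_RUN)
    for host, fields in sorted(leaks.items()):
        print(f"{host}: fields tracking the altered input -> {sorted(fields)}")
    print("third-party recipients:", third_party_recipients(leaks, FIRST_PARTY))
```

Run on the constructed captures, the analysis reports that the birth-date field reaches both the app's own backend and `analytics.thirdparty.test`, while the session id is correctly discarded as noise and the CDN host, whose traffic never changes, is not flagged. In a real assessment the captures would come from an interception proxy and the third-party hosts would then be resolved and looked up, as the study did with WHOIS.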
Apps requested, on average, 4 types of ‘dangerous permissions’ – meaning access to data resources that involve users’ private information or can affect the operation of other apps. These included WiFi connections, email, birth date, phone ID, phone number and approximate or precise location.
- 19 of the 24 apps shared user data.
- 55 unique entities were recipients of such data owned by 46 parent companies.
- Of these 55, 37 are involved in the collection, collation, analysis and commercialisation of user data in some capacity.
- 6 of the 20 ‘free’ apps contained advertising.
- 13 of the 19 for-profit apps had a Crunchbase profile (Crunchbase processes web-traffic information and mobile app analytics, the number of Android application downloads, app store rating growth, and app revenue data).
- Amazon.com and Alphabet (parent company of Google) received the highest volume of user data.
- From these 24 apps, 237 Fourth Parties were identified. Each potentially had access to, on average, 3 unique transmissions of user data from the apps researched.
Concerns of the authors and editor of the BMJ
The value of health information to both the insurance and financial sectors is mentioned as a particular concern. While previous studies have shown the ‘leaking’ of data from Android apps, this study focused particularly on medical data. Given the time we spend online and our reliance on our devices, the shadowy role of commercial data brokers should be a concern for us all. Given the cooperation of the public sector with these brokers to better “understand society”, this surreptitious sharing of our data may pose threats not only to our privacy but to our self-determination. The authors believe privacy regulators should consider the loss of privacy as not being a fair cost for the use of digital health services. Given the dominance of the key players, more transparency and better efforts at securing users’ consent should also be required of those developing such apps.
Transparency is key for developers of such apps. While well-designed medical apps can do much to help medical practitioners and their patients achieve a better standard of care, privacy risks to users need to be clearly mapped out. This should be done by developers through a well-thought-through Data Privacy Impact Assessment (DPIA). They should also ensure that the average user can easily understand how their personal data will be processed. This includes 1) how it will be used and 2) with whom it may be shared. Such communication can be achieved with clearer and more robust Data Sharing Statements and well-written Privacy Notices. Medical professionals who may be using these apps, or recommending them to patients, also have an obligation to help protect the confidentiality of their patients by better understanding how these apps operate. Failure to do so may expose a practice, at the least, to reputational damage.
For more information visit Trilateral Data Protection Officer page and contact our team.