![Mobile health apps harvest user data, share with third parties](https://sitmspst.blob.core.windows.net/images/articles/pulmonary-rehabilitation-theres-an-app-for-that-a944c573-9e03-417d-81cd-a2e12d43b9f3-thumbnail.jpg)
Thousands of mobile health (mHealth) apps pose serious problems with privacy and have inconsistent privacy practices, reveals a study. These apps are also not transparent when dealing with user data, with just about half complying with declared privacy policies, if at all available.
“For most of the … medical and health and fitness apps analysed, we found that most can collect and potentially share data with third parties, including advertising and tracking services,” the researchers said. “The apps collected user data on behalf of hundreds of third parties, with a small number of service providers accounting for most of the collected data.”
This cross-sectional study included users of 20,991 mHealth apps (8,074 medical and 12,917 health and fitness) developed for the Android mobile platform and available in the Google Play Store in Australia. In-depth analysis was conducted on 15,838 apps not requiring a download or subscription fee, compared with 8,468 baseline non-mHealth apps.
Code that could collect user data was found in 18,472 mHealth apps (88.0 percent), and 616 (3.9 percent) transmitted user information in their traffic. [BMJ 2021;373:n1248]
External service providers or third parties were involved in most data collection operations in app code and data transmissions. The top 50 third parties were responsible for most of the data collection operations (n=2,140, 68.0 percent).
Of the user data transmissions, 774 (23.0 percent) occurred over insecure communication protocols. A total of 5,903 apps (28.1 percent) did not provide privacy policies, while 1,479 (47.0 percent) of user data transmissions complied with the privacy policy. User reviews raising concerns about privacy totaled 3,609 (1.3 percent).
“Our study analysed more than 20,000 mHealth apps on Google Play, 15,838 in detail, rather than the tens of apps assessed in previous studies,” the researchers said. “The only other study to analyse a comparable range of mHealth apps was conducted in 2015.” [JAMA Netw Open 2019;2:e192542; JAMA 2016;315:1051-1052; BMJ 2019;364:l920; BMC Med 2015;13:214; JMIR Mhealth Uhealth 2015;3:e8]
However, that one study only categorized mHealth apps into classes of potential risk and did not deliver any results on the type of user information collected, recipients of the information, and consistency of the app practices with the disclosed privacy policies.
“Our results show that the collection of personal user information is a pervasive practice in mHealth apps and not always transparent and secure,” the researchers said. “Patients should be informed on the privacy practices of these apps and the associated privacy risks before installation and use.”
Furthermore, clinicians must recognize the main privacy aspects and key functionalities of mHealth apps in their specialist area and be able to communicate these to patients in simple language.
“This is important because of the scarcity of app privacy auditing tools and the substantial lack of information on the user data flows in the apps—neither Google Play store nor the Apple store currently provide such auditing functionalities,” the researchers said.
Clinicians should do the following given such conditions: check permissions requested by the apps to access sensitive resources such as cameras, microphones, or locations; examine the app’s privacy policy; or review the app’s privacy behaviour.
Earlier studies found that mHealth users often did not read privacy policies due to their length and complicated language. However, research efforts towards using question answering systems to search for answers in long and verbose policy documents have been increasing. [J Legal Stud 2016;45:S163-190; arXiv [Preprint] 2020;2010.02557]
“We suggest that such tools, which leverage artificial intelligence for querying privacy policies in natural language, can support clinicians in identifying relevant app privacy practices and explaining them to patients,” the researchers said.