Privacy issues widespread with digital health apps, says BMJ

News
Multicultural friends group using smartphone with coffee at university college break - People hands addicted by mobile smart phone - Technology concept with connected trendy millennials - Filter image

Developers of mobile health apps are comprehensively failing to safeguard the privacy of users, according to a study by researchers in Australia.

The team from Macquarie University compared 15,000 free mobile health (mHealth) apps available on the Google Play store and compared their privacy practices to those found in 8,000 non-health apps, finding "serious problems with privacy and inconsistent privacy practices."

The range of apps put under scrutiny included tools for managing health conditions, symptom checkers, step and calorie counters, and menstruation trackers – many of which can contain sensitive health information.

Harvesting of personal data was pervasive, they write in the British Medical Journal, and patients "should be informed on the privacy practices of these apps and the associated privacy risks before installation and use."

App developers often legally share user data, but inadequate privacy disclosures have been repeatedly found for many digital health apps, preventing users from making informed choices around the data, according to the researchers.

The study found that 88% of mobile health apps included code that could potentially collect user data, and while just under 4% were transmitting information, the authors say that is still substantial and should be taken as the considered as a lower bound for the real data transmissions performed by them.

Furthermore, 87.5% of data collection operations and 56% of user data transmissions were on behalf of third party services, such as external advertisers, analytics, and tracking providers, and 665 different third parties were identified in the study.

The top 50 third parties were responsible two-thirds of the data collection operations, which most commonly were a small number of tech corporations, including Google, Facebook, and Yahoo!.

About two thirds of the mHealth apps could collect advert identifiers or cookies, one third could collect a user's email address, and about a quarter could identify the mobile phone tower to which a device was connected, potentially providing information on the user's geolocation.

Almost a quarter of those transmissions occurred on insecure communication channels so could potentially be intercepted.

"Mobile apps are fast becoming sources of information and decision support tools for both clinicians and patients," write the authors.

"Clinicians should be aware of these and articulate them to patients when determining the benefits and risks of mHealth apps," they add.

In an editorial accompanying the study, Canadian researchers say the prevalent privacy concerns mean that it is difficult – and perhaps irresponsible – to offer tips to busy clinicians or consumers about how to choose a health app that protects their privacy.

They point out that consumers can make it more difficult to be tracked by disabling advert identifiers, adjusting app permissions, and using advert blockers.

However, the editorial calls for "greater scrutiny, regulation, and accountability on the part of key players behind the scenes – the app stores, digital advertisers, and data brokers – to address whether these data should exist and how they should be used, and to ensure accountability for harms that arise."