Beth Givens, director, Privacy Rights Clearinghouse
Craig Michael Lie Nijie, CEO, Kismet Worldwide Consulting
Related Story: The Privacy Risks Of Some Health And Fitness Apps
ST. JOHN: Maybe you're determined to do something for your health. There are numerous apps out there to help you monitor your diet, your exercise, your blood pressure, even your mental state. But how secure is your personal information on these apps? A new study shows just how common it is for third parties to access your private data from your mobile phone apps and use it for purposes that you never sanctioned. So our guest in-studio is Beth Givens, director of the nonprofit Privacy Rights Clearinghouse. Thank you so much for joining us.
GIVENS: Thank you.
ST. JOHN: And on the phone, Craig Michael Lie Nijie an app developer and a consultant of Kismet Worldwide who worked on the study.
NIJIE: Thank you.
ST. JOHN: Beth, you decided to research how people's personal information is compromised when using some phone apps. And the question could be asked about any mobile phone app, tell us which apps you decided to study and why.
ST. JOHN: Now, you are an app developer. Can you give us an example of some of these apps? How do they work?
NIJIE: The apps generally work by providing some sort of service under a particular action or activity. So maybe you're searching for drugs or symptoms on a particular health issue that you might have, maybe you're using an app that helps you monitor and manage your pregnancy or perhaps your running and takes look at how long you run and what distance you go to. Usually the app will collect information from you, either directly by you typing it in or also commonly by using some of the technologies on the device. For instance the GPS. Often we saw if you were to do a search say for AIDS support groups nearby you, the app would send your location from the GPS on your device to the service that would check whether or not those services are available near you. And then the data is generally stored on the device and also transmitted over the network. Obviously people assume that the data would get transmitted to the developer. But we were amazed at how much data was getting sent to third parties.
ST. JOHN: Right.
NIJIE: Typically advertisers and analytics were the two biggest privacy risks.
ST. JOHN: Right. Beth, you were shocked at that. We always see these windows pop up saying do you mind if we tell somebody about where you are. But what other kinds of information did you find?
GIVENS: We actually like it when it's called "just in time notice." And it would be great if that also includes consent, and many do. But we're not seeing a lot of that in this area. He mentioned a few categories. There's weight loss, quitting smoking, blood glucose monitoring. And just think of yourself, how do you view this type of information? Do you think that it's sensitive? Many people don't.
ST. JOHN: There's so much controversy about how health plans are sharing information, and here we are putting it on the web.
GIVENS: Yeah, other topics, pregnancy tracking, sleep and relaxation. The health symptom, looking for possible conditions, and you can imagine the interests by the pharmacies in that one or pharmaceutical companies. Sexually transmitted diseases. Another practice is some of these apps will ask you do you want to share your information with your social media, with your Facebook, with your Twitter? They want to make it more clubby. And that's great. We aren't pushing for people to not use these apps. We just think they need to use them in a more informed way.
GIVENS: Not necessarily. Not all apps have privacy policies. In fact some, maybe around half -- and I should say we studied a representative sampling of apps.
ST. JOHN: You're actually doing 43, which is not very many. How representative do you think it is?
GIVENS: Well, we actually did a lot of research and just thinking about the best ways to come up with the best example. So we came up with an array of apps that we thought covered the range of topics. So we picked that kind of an array. Then we did research on the most popular in those categories. This was a modest budget. It's not a big budget study at all. And we only had nine months to do the work. So we had to put limits on our research.
ST. JOHN: Right.
GIVENS: We feel like it was a representative sampling of the sorts of apps that are really popular and that a lot of people are using.
ST. JOHN: Lie, can you pick up on that?
NIJIE: Sure. There's three things I want to touch. The first is how representative. I was worried this sample sized would be too small for us to figure out trends or or high-level disclosures representative of what's going on. And I found the opposite to be true. Very quickly through a small number of apps, we found there are small numbers of privacy risk practices that are commonly employed. The top being not using encrypted kecks or using third-party advertisers or analytics.
ST. JOHN: And how can a consumer know if that's happening?
NIJIE: The only way is to actually go down and look at what's being sent over the wire, and it's very technically complex. We describe it in our technical document how we did it through TCP monitoring to watch the packets. But it's very technically complex. And the big takeaway for me on that one is it's nearly impossible for non-technologists to know what's actually being sent.
ST. JOHN: Right.
NIJIE: So consumers should just generally assume any data collected by the app will be shared not only by the developer but third-parties.
ST. JOHN: That's a pretty sweeping statement. So they should always assume their information is out there?
ST. JOHN: Okay, thank you for giving us some specific examples. That's making it a little bit more real. And can you describe what a third party is?
GIVENS: Especially for the free apps, because their trying to make money through the apps and sharing information to the ad networks, they want to know what your interests are so they can feed back to you a highly targeted ad. For the paid apps, because their business model is different, they're having the user pay, what we found is that they're less likely to be collecting and sharing your personal information because their business model doesn't require it. So there is a slight advantage from a privacy standpoint for using a paid app over a free app. Although we still found plenty of privacy problems with the free apps.
ST. JOHN: And Lie, there are things that you are saying in this report that are tips to developers. Why should they be motivated to care about a user's privacy?
NIJIE: Sure. The motivation is that if you violate somebody's privacy and their information gets sent out there, you'll get a bad reputation and lose all of your sales.
ST. JOHN: And how would you get a bad reputation?
NIJIE: If somebody figures it out and posts a comment on the individual store or goes on social media and says this app is sending my data to a third party and I didn't know that it was doing that, that is a public relations nightmare for the app company.
ST. JOHN: Since as you say, very few people have the ability to do that, many of them feel safe it's not going to happen.
NIJIE: Well, that's one of the reasons why it hasn't happened the why but we're hoping this report inspires people to take a look under the hood and do those disclosures.
ST. JOHN: Is there any way you can tell your information is being accessed?
NIJIE: There's no way to tell for certain what information is being sent over unless you look at the wire. And there's absolutely no way to tell after the information is sent to a third party what the third party is doing with it and how they're targeting. You might have some insight if you're in a diabetes app that the advertisements are diabetes-related or geographically related to your location. But there's no way to know for certain. Once the information is out, you can never have access or control of that information, and there's no way to find out through the third parties what they're doing with it.
ST. JOHN: Beth, is there some tips you can give to users? This is painting a picture of a bit of what seems like a hopeless situation. If you're going to be using these apps, your information is up for grabs in many cases.
ST. JOHN: And Lie, there any tips that you would like to add?
NIJIE: I think the most important thing is for developers to be encrypting their connections. And for users, they need to understand the privacy policies are written by lawyers and do not provide full disclosure. And the reality of the state right now is if you are using an app, you should just assume any data you put in that app is being sent to third parties.
ST. JOHN: And Beth?
GIVENS: Also looking for the contact information. If an app or its website includes the contact information for the app developer or the publisher, go ahead and contact them. And if you get a reply a live human being, that's a good indicator that they stand behind what they're doing and they're accountable.
ST. JOHN: I'd like to thank my guests.
GIVENS: Thank you.
NIJIE: Thank you, Alison.