The Privacy Risks Of Some Health And Fitness Apps

[[[NEW SEGMENT]]]. ST. JOHN: Maybe you're determined to do something for your health. There are numerous apps out there to help you monitor your diet, your exercise, your blood pressure, even your mental state. But how secure is your personal information on these apps? A new study shows just how common it is for third parties to access your private data from your mobile phone apps and use it for purposes that you never sanctioned. So our guest in-studio is Beth Givens, director of the nonprofit Privacy Rights Clearinghouse. Thank you so much for joining us. GIVENS: Thank you. ST. JOHN: And on the phone, Craig Michael Lie Nijie an app developer and a consultant of Kismet Worldwide who worked on the study. NIJIE: Thank you. ST. JOHN: Beth, you decided to research how people's personal information is compromised when using some phone apps. And the question could be asked about any mobile phone app, tell us which apps you decided to study and why. GIVENS: Well, we chose the category health and fitness apps. And if you go to the two main app stores, the Google Play android store, and the apple IOS store, they each have a category called health and fitness. And there are tens of thousands, and I've heard even millions of apps all together. There were at least a thousand just in the health and fitness categories. And most people consider their health information to be probably the most sensitive information about them. I think financial would be a close second. And we started with absolutely no knowledge. We just had a hunch that there could be some unwise information practices going on for lack of a better term. And we wanted to see if indeed personal information was being, No.1, collected, No.2, disseminated in ways that individuals were not told in the privacy policy. ST. JOHN: Now, you are an app developer. Can you give us an example of some of these apps? How do they work? NIJIE: The apps generally work by providing some sort of service under a particular action or activity. So maybe you're searching for drugs or symptoms on a particular health issue that you might have, maybe you're using an app that helps you monitor and manage your pregnancy or perhaps your running and takes look at how long you run and what distance you go to. Usually the app will collect information from you, either directly by you typing it in or also commonly by using some of the technologies on the device. For instance the GPS. Often we saw if you were to do a search say for AIDS support groups nearby you, the app would send your location from the GPS on your device to the service that would check whether or not those services are available near you. And then the data is generally stored on the device and also transmitted over the network. Obviously people assume that the data would get transmitted to the developer. But we were amazed at how much data was getting sent to third parties. ST. JOHN: Right. NIJIE: Typically advertisers and analytics were the two biggest privacy risks. ST. JOHN: Right. Beth, you were shocked at that. We always see these windows pop up saying do you mind if we tell somebody about where you are. But what other kinds of information did you find? GIVENS: We actually like it when it's called "just in time notice." And it would be great if that also includes consent, and many do. But we're not seeing a lot of that in this area. He mentioned a few categories. There's weight loss, quitting smoking, blood glucose monitoring. And just think of yourself, how do you view this type of information? Do you think that it's sensitive? Many people don't. ST. JOHN: There's so much controversy about how health plans are sharing information, and here we are putting it on the web. GIVENS: Yeah, other topics, pregnancy tracking, sleep and relaxation. The health symptom, looking for possible conditions, and you can imagine the interests by the pharmacies in that one or pharmaceutical companies. Sexually transmitted diseases. Another practice is some of these apps will ask you do you want to share your information with your social media, with your Facebook, with your Twitter? They want to make it more clubby. And that's great. We aren't pushing for people to not use these apps. We just think they need to use them in a more informed way. ST. JOHN: I think we need to make that point. We're not just slamming all apps by any means. And we might talk more about the distinctions and tips for people to distinguish between apps that might be sharing information with third parties. Isn't there a privacy policy that you sign up for when you sign up for an app? GIVENS: Not necessarily. Not all apps have privacy policies. In fact some, maybe around half -- and I should say we studied a representative sampling of apps. ST. JOHN: You're actually doing 43, which is not very many. How representative do you think it is? GIVENS: Well, we actually did a lot of research and just thinking about the best ways to come up with the best example. So we came up with an array of apps that we thought covered the range of topics. So we picked that kind of an array. Then we did research on the most popular in those categories. This was a modest budget. It's not a big budget study at all. And we only had nine months to do the work. So we had to put limits on our research. ST. JOHN: Right. GIVENS: We feel like it was a representative sampling of the sorts of apps that are really popular and that a lot of people are using. ST. JOHN: Let's go back to the privacy policy. What is it that we should be looking for? First if they have one. GIVENS: Yeah, look to see if they have one. And about 3/4 do. Either in the app itself or they'll send you to a website that has the privacy policy. Sometimes they didn't make it easy to find the policy. Then for those that have it, and this is where we used Lie and his work as a technologist, does the policy fully explain what is being done to personal data? And we realized this is all done quite invisibly. If you're really tech-savvy and have a technologist background, you can use skills that enable you to follow the bits and the bites where they go. But the vast majority of people don't have that skill. ST. JOHN: Lie, can you pick up on that? NIJIE: Sure. There's three things I want to touch. The first is how representative. I was worried this sample sized would be too small for us to figure out trends or or high-level disclosures representative of what's going on. And I found the opposite to be true. Very quickly through a small number of apps, we found there are small numbers of privacy risk practices that are commonly employed. The top being not using encrypted kecks or using third-party advertisers or analytics. ST. JOHN: And how can a consumer know if that's happening? NIJIE: The only way is to actually go down and look at what's being sent over the wire, and it's very technically complex. We describe it in our technical document how we did it through TCP monitoring to watch the packets. But it's very technically complex. And the big takeaway for me on that one is it's nearly impossible for non-technologists to know what's actually being sent. ST. JOHN: Right. NIJIE: So consumers should just generally assume any data collected by the app will be shared not only by the developer but third-parties. ST. JOHN: That's a pretty sweeping statement. So they should always assume their information is out there? NIJIE: What we found is that it's exactly the opposite of what you'd expect. If there was no privacy policy or the policy was thin or badly written, the actual practices of those apps were more privacy aware or privacy secure or the developers just hadn't put in third-party analytics or advertising. It was the apps that had the detailed privacy policies that were the most worrisome because the policies are written by lawyers to make sure that the app developer is covered in all cases. And they'll use blanket statements like for testing the app we might use a third-party analytic service, and that'll be the entire statement. And they won't tell you that every place that you click and every search term that you search for is sent to a third-party, exposing the search term. So if you're searching for sexual dysfunction or AIDS support group, that information is sent directly to the third party. ST. JOHN: Okay, thank you for giving us some specific examples. That's making it a little bit more real. And can you describe what a third party is? GIVENS: Especially for the free apps, because their trying to make money through the apps and sharing information to the ad networks, they want to know what your interests are so they can feed back to you a highly targeted ad. For the paid apps, because their business model is different, they're having the user pay, what we found is that they're less likely to be collecting and sharing your personal information because their business model doesn't require it. So there is a slight advantage from a privacy standpoint for using a paid app over a free app. Although we still found plenty of privacy problems with the free apps. ST. JOHN: And Lie, there are things that you are saying in this report that are tips to developers. Why should they be motivated to care about a user's privacy? NIJIE: Sure. The motivation is that if you violate somebody's privacy and their information gets sent out there, you'll get a bad reputation and lose all of your sales. ST. JOHN: And how would you get a bad reputation? NIJIE: If somebody figures it out and posts a comment on the individual store or goes on social media and says this app is sending my data to a third party and I didn't know that it was doing that, that is a public relations nightmare for the app company. ST. JOHN: Since as you say, very few people have the ability to do that, many of them feel safe it's not going to happen. NIJIE: Well, that's one of the reasons why it hasn't happened the why but we're hoping this report inspires people to take a look under the hood and do those disclosures. ST. JOHN: Is there any way you can tell your information is being accessed? NIJIE: There's no way to tell for certain what information is being sent over unless you look at the wire. And there's absolutely no way to tell after the information is sent to a third party what the third party is doing with it and how they're targeting. You might have some insight if you're in a diabetes app that the advertisements are diabetes-related or geographically related to your location. But there's no way to know for certain. Once the information is out, you can never have access or control of that information, and there's no way to find out through the third parties what they're doing with it. ST. JOHN: Beth, is there some tips you can give to users? This is painting a picture of a bit of what seems like a hopeless situation. If you're going to be using these apps, your information is up for grabs in many cases. GIVENS: Yes. You can do some research on the app. One of the pieces of advice that we give in general to consumers wanting to protect their privacy is use your favorite search engine and put in the name of the app followed by the word reviews, and just see what's being said. Oftentimes in some of the more technically oriented magazines and publications, there will be reviews. Of then do the same thing in your favorite search engine. Put in the name of the app plus the word complaints. And see if anything comes up that way. I mentioned that paid apps are slightly more privacy friendly than free. So of course look to see if this issue that you're dealing with regarding your health or wellness might have some paid apps, then take a look at them. And always look for the privacy policy, if it has, and then just see if you can determine from the privacy policy what's going on. But unfortunately as Lie has described so well, it's not -- the privacy policy is not always giving you a super clear picture. ST. JOHN: And Lie, there any tips that you would like to add? NIJIE: I think the most important thing is for developers to be encrypting their connections. And for users, they need to understand the privacy policies are written by lawyers and do not provide full disclosure. And the reality of the state right now is if you are using an app, you should just assume any data you put in that app is being sent to third parties. ST. JOHN: And Beth? GIVENS: Also looking for the contact information. If an app or its website includes the contact information for the app developer or the publisher, go ahead and contact them. And if you get a reply a live human being, that's a good indicator that they stand behind what they're doing and they're accountable. ST. JOHN: I'd like to thank my guests. GIVENS: Thank you. NIJIE: Thank you, Alison.