Coronavirus: US contact tracing app shares private data with outside firm

Passing information breaches app's own privacy policy

Geoffrey A. Fowler
Friday 22 May 2020 10:08 BST
Care19, the contact tracing app which the governors of North Dakota and South Dakota asked residents to download, has been found to breach its own privacy rules (Reuters)

As governments build coronavirus-tracking smartphone tech, who is making sure their apps live up to privacy promises?

A new analysis of one of the first US contact-tracing apps, North and South Dakota's Care19, found that it violates its own privacy policy by sharing location and other personal data with an outside company. The review was published on Thursday by privacy-software maker Jumbo.

The analysis suggests that state officials and Apple, both of which were responsible for vetting the app before it became available on 7 April, were asleep at the wheel. Americans are especially wary of location and health data, and privacy violations of any degree will hamper efforts to use smartphones both to trace contact and to provide exposure notifications.

The states turned to North Dakota app maker ProudCrowd to make Care19. ProudCrowd, which did not charge the states for the app development, confirmed that some data from its iPhone app goes to Foursquare, a prominent location-data provider for marketers - but says it is not used for commercial purposes (the Google Android version of Care19 uses Foursquare in a way that obscures the data, ProudCrowd said). Still, ProudCrowd says it plans to change Care19's privacy policy and will share less data in the future.

“Should this have been vetted? Yes. We are following up on that as we speak,” said Vern Dosch, North Dakota's contact-tracing facilitator. “We know that people are very sensitive.” Health officials in South Dakota did not immediately reply to requests for comment.

Apple said it was investigating the report, and if it finds that an app is out of compliance it works with the developer to get it into compliance.

Foursquare does not “use the data in any way, and it is promptly discarded”, said spokesperson Jennifer Yu.

Health authorities are moving fast to build coronavirus apps, often with limited technical resources. They are relying on commercial tracking companies and murky privacy protections - and under those conditions, it is not clear whether consumers should trust them.

The Care19 app is upfront that its main purpose is to voluntarily collect location data, which differs from a new set of apps that use Bluetooth technology from Apple and Google to provide anonymous exposure alerts without collecting location data. Care19 calls itself a “digital diary” to help people remember where they have been over the previous 14 days so that they can retrace their steps and the people they have been in contact with, should they contract the coronavirus.

If users do test positive, the app lets them volunteer to share their location data with the state's health department to assist in its efforts to slow the spread of the virus.

But Care19's privacy policy says the location data is “private to you” and is “stored securely” on servers belonging to ProudCrowd. Location “will not be shared with anyone including government entities or third parties”, it says.

That is where the privacy review by Jumbo finds the app falling short. Tracing the flow of data from the app, it found Care19 sends data to Foursquare, including a user's location, their advertising identifier (a unique code representing a specific phone) and the unique “citizen code” generated by the app.

Care19's maker, Tim Brookins of ProudCrowd, told The Washington Post that the app uses a Foursquare service called Pilgrim SDK to convert the location data it collects as latitude and longitude into the names of recognisable places.

“The Care19 application user interface clearly calls out the usage of Foursquare on our 'Nearby Places' screen, per the terms of our Foursquare agreement,” Mr Brookins wrote in an email. “We will be working with our state partners to be more explicit in our privacy policy.” (He also said it would clarify privacy policy language about how it shares data to conduct diagnostics.)

Mr Brookins said his app would stop sharing the users' code with Foursquare. “It is important to note that our agreement with Foursquare does not allow them to collect Care19 data or use it in any form, beyond simply determining nearby businesses and returning that to us,” he said.

Foursquare does “not financially benefit from free users like Care19”, said Ms Yu, the spokesperson. “Essentially, any data we might receive is immediately discarded.”

Foursquare does have a significant business in marketing tech. Other apps use Pilgrim SDK to help send targeted notifications and put users into marketing audience segments, such as “fitness fanatic” and “beauty enthusiast”, based on where they go.

Pierre Valade, chief executive of Jumbo, said Apple and Google have more explicit rules for the new category of virus-tracking apps that use special access to a phone's Bluetooth signals to help anonymously notify people that they may have been exposed to people who have Covid-19. The rules for these “exposure” apps say they are not allowed to collect any location data or the user's advertising identifier.

Mr Brookins says he's making a second version of the Care19 app that will do exposure notification and comply with Apple and Google's rules.

The Care19 oversight exposes a common privacy hole in apps: They contain code from hidden third-party tracking companies.

A study of the data flowing out of an iPhone encountered more than 5,400 trackers in a week. Some of them were gathering personal information while the user was asleep and the phone's screen was turned off.

Third-party software makes it easier for app companies to code quickly. But it also often feeds the personal data economy, used to target us for marketing and political messaging.

As governments develop these apps, they are going to need the resources to develop their own technology that doesn't rely on commercial surveillance companies - or more help from Apple and Google.

Last week, a group of Democrats in the House and Senate introduced the Public Health Emergency Privacy Act, which includes new provisions for enforcing the use of citizen data in apps to fight the coronavirus.

Senator Maria Cantwell of Washington state, the top Democrat on a key tech-focused committee, said apps need strong privacy protections in the fight against the coronavirus. “If it doesn't have a strong privacy framework, it will undermine consumer confidence,” she said.

The Washington Post
