Health Tech, Health IT

Study: Most health apps designed to capture personal data

About 88% of health apps are built with the ability to collect and share user data, according to a study published last week in the BMJ. Most of these codes for data collection are for third-party services, such as ads or analytics. 

Privacy concerns are nothing new to the world of mobile apps. Past research has highlighted a multitude of privacy concerns, including Covid-19 apps sharing data with advertising and analytics firms, or period-tracking apps sharing sensitive health data without users’ consent, though it’s been difficult to quantify the full scope of the problem.

An analysis of more than 20,000 health apps looks to paint a clearer picture. The vast majority of health apps, about 88% of them, were built with the ability to collect or share user data, according to a study recently published in the BMJ. 

On top of that, less than half of the apps shared user data in a manner that was consistent with their privacy policy, and about 28% of the apps didn’t provide a privacy policy at all.

Researchers wrote that they “found serious problems with privacy and inconsistent privacy practices” in mobile health apps, and advised clinicians to articulate the risks and benefits to patients.

The study was led by a group of researchers at Macquarie University in Sydney, who looked at more than 20,000 Android apps, ranging from calorie counters to symptom checkers to medical apps. They looked at each app’s code for functions and permissions that would allow them to collect users’ data. Generally, health and fitness apps were more likely to include the ability to collect and share user data than medical apps.

Still, a significant percentage of all health apps were coded with the ability to collect data that could be used to build online profiles of users. For example, more than 60% of health apps had the ability to collect MAC identifiers and cookies, which can be used to identify users across different apps and websites. Roughly a third collected users’ email addresses, and a quarter could collect their cell tower location.

The majority of these codes for data collection were related to third-party services, such as Google Analytics, Google Ads, Github or Facebook. In fact, Google services alone accounted for more than a third of data collection operations in the apps’ code, according to the study.

The researchers also analyzed nearly 16,000 apps to see what personal user data they actually transmitted. About 4% of the health apps were sending user data to the Internet, such as a user’s name or location, and most of them were health or fitness apps.

Although this percentage is much smaller than the number of apps coded with the ability to collect user data, the authors of the study cautioned that some transmissions of user data might not have been captured by their testing.

“This percentage is substantial and should be taken as a lower bound for the real data transmissions performed by the apps,” they wrote.

Another worrying number: a significant percentage of these data transmissions, roughly 23%, did not use secure communication protocols. For example, unencrypted information about a user’s password of GPS location might be shared.

“Our results show that the collection of personal user information is a pervasive practice in mHealth (mobile health) apps, and not always transparent and secure,” the researchers wrote. “Patients should be informed on the privacy practices of these apps and the associated privacy risks before installation and use.”

Photo credit: David Tran, Getty Images