Among health-related apps, the practice of sharing user data is “routine” and legal -- however, the lack of transparency about the practice puts consumers’ privacy at risk, the authors of a new study claim.
The study looked at 24 popular, interactive medicine-related apps for Android devices. Of the apps sampled, 19 (or 79 percent) shared user data with third parties, which then shared it with "fourth parties."
"Most health apps fail to provide privacy assurances or transparency around data sharing practices," said lead author Quinn Grundy.
Lack of informed consent
First and third parties shared the most user information with Amazon and Alphabet (the parent company of Google), with 24 unique transmissions.
“Fourth parties” -- which included multinational technology companies, digital advertising companies, telecommunications corporations, and a consumer credit reporting agency -- received the most unique user data. Only three of the 216 fourth parties were identified as belonging to the health sector.
The researchers point out that the identify of a user could be uncovered by looking at certain pieces of data, such as their device’s unique address.
"The semi-persistent Android ID will uniquely identify a user within the Google universe, which has considerable scope and ability to aggregate highly diverse information about the user," the study authors wrote.
The findings suggest a need on the part of privacy regulators to “consider that loss of privacy is not a fair cost for the use of digital health services," Grundy said.
Health professionals "should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent,” the researchers concluded.
The full study has been published online in the BMJ.