- Mobile health applications have "serious problems" with privacy, according to a new analysis of more than 20,000 health-related mobile apps published Wednesday in the BMJ.
- Researchers found though mobile health apps collected less user data than other types of apps, 88% still had access to and could potentially share user data. About two-thirds could collect advertising identifiers or cookies, one-third could collect a user's email address and a quarter could identify the phone tower connected to a user's device, yielding information on the user's location.
- Only 4% of mobile health apps analyzed actually transmitted data to third parties, but the study authors said that percentage is still substantial, and is likely a lower bound of how much data is actually shared in the real world. Collection of personal user information is "a pervasive practice," and patients "should be informed on the privacy practices of these apps and the associated privacy risks before installation and use," researchers concluded.
Of the 2.8 million apps on Google Play and the 1.96 million apps on Apple Store, roughly 100,000 are estimated to belong in the medical, health and fitness categories. Such apps, which has seen utilization steadily rise, can help users manage health conditions or track symptoms, among other tasks.
As such, they often contain highly sensitive medical information — and, as the new study shows, share it with others for business purposes. The practice with informed consent is generally legal, but inadequate or confusing privacy disclosures may be making it tricky for users to know the implications that use could have on their data.
In the study, researchers at Macquarie University in Australia identified more than 20,000 free mobile health apps and compared their privacy practices with a random sample of more than 8,000 non-health-related apps.
They found the large majority of apps were basically designed to track user information, though just a handful shared it. But the data transmitted was mostly sent to external parties, not shared internally: Almost 88% of data collection operations and 56% of user data transmission was on behalf of a third party, like advertisers. The top 50 third parties were responsible for the majority (68%) of data collections, and were most commonly tech companies like Google and Facebook.
Almost a quarter of user data transmissions took place over insecure communication channels.
Though just 4% of apps actually transmitted data, researchers noted they only measured transmission for three minutes while automatically running the app.
That could be why the study resulted in a lower prevalence of data sharing than other smaller, more in-depth analyses, such as one from 2019 finding 92% of apps for depression and smoking cessation transmitted data to a third party; and another from the same year finding 79% of the top-rated health apps for Android devices shared user data with third parties.
"This analysis found serious problems with privacy and inconsistent privacy practices in mHealth apps," researchers said. "Clinicians should be aware of these and articulate them to patients when determining the benefits and risks of mHealth apps."
However, the status quo for privacy in health apps means it's almost impossible to inform clinicians or consumers about choosing one that protects their privacy, Canadian researchers wrote in an editorial on the study. Consumers can make it more difficult to be tracked by disabling advert identifiers or adjusting app permissions, but the apps themselves likely need more oversight.
"We must also advocate for greater scrutiny, regulation, and accountability on the part of key players behind the scenes — the app stores, digital advertisers, and data brokers — to address whether these data should exist and how they should be used, and to ensure accountability for harms that arise," they said.