Truth: Who actually reads the permissions for every app before agreeing to them?
Turns out that, unlike every other entity that collects your health information and makes you read privacy policies ad nauseum, apps do not generally have to abide by federal health privacy laws. And many health apps are taking advantage of that to share sensitive health information with advertisers and other third parties, according to a new study in The Journal of the American Medical Association.
“It’s very troubling.” says lead author and lawyer Sarah Blenner, a project manager at the UCLA Fielding School of Public Health.
Blenner led the project when she was at the Illinois Institute of Technology’s Chicago-Kent College of Law, and focused on diabetes apps because diabetes and consumer privacy were the two major areas of concern for her team.
The researchers found even the apps that had privacy policies didn’t do much to safeguard privacy. Eighty percent of the privacy policies authorized the app to collect sensitive health information, and nearly half the policies authorized the app to share personal health data with third parties.
To find out whether the apps actually shared all this information, Blenner and her colleagues conducted a sort of covert op.
After they examined permissions and privacy policies for all 211 diabetes apps available on Android over a period of six months, researchers chose a random subset of 65 apps they monitored surreptitiously to find how they used people’s personal health information.
More than 75 percent of the apps in the subset — both those with privacy policies and those without — routinely collected and shared the sensitive health data, such as blood glucose and insulin levels. Once the app shared the information, Blenner and her colleagues couldn’t follow where it went next, but she says at that point, it could continue to be shared and sold multiple times.
Further, the apps could have been sweeping up wide swaths of personal information, depending on what the user was tracking: food and exercise, perhaps, or useful websites and doctors.
“All of that can be shared or leaked with third parties,” Blenner says. “Once your health information gets leaked, anyone can access it and you no longer have control.”
Equally startling was the range of activities the apps were authorized to conduct inside the user’s phone. These activities were embedded in the permissions users have to agree to in order to download the app. Of the 211 apps, 64 precent were authorized to modify or delete any of the content stored on your phone.
And a creepy fraction of the apps — 11 percent or less — were authorized to turn on your phone’s camera and take pictures and videos, call and modify your contacts, read or write your call log, and record your phone calls. One of the apps using these creepy permissions sounds otherwise bland; Blenner says it offered recipes as its only content.
While the study looked at a limited subset of health apps, it points to glaring deficiencies in privacy law and troubling practices that any health app can legally participate in.
As the study summed it up, health professionals should consider privacy implications before they recommend a health app, and patients cannot generally assume their health information is private once they enter it into an app.
In other words, while your doctors and other health professionals are generating reams of paperwork to protect your sensitive health information, that same information on your phone could be streaming off to who knows where.