Truth: Who actually reads the permissions for every app before agreeing to them?

Turns out that, unlike every other entity that collects your health information and makes you read privacy policies ad nauseum, apps do not generally have to abide by federal health privacy laws. And many health apps are taking advantage of that to share sensitive health information with advertisers and other third parties, according to a new study in The Journal of the American Medical Association.

The study found it was rare that people who downloaded any of the diabetes apps studied could exert control over how it used their private health information. Only four of 211 apps said they would ask users for permission to share data. And 81 percent of the apps had no privacy policy at all.

“It’s very troubling.” says lead author and lawyer Sarah Blenner, a project manager at the UCLA Fielding School of Public Health.

Blenner led the project when she was at the Illinois Institute of Technology’s Chicago-Kent College of Law, and focused on diabetes apps because diabetes and consumer privacy were the two major areas of concern for her team.

The researchers found even the apps that had privacy policies didn’t do much to safeguard privacy. Eighty percent of the privacy policies authorized the app to collect sensitive health information, and nearly half the policies authorized the app to share personal health data with third parties.

To find out whether the apps actually shared all this information, Blenner and her colleagues conducted a sort of covert op.

After they examined permissions and privacy policies for all 211 diabetes apps available on Android over a period of six months, researchers chose a random subset of 65 apps they monitored surreptitiously to find how they used people’s personal health information.

More than 75 percent of the apps in the subset — both those with privacy policies and those without — routinely collected and shared the sensitive health data, such as blood glucose and insulin levels. Once the app shared the information, Blenner and her colleagues couldn’t follow where it went next, but she says at that point, it could continue to be shared and sold multiple times.

Further, the apps could have been sweeping up wide swaths of personal information, depending on what the user was tracking: food and exercise, perhaps, or useful websites and doctors.

“All of that can be shared or leaked with third parties,” Blenner says. “Once your health information gets leaked, anyone can access it and you no longer have control.”

Equally startling was the range of activities the apps were authorized to conduct inside the user’s phone. These activities were embedded in the permissions users have to agree to in order to download the app. Of the 211 apps, 64 precent were authorized to modify or delete any of the content stored on your phone.

And a creepy fraction of the apps — 11 percent or less — were authorized to turn on your phone’s camera and take pictures and videos, call and modify your contacts, read or write your call log, and record your phone calls. One of the apps using these creepy permissions sounds otherwise bland; Blenner says it offered recipes as its only content.

While the study looked at a limited subset of health apps, it points to glaring deficiencies in privacy law and troubling practices that any health app can legally participate in.

As the study summed it up, health professionals should consider privacy implications before they recommend a health app, and patients cannot generally assume their health information is private once they enter it into an app.

If you do want to find a health app’s privacy policy, fair warning that it’s apparently not always easy. Blenner says some privacy policies were included in the description of the app, others made you click on a link to read the policy, and still others the researchers found only by figuring out who developed the app and going to the developer’s website.

In other words, while your doctors and other health professionals are generating reams of paperwork to protect your sensitive health information, that same information on your phone could be streaming off to who knows where.

Author

Kat Snow

Kat is a 25-year veteran of public broadcasting and an award-winning reporter and editor. She's been at KQED since 2002, and before that was a reporter and news director at KUER in Salt Lake City, and a freelance reporter in Oregon. She's written for Newsweek and The Atlantic, in addition to her public radio credits. She also coaches reporters and others in embodied narration and public speaking. Outside of radio, Kat loves conscious dance and is a Certified Teacher of Soul MotionTM.

Sponsored by

Become a KQED sponsor