Is it APPlicable: Privacy Concerns with Mobile Apps
Last October, I decided it was time to get into shape. Over the course of a year, I gained weight, going from 190 to about 225 pounds. It didn't feel good to be that big and my family has a history of diabetes, so I wanted to start shedding the extra weight. A coworker was also ready to drop some excess pounds so we have been working together to provide feedback, motivation and support. He also pointed me toward two great health apps, one that I use to count my calories and another I use to track my time and distance when I go for a run. I have been giving these apps a lot of health information while asking only for help in keeping myself disciplined enough to lose the weight I wanted.
What I didn't realize is that I might be losing a lot of my privacy in return for this help.
Recently the Federal Trade Commission's (FTC) mobile technology unit conducted a study on different health apps, including those that help with tracking exercise and dietary intake, and found that they shared information with third-party data collectors.
Does this mean I could be giving precious, private information about myself to people I don't know, in ways I wasn't aware of? That's scary to me, and the FTC is concerned as well. Jared Ho, the attorney in charge of the study, found that many of the health apps the FTC studied were collecting information on a person's Unique Device Identifier (UDID), media access control address (MAC address) and the International Mobile Station Equipment Identity (IMEI). You may not have heard of any of these parts of your mobile phone, but they are important for health information management.
Targeted data gathering
The UDID is a uniquely-generated, 40 character string of numbers and letters that identify an individual iPhone. It's very similar to the serial number that comes with products we purchase. Many app makers ask people to supply their UDID in order to be a part of beta testing. It also allows iPhone users to download apps from the App Store, receive push notifications, and post a score to the Game Center. It essentially lets people use their phones for what they need them to do.
Many apps can use this unique number to gather data on iPhone owners, allowing developers and companies to track usage and location in order to send targeted ads. While this may seem innocuous as a lot of companies gather data on us, it should be alarming because a UDID is supposed to be anonymous. Companies can use data gathered from other apps to piece together the identity of individual users.
This means that certain health apps can gather very sensitive information about someone and know who that person is, even though they should not be able to. Knowing this, what can be done to protect our health information?
Do apps offer any privacy protection?
Rohit Sethi, the VP of product development for Security Compass, a company that consults with health care companies about security, was concerned about how safe the information is when it is stored on our phones.
"The biggest risk to health care apps is improper protection of your health data. If your app stores the data on your device, for example, are you required to enter a password every time you open the app or can anybody who steals your device get access to the data? Even in the event that it is password protected, sophisticated thieves can use tools to access the internal data on the app," he said.
Be sure to check the security measures for the app you download. Sethi offers a couple of suggestions that apps can take to try and keep your information safer. "The best protection is for the app not to store any confidential data at all on the device but rather to send the data to a server over an encrypted connection. If that's not possible, the second best option is to store encrypted data on the device, although a sophisticated attacker might be able to find the keys used to decrypt it," Sethi said.
How can we protect ourselves?
Sethi also has suggestions that consumers can follow to help keep their information as safe as possible. The first is to "Become security savvy. Ask the app vendor about what controls they have in place to secure your data. For example, are they encrypting your confidential health data on their servers, or do they store it without protection on your device? Your most powerful tool is to use the feedback mechanism in Google Play/Apple's App Store: Give vendors with strong security controls positive feedback and give vendors with poor security controls negative feedback."
The second suggestion is for people to "Be weary of apps that ask for excessive permission. It's one thing when a social media app asks for permission to read all of your text messages and monitor all phone calls, it's another if your health care app is asking for sensitive data it doesn't need."
Dr. Yvette Tazeau,a licensed psychologist and the CEO and founder of a mobile technology company, pointed out the same concerns about mobile health apps that the FTC did in their report.
"Many mobile apps for health fail to consider the cornerstone of health care: confidentiality. These mobile apps often collect user data, sell the data, market to users, and track users for advertising purposes. They are also often connected to social media, and track a user's location," Dr. Tazeau explained.
She said in order to help combat this, people should do a little more digging into a company and what information they collect before downloading a health app.
Regulators mount up
As with most things in life, performing the proper due diligence when choosing a health care app can prevent a number of the dangers associated with using them. For all the convenience these apps provide, consumers should be careful that we are using them correctly, and are not sharing sensitive information we should not be sharing.
The FTC and the Food and Drug Administration currently have minimal regulatory powers over health care apps and may be looking to get a little bit more in order to help protect us from hackers and apps that sell our sensitive information. We also need to be diligent in protecting ourselves. We need to monitor the apps that are monitoring us. If we make sure the apps we use do not collect too much information or share what they collect, we can limit our exposure.
As Sethi sums it up, "Apps that ask for more permissions than they need are indicative of a development team that doesn't pay adequate attention to security, and that's particularly worrying for health care apps." For all the convenience these apps provide, consumers should be proactive and careful when deciding which apps to download and what information to share.
Interview with Dr. Yvette Tazeau, licensed psychologist and CEO/Founder of TikalBayTek, conducted by Jamar Ramos on May 23, 2014
Interview with Rohit Sethi, VP of Product Development at Security Compass, conducted by Jamar Ramos on May 26, 2014
"What Is A UDID and Why Is Apple Killing Apps That Track Them," Alex Heath, Cult of Mac, April 17, 2012, http://www.cultofmac.com/160248/what-the-hell-is-a-udid-and-why-is-apple-worried-about-them-feature/2/