Mobile health apps can help consumers track important health data, from heart rate to blood sugar levels, but users need to “be informed on the associated privacy risks before installation,” according to the authors of a study published Wednesday by The BMJ.
Although health apps collect less user data than other types of mobile apps, nearly 90 percent of the more than 20,000 evaluated in the study still had access to users’ personal data and potentially could share such data.
Just under 90 percent of the apps’ data collection operations and 56 percent of user data transmissions were on behalf of third-party services, such as external advertisers, analytics and tracking providers, the data showed.
In addition, nearly one-fourth of all data transmissions performed by the apps in the analysis occurred on insecure communication channels.
“Clinicians and patients alike should be very careful when deciding to use [mobile health] apps, whether it is for management of health conditions and symptom checking or other purposes,” study co-author Muhammad Ikram said in an email.
“The vast majority of these apps could not only access but also would potentially share personal data with other parties [and] a large fraction of them also access some data that is not necessarily useful for their original purpose,” including location data, said Ikram, a lecturer in cybersecurity and computing at Macquarie University in Australia.
Up to 90 percent of smartphone owners in the United States have used mobile health and fitness apps in the past year, according to data from EMarketer.
Apps used range from step counters for personal fitness to blood sugar and blood pressure monitors, as well as those designed to track women’s menstrual cycles.
Of the 2.8 million apps available on Google Play and the 1.96 million apps in the Apple Store, nearly 100,000 are listed in medical and health and fitness categories, the researchers said.
SHARING USER DATA
App developers routinely, and legally, share user data, but often employ inadequate privacy disclosures that prevent consumers from making informed choices, they said.
For this study, the researchers identified more than 15,000 free mobile health apps in the Google Play store and compared their privacy practices with a random sample of more than 8,000 non-health apps.
About two-thirds of the apps included in the study collect advertising identifiers or “cookies,” while one-third capture users’ email addresses, the data showed.
In addition, about one in four identifies the mobile phone tower to which a user’s device is connected, potentially providing information on their location.
Although only 4 percent of apps in the study actually transmitted data such as user names and location information, the researchers called this percentage substantial and said it should be taken as a baseline for the number of transmissions actually performed by the apps.
Just under 88 percent of data collection operations and 56 percent of user data transmissions by these apps were done on behalf of third-party services and 23 percent occurred on insecure communication channels, the data showed.
Large companies, including Google, Facebook, and Yahoo!, were responsible for nearly 70 percent of the third-party data collection.
Only 1.3 percent of user reviews, however, raised concerns about privacy, they said.
Based on their findings, the researchers describe apps’ collection of personal user information as “a pervasive practice” that requires “greater scrutiny, regulation and accountability.”
“Overall, data collection practices of health apps were far from transparent and secure, and its scope was beyond what is publicly disclosed by app developers in their privacy policies,” Ikram said.
“The key issue is that it is unclear how this data is being used and whether or not it is protected as it should be,” he said.