Patients should be informed
Media release from BMJ
An in-depth analysis of more than 20,000 health related mobile applications (mHealth apps) published by The BMJ today (16 June 2021) finds “serious problems with privacy and inconsistent privacy practices.”
The researchers say the collection of personal user information is “a pervasive practice” and that patients “should be informed on the privacy practices of these apps and the associated privacy risks before installation and use.”
Of the 2.8 million apps on Google Play and the 1.96 million apps on Apple Store, an estimated 99,366 belong to medical and health and fitness categories (known collectively as mobile health or mHealth apps).
They include the management of health conditions and symptom checking to step and calorie counters and menstruation trackers and often contain sensitive health information.
App developers routinely, and legally, share user data, but inadequate privacy disclosures have been repeatedly found for many mHealth apps, preventing users from making informed choices around the data.
To explore this further, researchers at Macquarie University, which leads the CRE in Digital Health, identified more than 15,000 free mHealth apps in the Google Play store and compared their privacy practices with a random sample of more than 8,000 non-health apps.
They found that while mHealth apps collected less user data than other types of mobile apps, 88% could access and potentially share personal data.
For example, about two thirds could collect advert identifiers or cookies, one third could collect a user’s email address, and about a quarter could identify the mobile phone tower to which a user’s device is connected, potentially providing information on the user’s geolocation.
Only 4% of mHealth apps actually transmitted data (mostly user’s name and location information). However, the researchers say this percentage is substantial and should be taken as a lower bound for the real data transmissions performed by the apps.
What’s more, 87.5% of data collection operations and 56% of user data transmissions were on behalf of third party services, such as external advertisers, analytics, and tracking providers, and 23% of user data transmissions occurred on insecure communication channels.
The top 50 third parties were responsible for most (68%) of the data collection operations, which most commonly were a small number of tech corporations, including Google, Facebook, and Yahoo!
The researchers also found that 28% (5,903) of the mHealth apps did not offer any privacy policy text, and at least 25% (15,480) of user data transmissions violated what was stated in the privacy policies. Yet only 1.3% (3,609) of user reviews raised concerns about privacy.
They conclude: “This analysis found serious problems with privacy and inconsistent privacy practices in mHealth apps. Clinicians should be aware of these and articulate them to patients when determining the benefits and risks of mHealth apps.”
Co-author Associate Professor Shlomo Berkovsky from the Australian Institute of Health Innovation, Macquarie University and Associate Investigator on the CRE in Digital Health, is available for comment. Please contact chrissy.clay@mq.edu.au
Read the journal article here: https://www.bmj.com/content/373/bmj.n1248
This story was covered in the media including by The Guardian, the Daily Mail UK and Bloomberg.
The Guardian: Nine out of 10 health apps harvest user data, global study shows
Funding: Optus Macquarie University Cyber Security Hub; National Health and Medical Research Council (NHMRC)
This was a joint work with the following researchers from Optus Macquarie University Cyber Security Hub and the Australian Institute of Health Innovation, Macquarie University:
- Gioacchino Tangari – Postdoctoral Research Fellow, Optus Macquarie University Cyber Security Hub
- Muhammad Ikram – Lecturer, Optus Macquarie University Cyber Security Hub
- Kiran Ijaz – Postdoctoral Research Fellow, Australian Institute of Health Innovation, Macquarie University
- Mohamed Ali Kaafar – Professor, Optus Macquarie University Cyber Security Hub
- Shlomo Berkovsky – Associate Professor, Australian Institute of Health Innovation, Macquarie University