As governments build coronavirus-tracking smartphone tech, who is making sure their apps live up to privacy promises?
A new analysis of one of the first of a handful of U.S. contact-tracing apps, North and South Dakota's Care19, finds it violates its own privacy policy by sharing location and other personal data with an outside company. The review was published Thursday by privacy-software maker Jumbo.
The study suggests that state officials and Apple, both of which were responsible for vetting the app before it became available April 7, were asleep at the wheel. Americans are especially wary of location and health data, and privacy violations of any degree will hamper efforts to use smartphones both to trace contact and to provide exposure notifications.
The states turned to North Dakota app maker ProudCrowd to make Care19. ProudCrowd, which did not charge the states for the app development, confirmed to The Washington Post that some data from its iPhone app goes to Foursquare, a prominent location-data provider for marketers - but says it is not used for commercial purposes. (The Google Android version of Care19 uses Foursquare in a way that obscures the data, ProudCrowd said.) Still, ProudCrowd says it plans to change Care19's privacy policy and will share less data in the future.
"Should this have been vetted? Yes. We are following up on that as we speak," said Vern Dosch, North Dakota's contact-tracing facilitator. "We know that people are very sensitive." Health officials in South Dakota did not immediately reply to requests for comment.
Apple said it was investigating the report, and if it finds that an app is out of compliance it works with the developer to get it into compliance.
Foursquare does not "use the data in any way, and it is promptly discarded," said spokeswoman Jennifer Yu.
Health authorities are moving fast to build coronavirus apps, often with limited technical resources. They're relying on commercial tracking companies and murky privacy protections - and under those conditions, it's not clear whether consumers should trust them.
The Care19 app is upfront that its main purpose is to voluntarily collect location data. (It's different from a new set of apps that use Bluetooth technology from Apple and Google to provide anonymous exposure alerts without collecting location data.) Care19 calls itself a "digital diary" to help people remember where they've been over the previous 14 days so that they can retrace their steps and the people they've been in contact with, should they contract the novel coronavirus, which causes the disease covid-19.
If users do test positive, the app lets them volunteer to share their location data with the state's health department to assist in its efforts to slow the spread of the virus.
But Care19's privacy policy says the location data is "private to you" and is "stored securely" on servers belonging to ProudCrowd. Location "will not be shared with anyone including government entities or third parties," it says.
That's where the privacy review by Jumbo finds the app falling short. Tracing the flow of data from the app, it found Care19 sends data to Foursquare, including a user's location, his advertising identifier (a unique code representing a specific phone) and the unique "citizen code" generated by the app.
Care19's maker Tim Brookins of ProudCrowd told The Post that the app uses a Foursquare service called Pilgrim SDK to convert the location data it collects as latitude and longitude into the names of recognizable places.
"The Care19 application user interface clearly calls out the usage of Foursquare on our 'Nearby Places' screen, per the terms of our Foursquare agreement," Brookins wrote in an email. "We will be working with our state partners to be more explicit in our privacy policy." (He also said it would clarify privacy policy language about how it shares data to conduct diagnostics.)
Brookins said his app would stop sharing the users' code with Foursquare. "It is important to note that our agreement with Foursquare does not allow them to collect Care19 data or use it in any form, beyond simply determining nearby businesses and returning that to us," he said.
Foursquare does "not financially benefit from free users like Care19," said Yu, the spokeswoman. "Essentially, any data we might receive is immediately discarded."
Foursquare does have a significant business in marketing tech. Other apps use Pilgrim SDK to help send targeted notifications and put users into marketing audience segments, such as "fitness fanatic" and "beauty enthusiast," based on where they go.
Jumbo chief executive Pierre Valade said Apple and Google have more-explicit rules for the new category of virus-tracking apps that use special access to a phone's Bluetooth signals to help anonymously notify people that they may have been exposed to people who have covid-19. The rules for these "exposure" apps say they're not allowed to collect any location data or the user's advertising identifier.
Brookins says he's making a second version of the Care19 app that will do exposure notification and comply with Apple and Google's rules.
The Care19 oversight exposes a common privacy hole in apps: They contain code from hidden third-party tracking companies. A study of the data flowing out of a Washington Post iPhone encountered more than 5,400 trackers in a week. Some of them were gathering personal information while the user was asleep and the phone's screen was turned off.
Third-party software makes it easier for app companies to code quickly. But it also often feeds the personal data economy, used to target us for marketing and political messaging.
As governments develop these apps, they're going to need the resources to develop their own technology that doesn't rely on commercial surveillance companies - or more help from Apple and Google.
Last week, a group of Democrats in the House and Senate introduced the Public Health Emergency Privacy Act, which includes new provisions for enforcing the use of citizen data in apps to fight the coronavirus.
Sen. Maria Cantwell of Washington state, the top Democrat on a key tech-focused committee, said apps need strong privacy protections in the fight against the coronavirus. "If it doesn't have a strong privacy framework, it will undermine consumer confidence," she said.