Sharing of user data by popular mobile health apps is routine, yet far from transparent, according to new research published in The BMJ.
App developers routinely, and legally, share user data. But new evidence suggests that many health apps fail to provide privacy assurances around data sharing practices, and pose unprecedented risk to consumers' privacy, given their ability to collect sensitive and personal health information, according to researchers.
This prompted a team led by Assistant Professor Quinn Grundy at the University of Toronto to examine whether and how user data are shared by popular medicines-related mobile apps and to characterize privacy risks to app users, both clinicians and consumers.
For the study, researchers identified 24 top-rated medicine-related apps for the Android mobile platform in the U.S., U.K., Canada, and Australia. All apps were available to the public, provided information about medicines dispensing, administration, prescribing, or use, and were interactive.
After downloading each app onto a smartphone and using four “dummy” user profiles to simulate real-world use, researchers found that 19 of the 24 (79 percent) sampled apps shared user data outside of the app.
A total of 55 unique entities, owned by 46 parent companies, received or processed app user data, including developers and parent companies (first parties) and service providers (third parties).
Network analysis revealed that first and third parties received an average of three unique transmissions of user data. Both Amazon.com and Alphabet (the parent company of Google) received the highest volume of user data (24 unique transmissions), followed by Microsoft (14).
As such, the researchers noted that regulators “should emphasize the accountabilities of those who control and process user data, and health app developers should disclose all data sharing practices and allow users to choose precisely what data are shared and with whom.”