Data sharing in health apps ‘far from transparent’, BMJ research warns

  • 28 March 2019
Data sharing in health apps ‘far from transparent’, BMJ research warns

Data sharing in popular health apps is “far from transparent” and developers need to allow users to choose precisely what data is shared, experts have warned.

Out of 24 apps tested 19 shared data with outside companies, such as Google and Amazon, research published in the BMJ found.

Researchers warned the data could then be passed onto other parties, like advertising and credit agencies.

Regulators should emphasise the accountabilities of those who control and process user data, and developers should disclose all data sharing practices, they wrote in the journal.

App developers legally and routinely share data but evidence suggest many fail to provide privacy assurances around how they share the data.

This poses unprecedented risk to a users privacy, given the sensitive personal information the apps usually collect.

Researchers led by assistant professor Quinn Grundy, of the University of Toronto, investigated how user data is shared by health apps and the privacy risks to users and clinicians.

They identified the 24 top rated apps for Android in the United Kingdom, United States, Canada and Australia.

All were available to the public, provided information about medicines dispensing, administration, prescribing, or use, and were interactive.

Researchers downloaded each app and used four dummy user profiles to simulate real-world use.

They ran each app 14 times and found baseline traffic relating to 28 different types of user data.

They then altered one source of user information and ran the app again to detect if any sensitive information was sent to a remote server outside of the app.

Companies receiving sensitive user data were then identified by their IP address, and their websites and privacy policies were analysed.

Some 79% (19) of the sampled apps shared data outside of the app.

A total of 55 unique entities, owned by 46 parent companies, received or processed app user data, including developers and parent companies – first parties – and service providers – third parties.

Of these, 33% provided infrastructure services like cloud and 67% provided services related to the collection and analysis of user data, including analytics or advertising, suggesting heightened privacy risks.

Both Amazon.com and Alphabet – the parent company of Google, received the highest volume of user data, followed by Microsoft.

Third parties also advertised the ability to share user data with 216 “fourth parties” including multinational technology companies, digital advertising companies, telecommunications corporations and a consumer credit reporting agency.

Only three of these fourth parties could be characterised predominantly as belonging to the health sector.

Several companies, including Alphabet, Facebook, and Oracle, occupied central positions within the network with the ability to aggregate and re-identify user data

But it is unknown whether iOS apps share user data, like the Android apps tested, and whether those tested share user data more or less than other health apps.

Researchers say their findings still suggest that health professionals “should be conscious of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent”.

Privacy regulators should also consider that loss of privacy is not a fair cost for the use of digital health services, they concluded.

Subscribe to our newsletter

Subscribe To Our Newsletter

Subscribe To Our Newsletter

Sign up

Related News

ORCHA reports significant and sustained interest in digital health products

ORCHA reports significant and sustained interest in digital health products

Demand for digital health products soared during the pandemic as patients looked to manage their own care – and interest remains strong in post-lockdown Britain.
Industry news in brief

Industry news in brief

The latest industry news round up from Digital Health features news of a collaboration to export innovative UK health tech companies.
NHSX launches criteria to streamline assessment of digital health tools

NHSX launches criteria to streamline assessment of digital health tools

NHSX's Digital Technology Assessment Criteria applies to all digital health technologies and aims to streamline the selection of tools for patients.