An independent investigation of worldwide COVID-19 mobile apps found that several widely-used apps pose privacy risks to worldwide users.
The International Digital Accountability Council’s (IDAC) investigation, conducted over the last two months, reviewed 108 global COVID-19 mobile apps across 41 countries to understand whether consumer personal data is being used responsibly.
The investigators analyzed how apps collect personal data, what data the apps collect, what third parties receive data from these apps and other data issues, to identify concerning practices with app users’ reasonable expectations, privacy laws, and platform policies.
While IDAC’s team did not find egregious or willful developer misconduct, the investigation revealed several instances in which apps fell short of best privacy practices and posed potential risks to users.
“If responsible steps to rein in the pandemic and reopen our devastated economy require changes in how much information people share about their health and movements, the public should be able to trust that their data will be used responsibly,” said Quentin Palfrey, President of IDAC.
“Smartphone apps offer promising tools for collecting data about users’ contacts and sharing that information with public health authorities. Our analysis shows that many of these tools employ good privacy and security measures, but that some apps did not follow best practices relating to transparency, security, and data-sharing with third parties.”
With COVID-19 apps offering a range of services, IDAC divided its investigations into four categories based on the apps’ main functions and descriptions in the Google Play Store: contact tracing, telehealth, symptom checkers and quarantine administration.
The International Digital Accountability Council is an independent watchdog created to improve digital accountability through international monitoring, investigation, education and collaboration with online applications and platforms. This report was developed in partnership with the Future of Privacy Forum, Good Research, App Census, and the German Marshall Fund of the United States.
KEY FINDINGS
Below are the key findings of the investigation, broken down by the four broad subject areas.
Contact Tracing
Contact tracing is a disease control measure that public health officials deploy to help determine the spread of the virus, as well as prevent further spread. Contact tracing apps work by using location to identify and notify those that have been exposed to an infected individual.
IDAC’s investigations team analyzed 23 contact tracing apps. A few concerns IDAC’s investigation team identified:
- A significant number of these apps lack transparency around their privacy practices. Two apps in Africa (the privately-owned Kenya Covid-19 Tracker and government-issued NICD COVID-19 Case Investigation) do not have a privacy policy posted in the Google Play Store, which is a violation of Google’s Developer Policies.
- Of the 23 contact tracing apps, less than 20 percent explicitly mention or inform users if their personal data is anonymized.
- Roughly half of the contact tracing apps analyzed requested potentially intrusive permissions. However, the findings reveal that these permissions may be used for legitimate purposes (e.g., the US privately owned app, Healthy Together – COVID 19, requests “read contacts” but further research reveals this is done so users can share the app with friends). However, we remain concerned about potentially intrusive permissions having the potential for misuse.
- A few apps were using Software Development Kits (SDK). It was not always clear whether these SDKs were actively enabling data to flow to third parties without the user’s consent. It is possible that, in some cases, developers were simply using tools that have default SDKs embedded. However, we believe that the presence of SDKs is sufficient to warrant further scrutiny because of their inherent data-sharing and collection practices. Developers have a responsibility to understand how third-party SDKs function within their apps, even when the SDKs are included unintentionally.
- We found one app (privately-owned COVID-19 Tracker by Medinin in India) that had unsecure transmissions, meaning that the user’s personal data could be exposed to cyber attacks. The transmissions we found included the users’ geolocation and phone number.
You can read a full breakdown of the investigation into the 22 contact tracing apps and policy recommendations to address these issues here.
Telehealth
Telehealth apps are used by individuals who are seeking COVID-19 healthcare treatment or services via their mobile device.
IDAC’s investigations team analyzed 20 telehealth apps. Our investigation findings reinforce that these telehealth apps typically act in ways that align with user’s privacy expectations. A few concerns IDAC’s team identified:
- Three privately-owned apps, 98point6, Kinsa for Wireless Smart Thermometers and Kencor COVID-19, are sharing user data with third parties including Google, Crashlytics, and Branch.io.
- Two U.S. based apps, Kencor COVID-19 and 98point6, collect the Android Advertising ID (AAID), an identifier that is used for advertising purposes.
- We found the presence of advertising SDKs. While it was not always clear whether these SDKs were actively enabling data to flow to third parties without the user’s consent. It is possible that, in some cases, developers were simply using tools that have default SDKs embedded. However, we believe that the presence of SDKs is sufficient to warrant further scrutiny because of their inherent data-sharing and collection practices. Developers have a responsibility to understand how third-party SDKs function within their apps, even when the SDKs are included unintentionally.
You can read a full breakdown of the investigation into the 20 telehealth apps and policy recommendations to fix these issues here.
Symptom Checkers
Symptom checker apps are used by individuals to determine if they may have coronavirus. Individuals record their personal information and any symptoms they may be experiencing in hopes of gaining a preliminary diagnosis or more information about what next steps and treatment options are available.
IDAC’s investigations team analyzed 60 symptom checker apps. Our findings reveal that, while these apps typically act in ways that align with user’s privacy expectations, there is much room for improvement to data-sharing transparency, security, and the use of SDKs. A few concerns IDAC’s team identified:
- The majority of symptom checker apps analyzed were not transparent about third-party sharing practices. Most of these apps do not inform users that they share their data, nor do they make it clear exactly which information is being shared.
- Six apps, including the Centers for Disease Control and Prevention’s app developed by the United States government, were observed sending insecure transmissions leaving users open to an array of malicious cyber attacks. The Centers for Disease Control and Prevention’s transmissions did not include personal data, but we observed data about the device (e.g., mobile carrier and operating system) being transmitted.
- Only five apps disclosed that they encrypted the data and only two apps informed users that they will anonymize their data. Our investigations team anticipated seeing more transparency from this group of apps.
- We found the presence of advertising and analytics SDKs. While it was not always clear whether these SDKs were actively enabling data to flow to third parties without the user’s consent. However, we believe that the presence of SDKs is sufficient to warrant further scrutiny because of their inherent data-sharing and collection practices. Developers have a responsibility to understand how third-party SDKs function within their apps, even when the SDKs are included unintentionally.
- Roughly half of the apps we tested requested permissions that have the potential to be invasive.
You can read a full breakdown of the investigation into the 60 symptom checker apps and policy recommendations to fix these issues here.
Quarantine Administration
Quarantine apps are used in countries where governments are strictly enforcing quarantine and social distancing rules. These governments largely use these mobile apps to track the location of citizens and to ensure they are not interacting with others.
IDAC’s investigations team analyzed 11 quarantine administration apps. These apps were developed in Saudi Arabia, Russia, Poland, Colombia, India and Nepal with ninety percent being created by government entities.
Our findings reveal no harmful misconduct, but there are concerns around the potential for surveillance abuse.
You can read a full breakdown of the investigation into the 11 quarantine administration apps and policy recommendations to fix these issues here.