How private is data on health and fitness apps?

By Aditi Pai

Mobile Security

Recently, MobiHealthNews wrote about the number of fitness app installs expected to grow to 248 million in 2017 from 156 million in 2012, a 60 percent rise. While more consumers are downloading health apps, one research firm suggests app users should be cautious about what personal information they're volunteering when they use those apps.

This week, Privacy Rights Clearinghouse released a study funded by the California Consumer Protection Foundation addressing the privacy risks of mobile health and fitness apps. The study analyzed privacy policies from December 2012 to June 2013 for 43 apps from the top 200 lists of Apple and Android app stores; 23 were free and 20 were paid.

The health and fitness apps in the report included mood apps, diabetes management apps, prescription medication shopping apps and pregnancy apps. All apps' privacy settings were analyzed from two vantage points: a consumer's perspective and a technical perspective.

When the report's authors analyzed the privacy policies of the apps, they found 74 percent of free apps and 60 percent of paid apps had a privacy policy in the app or on the developer's website, while the remaining percentage of apps had no privacy policy at all. For the apps that had a privacy policy on the developer's website, 43 percent of the free apps and 25 percent of the paid apps provided a link in the app to find it. The others required a user to search independently for the policy.

The report's authors identify their strong bias in favor of personal privacy, but do not intend to persuade consumers not to use the applications. Rather, the company intends to give consumers more information about what data apps collect and what they do with it.

"What we recommend is that users should just assume at the outset that in using a mobile application, everything they enter, both personal information and usage information, is going to the developer and also very likely to a number of unidentified third parties," Project Manager Linda Ackerman said in a webinar about the report. "So use cautiously and just be aware of your own comfort level about sharing the kind of information that an app is asking you to enter."

After studying where the data within apps went, the Clearinghouse found 39 percent of free apps and 30 percent of paid apps sent information to someone not disclosed by the developer in the app or the app's privacy policy. Further, only 13 percent of free apps and 10 percent of paid apps encrypted all data connections between the app and developer's website(s). One of the most stark contrasts between free and paid apps was whether apps shared user-generated personally identifiable information (PII) with advertisers -- 43 percent of free apps shared this information in contrast to only 5 percent of paid apps. Widespread dissemination of a user's PII can lead to identity theft, embarrassment or harm to the user's reputation, according to the report.

"If you are concerned about privacy, particularly avoid applications with embedded advertising and use only paid applications," Ackerman said. "If you can, some applications let you test the app first without entering PII, your personally identifiable information, so if you have that option you can try the app out and see how it feels to you first."

Due to price constraints, the Clearinghouse only analyzed paid apps that ranged from $1.50 to $20 and didn't include apps that required additional measuring devices like pedometers, weight scales or glucose meters.
