COVID-19 apps on the rise, but new investigation shows questionable privacy practices

An International Digital Accountability Council report is the latest suggesting that a number of COVID-19 apps are missing key security measures.
By Laura Lovett
03:12 pm

(Photo by Sean Gallup/Getty Images)

Scores of startups, health systems and even governments have scrambled to address COVID-19 by creating new digital tools for patients. However, these tools may have some gaps when it comes to securing users' privacy data, according to a report by newly formed group the International Digital Accountability Council (IDAC)

The organization, which is made up of lawyers, technologists and privacy professionals, zeroed in on 108 apps from across the globe. The investigation dug into four areas of digital health: contact tracing tools, telehealth, symptom checkers and quarantine administration. 

Researchers looked at 23 contact-tracing apps and found that only 20% of those apps had an explicit mention of whether personal data is anonymized. While a few apps used a Software Development Kit, the report said that it was unclear if the data from these was shared with a third party without consent. 

“Smartphone apps offer promising tools for collecting data about users’ contacts and sharing that information with public health authorities,” Quentin Palfrey, president of IDAC, said in a statement about the findings. “Our analysis shows that many of these tools employ good privacy and security measures, but that some apps did not follow best practices relating to transparency, security and data-sharing with third parties.”

In terms of telehealth, overall the report found that these apps didn’t collect a significant amount of personal data. However, it did report that big names in the field, including 98point6 and Kinsa, are sharing their users’ data with affiliates.

98point6 clarified with MobiHealthNews that the their medical affiliate is who they share data with not a third party. 

On the whole, the report found symptom checkers to be in line with their users' privacy expectations. However, there was a lack of transparency regarding third-party sharing practices. The report also indicated that several apps, including the CDC’s app, sent insecure transmissions that could lead to malicious cybersecurity attacks. 

The report found no major misuse related to quarantine apps, which are employed when a government is enforcing strict coronavirus-related lockdown measures. However, researchers did note the potential for surveillance abuse in the future. 


Digital technologies have been used to tackle everything from low-contact patient treatment to hot spot tracking. But this isn’t the first source to bring up potential pitfalls in these technologies.

In particular, tracing apps have been under the microscope. In May, a review published by the Ada Lovelace Institute in the United Kingdom pointed to significant technical limitations and social risk in employing such tools. Another analysis published in Nature Medicine found that only 16 of 50 COVID-19 apps from around the world promisted to anonymize, encrypt and secure the data they collect.

These topics have also been debated across the pond in the U.S.

“Contact tracing apps collect and combine two highly sensitive categories of information: location and health status,” Ryan Cale, a professor of law at the University of Washington, and Kinsa CEO Inder Singh, said during a U.S. Senate committee hearing on big data and privacy protections. “It seems fair to wonder whether these apps, developed by small teams, will be able to keep such sensitive information private and secure. To the extent digital contact tracing – or any private, technology-driven response to the pandemic – involves the sharing of healthcare data with private parties, there is also the specter of inadequate transparency or consent.”


While digital health was gaining steam in medical community, the coronavirus has propelled new technologies to be adopted with record speed. Telemedicine visits are rapidly growing during this time. According to new data from FAIR Health's Monthly Telehealth Regional Tracker, telehealth claims have increased by 4,347% nationally from March 2019 to March 2020

Contact-tracing efforts have been rolled out by Apple and Google, as well as by a number of countries, including the UK, France, China and India. The World Health Organization is even helping under resourced countries develop their own contact-tracing apps.


“Our investigation did not reveal intentional or malicious misconduct. In many cases, we found that governments, developers, and their partners took great care to protect the privacy of users and adopted best practices in the design of the apps,” researchers wrote in the report. “However, our investigation did uncover several instances in which apps fell short of best practices related to privacy and security, and potentially exposed the public to avoidable risks and potential harms.” 


Security in the COVID-19 Era

This month we look at how the COVID-19 pandemic is fundamentally changing healthcare organizations' approaches to security, now and in the future.


The latest news in digital health delivered daily to your inbox.

Thank you for subscribing!
Error! Something went wrong!