COVID-19 apps want user data, but few say they'll protect it

Of 50 worldwide COVID-19 apps analyzed in Nature Medicine, only 16 promised to anonymize, encrypt and secure the data they collect.
By Dave Muoio
02:04 pm

A large portion of COVID-19 apps available in the Google Play Store ask users for advanced access permissions, but very few indicate to users that collected data will be made anonymous and secured, according to an analysis of 50 such apps published recently in Nature Medicine.

The investigation – conducted by two researchers from the University of Illinois at Urbana-Champaign's Illinois Informatics Institute – reviewed a sample of apps hailing from dozens of different countries around the world. Twenty of these offerings were issued by governments, health ministries or other official sources.

The researchers classified nearly half as informational tools, roughly a third as tracking tools, 10% as assessment tools and 8% as scientific research apps. Common features across these apps included live maps and confirmed-case updates, alert systems, direct-to-government symptom reporting and COVID-19 education. More specialized functions included device-connected vitals monitoring, contact tracing and virtual consultations.

Among these, 30 apps required some level of access to the user's phone data, camera, microphone, WiFi connection or other settings, the researchers wrote, with some explicitly stating that they would collect some level of information. However, only 16 of the apps indicated that this information would be made anonymous, encrypted, secured and reported only in aggregate.

The researchers also noted that some of the apps within the sample were released by U.S. healthcare providers, but did not make it clear whether or not the data collected was regulated under HIPAA or other laws and regulations.


The researchers warned of a slippery slope between effective digital surveillance and long-term risks to civil liberties that could result from governments or others having access to continuously updated tracking information or other sensitive and personally identifiable data. They noted that although the European Data Protection Board has outlined regulations for processing personal data during COVID-19, others like the U.S. have little to no frameworks or protective agencies in place.

In the short term, this places the onus on technology-makers and the public to push for built-in privacy protections in this new wave of mobile health tools.

"Healthcare providers must absolutely use whatever means are available to save lives and confine the spread of the virus," they wrote. "But it is up to the rest, especially those in the field of information privacy and security, to ask the questions needed to protect the right to privacy."


From big tech to government to the World Health Organization, there has been little shortage of apps released to the public throughout the pandemic. While some efforts have worked to build in user-data protections from the start, examples are cropping up of apps that put their users' personal information at risk. Last week, for instance, an Amnesty International investigation found exposures of user name, national ID numbers, health status and location data within Qatar's COVID-19 app.


"It is important to note that there may be no choice but to adopt such mass surveillance measures if this pandemic does not go away or if another one comes into existence. Thus, it is crucial to ensure that policies, mathematical models and technological measures are developed to protect the data that are being collected and used, and transparency must be promoted in how data can help contain the spread while ensuring that civil liberties will still be protected," the researchers concluded.

Security in the COVID-19 Era

This month we look at how the COVID-19 pandemic is fundamentally changing healthcare organizations' approaches to security, now and in the future.


The latest news in digital health delivered daily to your inbox.

Thank you for subscribing!
Error! Something went wrong!