Fact Sheet 39:
Mobile Health and Fitness Apps:
What Are the Privacy Risks?




Copyright © 2013 - 2014
Privacy Rights Clearinghouse
Posted July 2013
Revised July 2013

Table of Contents

1. Introduction

2. What are health and fitness apps?

3. What are the risks to consumers of using mobile health and fitness applications?

4. PRC's analysis of mobile health and fitness app developers' information practices

5. What were the major consumer-level and technical-level findings of PRC's study of mobile health and fitness applications?

6. Tips

7. Additional reports produced from this study

8. Resources

1. Introduction

Mobile applications (apps) are entering the market for smartphones and tablets at such a pace that numbers become outdated almost as soon as they are published. To put it in perspective:

  • In June 2009, the Apple App Store offered 50,000 apps; by June 2013, there were 900,000 apps available, with 375,000 of them native to the iPad.
  • Google Play is expected to pass the 1 million mark as of June 2013. In March 2009, as Android Market, it had 2,300 applications.
  • Just over 50% of U.S. cell phone users now have smartphones, and that number is expected to rise to 79% by 2017.
  • As of December 2012, about 50 million people in the U.S. owned a tablet.

Mobile is the consumer technology of the moment. The number of applications available to mobile device users appears set to continue its exponential growth. The Privacy Rights Clearinghouse decided to look at the information practices of one category of mobile apps in which the sensitivity of personal information is particularly significant—those that fall under the broad heading of health and fitness. Most of the information in this fact sheet comes from that study, which was funded by a grant from the California Consumer Protection Foundation.

We analyzed 43 health and fitness apps (23 free and 20 paid) on the Apple iOS and Android platforms, and highlight the major consumer privacy risks in this guide. This guide also provides tips for users deciding whether to download an app and how best to take advantage of health and fitness apps while protecting your personal privacy.

2. What are health and fitness apps?

Mobile health and fitness apps comprise a significant segment of the app universe.  In fact, there are so many different types of applications in the health and fitness space that it’s difficult to categorize them. This Fact Sheet focuses on what we consider “wellness” apps, for consumer use.  It does not focus on applications that integrate with medical treatment or are intended for health professionals.

Wellness apps include those that support diet and exercise programs; pregnancy trackers; behavioral and mental health coaches; symptom checkers that can link users to local health services; sleep and relaxation aids; and personal disease or chronic condition managers.

Some apps are interactive, and others are informational. Consumers use some to participate in a program, and others to look up information about diseases or medications, nutritional values of restaurant food, horoscopes or baby names, to highlight just a few examples. A number of apps are simply mobile magazine subscriptions for health and lifestyle publications.

There are several options for downloading health and fitness applications. Many developers have websites where you can download their apps, and Amazon has a large selection. However, it’s probably easiest and most common to use the App Store for iOS applications and Google Play for Android. You can search both by app name or type and can read about an app before you download it. You can find out what the app does (although not necessarily the information it collects), see sample screens (and sometimes videos of how an app operates), read user reviews, link to the developer’s website and link to other comparable apps.

If the app has a privacy policy—and many do not—it is increasingly common to find it (or a link to it) prior to download.  In Google Play you can also see what permissions an app requires of your mobile device before you download it. If you are unable to find a privacy policy through either app store, you may be able to find one on the developer's website.  If there is no website, there may not be a privacy policy either.

3. What are the risks to consumers of using mobile health and fitness applications?

Mobile health and fitness applications pose a number of privacy risks—both general and specific—that consumers who use them should consider.

General concerns with using mobile devices and applications:

  • Mobile devices—smartphones and tablets—are ideal tracking tools. They are Internet- and geo-location-enabled, people carry them almost everywhere they go, and users rarely turn them off.  They offer great consumer benefits, such as continuous Internet access and apps for finding directions and services.  But at the same time, mobile devices and the apps people download can be highly privacy invasive. 
  • The mobile applications ecosystem is largely unregulated. This is a particular concern with health and fitness apps, which often collect both demographic and medical (or medical-like) information. None of this data is covered by existing regulations that protect the privacy and security of personal health information; it has only whatever protections the developer’s privacy policy affords—if there is a privacy policy at all. Also, many health and fitness apps allow and encourage users to share what you might consider sensitive information via social media.  Once information is public you have little to no control over it.

Specific risks of using mobile health and fitness applications:

  • Many health and fitness applications collect a great deal of personal information. Apps may prompt users to enter a name, email address, age, gender, height, weight, and photo.  They may also ask for lifestyle information. For example, the app may ask questions about food consumption and exercise habits.

When you use the app, you create a record—of your diet, daily exercise, glucose readings, pregnancy, menstrual cycle. As noted above, this information has no regulatory protection.

Legal note for California residents: California’s Confidentiality of Medical Information Act (CMIA) may apply to mobile applications that collect what the federal HIPAA regulations define as “protected health information” (PHI).  However, CMIA's applicability is unclear. Under the CMIA, the question is whether a mobile health and fitness or wellness application developer’s business is organized for the purpose "… of maintaining medical information in order to make the information available to an individual or to a provider of health care at the request of the individual or a provider of health care, for purposes of allowing the individual to manage his or her information, or for the diagnosis and treatment of the individual shall be deemed  to be a provider of health care. . . .” Cal. Civ. Code § 56.06(a).

  • Mobile applications, especially apps that you download for free, depend on advertising to make money. They may share personally identifiable information with advertisers, or allow ad networks to track you. Almost all applications send de-identified (non-personal) data about how you use an application to data analytics services. If an application collects your UDID (universal device ID) or embeds a unique ID in the application you download, de-identified analytics data can be tracked back to you personally.
  • Many mobile applications have poor security. Although they may have a privacy policy that says they protect the privacy and confidentiality of your information, more often than not, they transmit it unencrypted and over insecure network connections—HTTP, rather than HTTPS. They may also transmit information that includes your disease or pharmaceutical search terms—for sexually transmitted diseases or anti-psychotic drugs, for example—in the clear and viewable by anyone watching on the network.

4. PRC’s analysis of mobile health and fitness app developers’ information practices

The PRC study of mobile health and fitness apps looked at developers’ information practices from two vantage points: the consumer-user experience and a computer scientist’s analysis of what was going on behind the user interface – “under the hood”, so to speak. The goals of the project were to discover as much as possible about:

  • What information a range of health and fitness applications collect.
  • Whether apps have privacy policies and how thorough and technically accurate they are.
  • What privacy policies acknowledge doing with personal and non-personal information they collect.
  • How developers’ actual information practices correlate with their privacy policies, through technical analysis of the apps.
  • The extent to which users have access to and control over the information an app collects, both when installing the app and after using it.

5. What were the major consumer-level and technical-level findings of PRC’s study of mobile health and fitness applications?

Our mobile medical apps project has resulted in several reports: consumer-level findings, a technologist’s report, tips for app developers, a webinar, and the evaluation criteria for our app analysis.  The major findings are summarized below in this section. For more detailed information, you can link to the additional documents in Section 7.  

If you want to learn how to minimize risk to your health privacy when using mobile medical apps, skip the following discussion of project findings, and read our consumer tips.

5.1      Consumer-level findings

The main things we looked for at the consumer level were:  

  • How much notice did developers give users about their information practices? Was there a privacy policy? How complete is it in terms of including recognized Fair Information Practices? How accessible is the policy? How readable is it to someone with a high school education?
  • How much access and control over personal information did an application give users? Are they able to update and correct their personal profiles? Can they delete any personal information entirely? What choices do users have about sharing both personal and de-identified information?

The table summarizes the highlights of our consumer-level findings about the quality of notice in the privacy policies of free and paid health and fitness applications, along with the availability of some user controls of information.

The acronym PII stands for “personally identifiable information.”

| Finding | Free apps | Paid apps |
|---|---|---|
| App has link to website privacy policy | 43% | 25% |
| Notifies user that privacy policy does not apply to 3rd party links | 48% | 25% |
| Notifies user that personal information made public is not protected | 57% | 15% |
| Shares user-generated PII data with advertisers | 43% | 5% |
| Shares aggregate (non-PII) data with marketers | 52% | 55% |
| Uses anonymized (non-PII) data for analytics | 70% | 70% |
| Contact info: developer’s email address listed in policy | 57% | 100% |
| Can opt out of developer/vendor sharing data with 3rd parties | 57% | 30% |
| Can opt in to data sharing with 3rd parties | 35% | 30% |

Most recent date of analysis: May 7, 2013

5.2      Technical findings

The technical analysis assigned risk levels to the applications tested based on the amount of personal information they collected, along with our judgment as to the sensitivity of that information. We assigned risk based on the criteria below, on a scale of 0-9. For the sake of convenience, this numerical rating scale was converted to “high,” “medium,” “low,” “none”:

  • High risk (7-9)—includes address, financial info, full name, health information, geo-location, date of birth (DOB), ZIP code
  • Medium risk (4-6)—enhanced privacy risk to PII; email, first name, friends, interests, weight, potentially embarrassing/sensitive info
  • Low risk (1-3) —moderately low risk; anonymous tracking, device information, a third party knows the individual is using a mobile medical app
  • No risk (0) — no PII or health-related information

Based on these criteria, we determined the following:

  • 40% of the apps were high risk (17 of the 43 apps)
  • 32% of the apps (14 of 43) were medium to high risk
  • 28% of the apps (12 of 43) were low to medium risk
  • none of the apps were evaluated to be no risk

The technical analysis identified the three main technical causes of informational privacy risks in mobile health and fitness apps to be the following:

  • Unencrypted network connections:  Insecure network communications posed the greatest risk to privacy. Only a single paid application used HTTPS (SSL) exclusively for all of its network connections. None of the apps used additional encryption (such as PGP), for secure transmission of personal information.
  • Advertising: The next greatest risk to the privacy of users’ personal information was apps that sent personal information to advertisers to use for serving personally targeted ads. This occurred far more often with free applications (43% of 23 apps analyzed) than with paid apps (only one of 20 analyzed). This should be expected, because free apps often rely on advertising as their only source of revenue, while paid apps depend on app sales to generate most of their revenue and rarely include advertising.
  •  Analytics:  Data that apps transmit to third-party analytics services also present a serious privacy risk. Almost all applications collect and send non-personally identifiable usage data to third parties for analysis, in order to “improve the user experience” and for developers’ own marketing purposes. We observed that data with privacy-invasive details of usage behavior is generally sent over HTTP, not HTTPS (for example, What information did you access to deal with PTSD symptoms? What store products’ bar codes did you scan with your phone for enhanced nutrition and calorie information? Which STDs did you research in an app’s symptom checker?). This data can potentially be collected in a central database that links an individual’s usage of other apps that employ the same analytics services. We found that 55% of paid and 60% of free apps which we investigated use third-party analytics services.
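The cleartext-transmission and analytics-linking risks in the list above can be checked in traffic captured from your own test device. The following is an added example, not code from the PRC study; the app names, hosts, parameter names and device IDs are constructed, and the sets of "identifier" and "sensitive" parameter names are assumptions an auditor would tune per app.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample: (app, outbound request URL) pairs as logged by a proxy
# on a test device. All hosts, parameters and IDs are made up for illustration.
CAPTURED = [
    ("SymptomChecker", "http://analytics.example/track?device_id=A1B2C3&event=search&q=chlamydia"),
    ("DietLog", "http://analytics.example/track?device_id=A1B2C3&event=scan&barcode=0123456789012"),
    ("DietLog", "https://api.dietlog.example/profile?email=user%40example.org&weight=82"),
    ("SleepAid", "http://ads.example/serve?device_id=FFEE99&zip=92101"),
]

# Assumed parameter names (hypothetical; real apps use their own naming).
ID_PARAMS = {"device_id", "udid"}
SENSITIVE_PARAMS = {"q", "email", "weight", "zip", "barcode", "dob"}


def audit(captured):
    """Return (cleartext findings, cross-app links).

    cleartext: requests sent over plain HTTP that carry an identifier or
               sensitive field, as (app, host, [parameter names]).
    linked:    {(host, device id): [apps]} where one third-party host saw
               the same device ID from more than one app, i.e. "non-personal"
               usage records that can be joined into a single profile.
    """
    cleartext = []
    seen = defaultdict(set)
    for app, url in captured:
        parts = urlsplit(url)
        params = parse_qs(parts.query)
        names = set(params)
        exposed = sorted(names & (ID_PARAMS | SENSITIVE_PARAMS))
        if parts.scheme == "http" and exposed:
            cleartext.append((app, parts.hostname, exposed))
        for name in names & ID_PARAMS:
            for value in params[name]:
                seen[(parts.hostname, value)].add(app)
    linked = {key: sorted(apps) for key, apps in seen.items() if len(apps) > 1}
    return cleartext, linked


if __name__ == "__main__":
    cleartext, linked = audit(CAPTURED)
    for app, host, fields in cleartext:
        print(f"CLEARTEXT {app} -> {host}: {', '.join(fields)}")
    for (host, device), apps in linked.items():
        print(f"LINKABLE  {host} sees device {device} in: {', '.join(apps)}")
```

In the constructed sample, the HTTPS profile request is not flagged for cleartext exposure, while the two analytics hits that share one device ID show how a symptom search and a barcode scan from different apps end up attributable to the same device.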

6. Tips

Mobile health and fitness apps offer many benefits and are very convenient to use. Because they collect a great deal of personal information in ways that are not currently regulated and have generally poor information security practices, balancing the risks versus benefits of using them before jumping in is a reasonable thing to do.

  • Make your own assessment of an app’s creepiness or intrusiveness based on the personal information it asks for in order to use the app. For example, what information are you putting into a personal profile that you might not want advertisers to have or to become public? Are you giving away information about a disease or mental condition or a pregnancy problem that could have negative repercussions for you if it ends up with data brokers? Consider, too, the possibility of negative emotional repercussions of discussing private matters—such as your weight or a miscarriage—in an application-based chat group.
  • Assume that any information you provide to an app may be distributed to the developer, to third-party sites the developer may use for functionality, and to unidentified third-party marketers and advertisers.  Only provide information you are comfortable with the app sharing with those third parties.
  • Try to limit your input of personal information and exercise caution  when you share it. Widespread sharing may have as much impact on personal safety as it does on privacy. This is particularly true of location sharing, for example, of your running or bicycling route in a time-and-distance competition with other app users.
  • Ask a tech savvy friend to help you figure out what permissions an app asks for, and help you turn off the ones that appear to be unnecessary for the app to function. For example, you may want to disable location services, or the always-on setting, which eats up battery charge.
  • Research the app before you download it. Although it’s difficult to evaluate the validity of a great deal of information on the Internet, try to assess how credible the app developer is.  Look for user reviews either through the app store or online.  If you do not find a privacy policy through the app store, you can look for the developer's website on your home computer or larger mobile device (such as a tablet) so you are not limited by screen size.  Assess the quality and content of information on the website, including the privacy policy. Find any relevant contact information and contact the developer with questions. And finally, you can often learn about the app or the developer in the media.
 
  • For maximum privacy, consider only using paid health and fitness apps.  If you’re sensitive about your information privacy, avoid applications that embed advertising or that seem to be primarily about selling products related in some way to the purpose of the app.
  • If an app allows you, try the features first without entering personal information. Some apps give you the option of trying out the features without entering personal information. Take advantage of this opportunity when it’s offered to decide whether you want to proceed with using the app at all.
  • If you stop using an app, delete it.  You will free up some memory to download other apps, and it won't continue to do things like broadcast your location or interact with other apps on your device—or remain in “always on” mode, draining your battery.
  • If you have the option, also delete your personal profile and the data archive you’ve created by using the app—of your food intake, exercise routines, pregnancy stages, etc. You can’t recall what’s already been shared or that you’ve made public, but you may be able to prevent continuing use of stored data after you’re no longer using the app.

7. Additional reports produced from this study

Mobile Health and Fitness Applications and Information Privacy: Report to California Consumer Protection Foundation (the consumer-level report)

Technical Analysis of the Data Practices and Privacy Risks of 43 Popular Mobile Health and Fitness Applications  

HOW TO: Privacy-Aware Checklist for Mobile Application Developers 

Webinar summarizing the project methodology, findings, and tips (one hour) 

Evaluation of the mobile apps: data elements examined and questions asked of each app

8. Resources

California Attorney General:

Privacy on the Go: Recommendations for the Mobile Ecosystem (January 2013)

Federal Trade Commission:

Mobile Privacy Disclosures: Building Trust Through Transparency: A Federal Trade Commission Staff Report (February 2013)

Understanding Mobile Apps

The Pew Internet & American Life Project:

 Privacy and Data Management on Mobile Devices (September 2012)

NTIA (National Telecommunications and Information Administration)

Privacy Multistakeholder Process: Mobile Application Transparency

Privacy Rights Clearinghouse:

Privacy in the Age of the Smartphone

Slides: Mobile Health & Fitness Apps: What Are The Privacy Risks? (October 29, 2013)

Webinar: Mobile Health & Fitness Apps: What Are the Privacy Risks? (October 29, 2013)

Media:

New York Times: A Guide to Mobile Apps (index to the NY Times archive of mobile app reporting)

 

Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.

