Privacy Rights Clearinghouse Releases Study:
Mobile Health and Fitness Apps:
What Are the Privacy Risks?




Copyright © 2013-2014
Privacy Rights Clearinghouse
Posted July 15, 2013

Many individuals use mobile apps to monitor their health, learn about specific medical conditions, and help them achieve personal fitness goals.  Apps in the “wellness” space include those that support diet and exercise programs; pregnancy trackers; behavioral and mental health coaches; symptom checkers that can link users to local health services; sleep and relaxation aids; and personal disease or chronic condition managers.   

After studying 43 popular health and fitness apps (both free and paid) from both a consumer and technical perspective, it is clear that there are considerable privacy risks for users – and that the privacy policies for those apps that have policies do not describe those risks. However, these apps appeal to a wide range of consumers because they can be beneficial and convenient, and are often free to use.

Consumers should not assume any of their data is private in the mobile app environment—even health data that they consider sensitive.  Users must weigh the benefits of the service against the realistic possibility that they are revealing information about their health not only to the app developer or publisher but also to third parties.

Of the free apps we reviewed, just under half (43%) provided a link to a website privacy policy. Of the sites that posted a privacy policy, only about half were accurate in describing the app's technical processes.

We performed a technical risk assessment to determine what data the apps collected, stored, and transmitted over the network. In other words, we “looked under the hood” to view the actual flow of personal information back to the app developer and to third parties.

Our findings:

  • Many apps send data in the clear (unencrypted) without user knowledge.
  • Many apps connect to several third-party sites without user knowledge.
  • Unencrypted connections potentially expose sensitive and embarrassing data to everyone on a network.
  • Nearly three-fourths, or 72%, of the apps we assessed presented medium (32%) to high (40%) risk regarding personal privacy.
  • The apps which presented the lowest privacy risk to users were paid apps.  This is primarily due to the fact that they don't rely solely on advertising to make money, which means the data is less likely to be available to other parties.

Our tips for consumers:

  • Research the app before you download it.
  • Consider using paid apps over free apps if they offer better privacy protections.
  • Make your own assessment of the app's intrusiveness based on the personal information it asks for in order to use the app.
  • Assume any information you provide to an app may be distributed to the developer, third-party sites the developer uses for functionality, and unidentified third-party marketers and advertisers.
  • Try to limit the personal information you provide, and exercise caution when you share it.  If the app allows it, try the features first without entering personal information.
  • Ask a tech-savvy friend to help you determine what information an app is asking for, help you navigate settings, and potentially help you restrict the information an app gathers.
  • If you stop using an app, delete it.  If you have the option, also delete your personal profile and any data archive you've created while using the app.

We encourage mobile app developers to create products with privacy in mind and implement responsible information privacy and security practices.  Most consumers lack the tools and knowledge to analyze data flows and security, so they have no way of knowing what is happening behind the scenes.  Even if privacy and security practices are accurately detailed in a privacy policy, the average user has no way to decipher them. 

For more information about the PRC’s mobile medical apps study: 

Our mobile apps privacy project was funded by the California Consumer Protection Foundation. We are grateful for its support.

Copyright © Privacy Rights Clearinghouse. This copyrighted document may be copied and distributed for nonprofit, educational purposes only. For distribution, see our copyright and reprint guidelines. The text of this document may not be altered without express authorization of the Privacy Rights Clearinghouse.

