North Dakota debuted a contact-tracing app in April which uses geolocation to track the spread of COVID-19.- Analysis by privacy research firm Jumbo has found the app sends location data to data advertising firm
Foursquare , despite saying privacy policy that it won't share data with any third parties. - The app's maker admitted to sending data from iPhones to Foursquare, but said it wasn't being used for commercial purposes.
- It said it will revise the privacy policy and reduce the amount of data being sent to third parties.
One of the first US states to roll out a contact-tracing app has been caught sending user data to third parties without permission.
North Dakota launched its app "Care-19" in early April to try and curb the spread of the coronavirus inside the state. "Once the app is downloaded, individuals will be given a random ID number and the app will anonymously cache the individual's locations throughout the day," the state said in a statement when the app launched.
An analysis of the app by privacy research firm Jumbo has found that although the app says in its privacy policy that users' location data will be kept private, it sends data to third parties including
Potentially passing data on to advertisers
Specifically Jumbo found the phone's anonymous code was being transmitted to Foursquare, a company that specializes in passing location data on to advertisers.
Significantly Jumbo found the app was sending location data to Foursquare, along with something called an Advertising Identifier (commonly referred to as an IDFA). IDFAs are numbers assigned to phones that help advertisers target them. This IDFA number was also being passed along to Google.
"Sharing what is supposed to be an anonymous code along with an Advertising Identifier has serious privacy risks," privacy research firm Jumbo wrote in its analysis. "An IDFA is an identifier that is shared across all apps on your phone, and often leaked by third-party SDKs [software development kits], along with personal information. For example, the Facebook SDK, included in many popular apps, sends the IDFA back to Facebook's servers, and Facebook maintains a database linking your IDFA and your Facebook personal information, for retargeting purposes."
Additionally was sharing the anonymous phone codes with a company called Bugfender. In a blog post responding to The Fast Company's coverage of Jumbo's report, Bugfender said:
"Bugfender creates a random identifier that is sent to our servers to differentiate one device from another. The sole purpose of this ID is to show the correct diagnostic data to the programmers of the app and does not contain any information related to the user or the device."
The app's creator says it's going to make it more private
North Dakota's app was built by a Fargo-based company called ProudCrowd, which signed also signed contract with South Dakota for $9,000 to build the same app. According to the AP, the app was based on an older app a Microsoft engineer, Tim Brookins, has designed to help college football fans connect on their way to the game.
A ProudCrowd spokesperson confirmed to The Washington Post it was sending data from iPhones to Foursquare, but said it wasn't being used for commercial purposes. ProwdCrowd did not immediately respond to a request for comment from Business Insider.
ProudCrowd also said it would be re-jigging the app's privacy policy and will reduce the amount of data it shares in the future.
North Dakota's contact-tracing facilitator Vern Dosch told The Post the state would be taking action. "Should this have been vetted? Yes. We are following up on that as we speak. We know that people are very sensitive," he said.
Apple also told The Post it is now investigating the app following the report.
Trust issues
A major issue for all contact tracing apps will be getting people to use them. For such apps to be effective they need high uptake rates — if not enough people download them, they're useless for fighting the pandemic. An incident like the one in North Dakota make these efforts even harder.
Public mistrust of how users' data might be misused is already a hurdle local health authorities have to overcome in convincing people to download their apps, and in some cases seemingly hurried app releases have resulted in a privacy backlash. In Australia authorities were fast to release the country's app, but it was subsequently found to contain serious security flaws.
Samuel Woodhams, a privacy researcher who maintains a live index called the COVID-19 Digital Rights Tracker about various efforts around the world to surveil the spread of the coronavirus, said Jumbo's findings were unsurprising.
"Of the 47 apps that I've recorded, over half contain third-party trackers, with 17 apps containing Google's advertising and tracking platforms," Woodhams told Business Insider. "The speed in which these apps have been developed and deployed around the world has resulted in lots of shoddy apps that contain unnecessary permissions and redundant functionalities. However, the presence of third-party trackers clearly raises concerns that companies may be looking to profit from the public health crises," he told Business Insider.
North Dakota recently announced it would be launching a second app to sit alongside Care-19 using the specialized contact-tracing framework rolled out by Google and Apple this week. While it is possible that this second app could be more secure than the first, it risks splitting the userbase and rendering both apps much less effective.
Now it will also have to contend with the first app's bad press.
Read the original article on Business Insider