You want to get in shape for swimming season, and you find an app to help you keep track of your daily exercise and your daily food intake. But what happens to all that data you enter? Unfortunately, your BBB has learned, much of that data is being shared with or sold to numerous third parties.
The Federal Trade Commission (FTC) studied 12 mobile health and fitness apps and found that the apps shared user data with 76 third parties. One of the apps shared information on device models and identifiers and on dietary and workout habits with 18 other entities. Some of these third parties saw the same universal device IDs (UDID) used in other apps. This would allow them to piece together enough information to identify individual consumers. The FTC found that 14 third parties acquired usernames, names, and email addresses, and 22 third parties received data on exercise and diet habits, medical symptom searches, zip codes, geo-location and gender.
The Privacy Rights Clearinghouse also conducted a study of 43 health and fitness apps (23 free and 20 paid) on the Apple iOS and Android platforms. These apps included diet and exercise programs, pregnancy trackers, behavioral and mental health coaches, symptom checkers, sleep and relaxation aids, personal disease or chronic condition managers, and nutritional values of restaurant food.
Not so bad, you think? Consider this. The FTC’s Chief Technologist, Latanya Sweeney, said the agency is concerned that this information could be used in a discriminatory way. Would you want your sensitive information known by prospective employers, insurers, and others? For example, a financial institution might adjust credit ratings based on the fact that someone has a disease.
When you use an app, you are creating a record of your daily eating and exercise habits, your height, weight, glucose readings if you have diabetes, any herbal supplements you take, etc. As reported in the Washington Post, Deborah Peel, the executive director of Patient Privacy Rights, called the growing fitness data marketplace a “privacy nightmare.” According to Peel, health and wellness data is “the most valuable information in the digital age, bar none.”
Jeffrey Chester, the executive director of the Center for Digital Democracy, says that the tech industry’s focus on health and fitness tracking “is all part of a much wider system of data collection. The next frontier is local, and they know that health apps and other kinds of apps related to recreation and lifestyle will be an economic bonanza. Information about consumers’ most intimate health conditions is going to be sold to the highest bidder.”
One problem is that fitness data does not have the same protection as the data in consumers’ health records from visits to doctors. That information is protected by the Health Insurance Portability and Accountability Act (HIPAA). The apps are not regulated by the Food and Drug Administration (FDA) because they do not meet the definition of medical devices. The FTC is concerned about the lack of security on consumer-generated health data and in early May hosted a public conference on the topic, but it has limited authority to punish companies for breaking their promises to consumers.
So, it is basically up to consumers to watch their own backs. Some privacy safeguarding tips from the Privacy Rights Clearinghouse are:
• research an app before you download it by reading information on the app developer’s website and reading consumer reviews of the app,
• only provide information you would want shared with third parties,
• consider turning off the geo-location service,
• make sure the app uses HTTPS to transmit your data,
• if you stop using an app, delete it.
For more information you can trust, visit bbb.org/evansville.