Research Shows iOS Covid Apps Are A Privacy Mess
from the with-friends-like-these dept
Jonathan Albright, director of the Digital Forensics Initiative at the Tow Center for Digital Journalism, recently released analysis he did into 493 COVID-19 related iOS apps across dozens of countries. The results are...not great, and highlight how such apps routinely hoover up far more data than they need to, including unneeded access to cameras and microphones, your photo gallery, your contacts, and far more location data than is needed. Much of this data then winds up in the adtech ecosystem for profit, where it winds up in the hands of third parties.
Only 47 of the apps used Google and Apple's more privacy-friendly exposure-notification system, resulting in a number of folks building their own apps with substandard (in some cases borderline nonexistent) privacy standards. Six out of seven COVID iOS apps worldwide are allowed to request any permissions they'd like. 43 percent of all apps were found to be tracking user location at all times. 44% requested access to the users' camera, 22 percent asked for access to users' smartphone mic, 32 percent asked for access to users' photos, and 11 percent asked for full access to user contact lists.
Albright told Ars Technica that while many of these app makers may be well intentioned, they're often working at cross purposes, while hoovering up far more data than they actually need. Data that in many instances is then being sold to unknown third parties:
"It's hard to justify why a lot of these apps would need your constant location, your microphone, your photo library," Albright says. He warns that, even for COVID-19-tracking apps built by universities or government agencies—often at the local level—that introduces the risk that private data, sometimes linked with health information, could end up out of users' control. "We have a bunch of different, smaller public entities that are more or less developing their own apps, sometimes with third parties. And we don't know where the data's going."
Albright's study focused on iOS, while other studies focused on Android and showed the same problem(s). Albright notes that he didn't find any nefarious activity himself, but he also made it pretty clear than once this data starts circulating in the largely unaccountable adtech universe, it's possible that sensitive data (including your COVID status) could be revealed to third parties:
"some COVID-19 apps he analyzed went beyond direct requests for permission to monitor the user's location to include advertising analytics, too: while Albright didn't find any advertising-focused analytic tools built into exposure-notification or contact-tracing apps, he found that, among apps he classifies as "information and updates," three used Google's ad network and two used Facebook Audience Network, and many others integrated software development kits for analytics tools including Branch, Adobe Auditude, and Airship. Albright warns that any of those tracking tools could potentially reveal users' personal information to third-party advertisers, including potentially even users' COVID-19 status."
That's not to say many of these apps aren't doing good things, but they're doing them so in a way that potentially puts consumer privacy at risk, a particular problem when you can't opt out of using it due to work or school requirements. That's not particularly surprising here in the States, where we can't even pass a baseline privacy law for the internet era, resulting in no real concrete guidance from the top down. The end result is, well, precisely what you'd expect.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: apps, covid, ios, jonathan albright, privacy
Companies: apple
Reader Comments
Subscribe: RSS
View by: Time | Thread
I don't know how anyone's surprised by this. The apps will have been developed in a rush, with functionality being a bigger driving factor than privacy, usually with multiple people racing to get their app out first and contractors often chosen by their government contacts over their actual competence.
The shock would be if these apps were uniformly built with minimal security risks.
[ link to this | view in chronology ]
Re:
But they put in the time and code to gather extra user data for advertising purposes.
[ link to this | view in chronology ]
Re: Re:
No, they use an off-the-shelf framework provided for free by an adtech provider. The data gathering is because they didn't bother to put in the time to do it properly themselves, or read the fine print as to what the adtech provider was actually doing with their framework they provided for "free".
[ link to this | view in chronology ]
Re: Re: Re:
Think of it like this: Fox Inc makes a framework called "feed location" that they provide for free. The local chickens, who can't be bothered hunting for food themselves, use this app to build an app that does it for them.
Presto! Everyone wins! The chickens, who have no expertise themselves in building apps, get an app that does exactly what they want and get their food without much effort, and Fox Inc gets the real time location data of all the well-fed chickens.
[ link to this | view in chronology ]
Re: Re: Re:
They still have to implement it in their code, and that takes some effort because of build systems etc.
[ link to this | view in chronology ]
Re: Re: Re: Re:
"that takes some effort"
Not really. In actual fact, you can do such a thing accidentally - implementing some off the shelf framework for speed of development, but forgetting to turn off certain tracking and ad features. Easy to do when you're in a race and the people you're working with have been chosen for political connections rather than coding skills.
[ link to this | view in chronology ]
Three cheers
„ The end result is, well, precisely what you'd expect.“
Well, Germans tend to be rightfully paranoid about privacy (something something Hitler and East Germany’s Stasi). The official Corona Warn App (by Robert Koch Institut, our CDC) seems to be pretty much exemplary according to the linked table. Open source as well, to facilitate trust. (in fact it may be a bit too much focused on privacy and could use some more pressure to add everyone’s test results automatically)
So don’t say it can’t be done, hurry or none. And why does every country reinvent the wheel when it’s open source? Looking at you, UK ...
[ link to this | view in chronology ]
Re: Three cheers
And why does every country reinvent the wheel when it’s open source?
Even organizations and governments inside countries. 493 tracing apps. Four. Hundred. Ninety-three. I wonder how any reasonable, reliable epidemiologists could make use of that hot mess whatsoever.
[ link to this | view in chronology ]
Re: Three cheers
"And why does every country reinvent the wheel when it’s open source? Looking at you, UK ..."
I.T. projects in the UK tend to consist of some dodgy bidding process (optional), which magically always seems to go to some old friend of a Tory cabinet minister or a related outsourcing company, which will then run years and many millions over budget to deliver a non-working system.
You can't make as much money if it's a quick process that uses existing components that are known to work.
[ link to this | view in chronology ]