A data privacy group has analysed 108 Covid-19 apps across the world to see how effective they are at protecting personal information.
Technology – and specifically smartphones – has been seen as a potentially essential tool in tracking and monitoring the spread of Covid-19. While there has been plenty of discussion about contact-tracing apps, other types of apps include symptom checkers, quarantine checkers and telehealth platforms.
The pace at which these apps have been deployed has raised concerns among privacy advocates who fear that these developments could, unintentionally, leave a person’s data vulnerable to hackers and governments alike.
Now, the International Digital Accountability Council (IDAC) has published a report looking at how effective 108 Covid-19 Android apps across the world are at protecting user information. This included apps developed in Asia (41), Europe (30), North America (21) and elsewhere, with apps from both government entities and private organisations.
Out of a total of 23 contact-tracing apps studied, the group said that less than 20pc explicitly mention or inform users if their data is anonymised.
One app that raised concerns was a privately owned contact-tracing app created by Indian developer Medinin. The IDAC said the app had unsecured transmissions, meaning that a user’s personal data could be exposed.
Approximately half of all the Covid-19 apps examined requested potentially intrusive permissions. While noting that these permissions may be used for legitimate purposes – such as being able to read your phone’s contacts to share information – the IDAC said it was concerned there was still potential for misuse of data.
Role of SDKs
Among the 60 symptom-checker apps analysed for the report, the majority were found to not be transparent about third-party sharing practices. This means that most of these apps do not inform users if they share their data, or where it is being shared.
The authors of the report said that only five symptom-checker apps disclosed that they encrypted the data, and only two informed users that their data would be anonymised.
One of the biggest concerns was around the use of third-party software development kits (SDKs). A total of eight apps were found to be using third-party SDKs, including the PatientMPower app developed in Ireland that included an analytics SDK developed by Urban Airship.
“SDKs that would be appropriate in a non-pandemic context were not designed to accommodate the sensitive nature of a Covid-19 app,” the IDAC said. “Consequently, there is a potential for extraneous sensitive information to be sent out in conjunction with the use of these apps. This is particularly true in the case of SDKs that provide monetisation capabilities.”
However, it stressed that its tests did not reveal active personal data transmissions in connection with the SDKs analysed for the report and that developers may have legitimate reasons for their use.
Claims of inaccuracies
When contacted by Siliconrepublic.com, PatientMPower said that while it welcomes oversight from bodies such as the IDAC, there are inaccuracies with the findings. It added that the app was reviewed by the Data Protection Commissioner earlier this year.
“[The app] can only be used when prescribed by a healthcare professional for the remote monitoring of key medical parameters in Covid-19 patients,” PatientMPower said. “Analytics are used to ensure patients record their oxygen saturation levels as frequently as necessary for optimum patient care. This use of analytics is expressly stated in the privacy policy.”
PatientMPower added that IDAC has subsequently “committed to update the report to address these inaccuracies”.
Speaking about the report, IDAC president Quentin Palfrey said: “Smartphone apps offer promising tools for collecting data about users’ contacts and sharing that information with public health authorities.
“Our analysis shows that many of these tools employ good privacy and security measures, but that some apps did not follow best practices relating to transparency, security and data-sharing with third parties.”