Health apps are designed to track and share
BMJ 2021; 373 doi: https://doi.org/10.1136/bmj.n1429 (Published 17 June 2021) Cite this as: BMJ 2021;373:n1429
- Quinn Grundy, assistant professor1,
- Lindsay Jibb, Signy Hildur Eaton chair in paediatric nursing research2,
- Elsie Amoako, chief executive officer and founder3,
- Geoffrey Fang, patient advisor2
- 1Lawrence S. Bloomberg Faculty of Nursing, University of Toronto, Toronto, ON, Canada
- 2Hospital for Sick Children (SickKids), Toronto, ON, Canada
- 3Mommy Monitor, Toronto, ON, Canada
- Correspondence to: Q Grundy
Mobile health apps have generated substantial investment and enthusiasm for their potential to personalise interventions using real time user data. However, user data are not only invaluable for creating engaging and effective apps. Health apps are just one source of user data that is collected, transmitted to third parties, then aggregated to create detailed impressions about users and people such as them. These sources of big data are commercialised, often as consumer insights or algorithms, and used to deliver microtargeted adverts, influence political behaviours, or make decisions about health insurance, employment, and housing,12 sometimes with exploitive or discriminatory effects.3
Even so, users might reasonably assume that apps advertised for health purposes would treat health and personal information with greater care. To question this assumption, Tangari and colleagues (doi:10.1136/bmj.n1248) analysed more than 15 000 free Android apps in the “medical” and “health and fitness” categories of the Google Play store and compared their privacy practices with a random sample of more than 8000 apps from store categories unrelated to health.4 They examined the apps’ code to understand what kind of user data might be shared and with whom, and then used network traffic analysis to determine which data were actually shared. Finally, they assessed users’ awareness of privacy failings as expressed in app store reviews.
The authors found that mobile health apps were designed for tracking and sharing information.4 Developers had programmed most health apps (88%) to enable tracking capabilities. About two thirds of apps could collect advert identifiers or cookies, which can be used to uniquely identify users across different apps and websites, even if not by name. One third could collect a user’s email address, and about a quarter could identify the mobile phone tower to which a user’s device is connected, potentially providing information on the user’s geolocation.
Health apps then shared user data within the wider, commercial mobile ecosystem, which includes developers, their parent companies, cloud storage providers, and a host of services that developers use to monetise, improve, or learn about use of their app.567 In 63% of apps, developers had embedded at least one third party service such as an advert library, analytics service, or social media provider, which most commonly were a small number of tech corporations, including Google, Facebook, and Yahoo!.4
Mobile health apps appeared to be somewhat more reticent about sharing user data with third parties than non-health apps, having fewer interactions with advert and tracking services.4 This could reflect what users expect from health apps: users rated health apps with adverts or tracking more negatively.4 Tangari and colleagues found that only 4% of health apps actually transmitted data; however, they measured data transmission for only 180 seconds while automatically running the app,4 finding a much lower prevalence of data sharing than recent small, in-depth analyses, which fully explored apps’ functions.58
May 2021 marked the third anniversary of the General Data Protection Regulation (GDPR), which has improved transparency around apps’ data collection and sharing practices59 and requires specific measures to ensure active consent to data sharing.10 Privacy regulation such as the GDPR continues to distinguish between sensitive and non-sensitive data, requiring more stringent controls for sensitive or personal data.11 However, a user’s health status can increasingly be inferred—accurately or not—on the basis of diverse data points such as self-reported mood, the name of the health app, postal code, search history, and race or ethnicity, calling into question whether all data, and especially aggregated data, should be treated as sensitive.
The status quo regarding health apps’ privacy practices means that it is difficult and even irresponsible to offer tips to busy clinicians or consumers about how to choose a health app that protects their privacy. Consumers can, however, make it more difficult to be tracked by disabling advert identifiers, adjusting app permissions, and using advert blockers.14 We must also advocate for greater scrutiny, regulation, and accountability on the part of key players behind the scenes—the app stores, digital advertisers, and data brokers—to address whether these data should exist and how they should be used, and to ensure accountability for harms that arise.15
Competing interests: The BMJ has judged that there are no disqualifying financial ties to commercial companies. The authors declare the following other interests: QG and LJ have received research funding from the New Frontiers in Research Fund (government of Canada) through the Hospital for Sick Children for research on data sharing practices of children’s health apps. Mommy Monitor receives funding from the government of Ontario.
Provenance and peer review: Commissioned; not externally peer reviewed.