U of T news

Data sharing by popular medical apps is 'routine,' U of T researcher finds


Quinn Grundy is an assistant professor at U of T's Lawrence S. Bloomberg Faculty of Nursing (photo by Susan Merrell)

Mobile health apps for consumers and clinicians pose a risk to patients’ privacy, an international study led by the University of Toronto has found.

Mobile health apps are a booming market targeted at both patients and health professionals. Some apps help patients track and learn more about their prescription medications, while others provide information to clinicians to help them prescribe and administer medications. Both types pose a heightened risk to patients’ privacy, the study found.

“Most health apps fail to provide privacy assurances or transparency around data-sharing practices,” said Quinn Grundy, an assistant professor at U of T's Lawrence S. Bloomberg Faculty of Nursing who led the study. 

“User data collected from apps providing medicines information or support may also be particularly attractive to cybercriminals or commercial data brokers.”

The peer-reviewed study, published recently in the BMJ, identified the 24 top-rated, medicines-related apps for the Android mobile platform in Canada, the United States, the United Kingdom and Australia. The research revealed that 79 per cent of the apps share user data outside the app.

The international and multidisciplinary collaborative research team from the University of Toronto, the University of Sydney and the University of California, Santa Barbara also discovered that sharing of user data is routine, but far from transparent.

Researchers investigated apps that were available to the public on the Android platform, provided information about medicines, and were interactive. Of the 24 apps investigated, most shared personal data including username, medicines searched, medical conditions, device ID and email address. The study found a total of 55 unique entities, owned by 46 parent companies, received or processed this user data, including developers, parent companies (first parties) and service providers (third parties).

The majority (about two-thirds) of these third parties provided services related to analysis of user data, including targeted advertising.

To conduct the study, researchers ran a laboratory-based traffic analysis of each app downloaded onto a smartphone, simulating real-world use with dummy scripts. Privacy leaks were detected using a technique called Differential Traffic Analysis. Researchers ran the app 14 times to establish a baseline of its normal network traffic, then changed one aspect of the user’s profile, such as location, and inferred privacy leaks from any change in the network traffic. Researchers used IP addresses and domain names to identify the companies directly receiving user data.
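
The differential comparison described above can be sketched in a few lines. This is an added example, not the researchers' code: the hosts, field names and values are constructed, and modelling each captured run as a flat `(host, field) -> value` mapping is a simplifying assumption.

```python
# Added illustration; all hosts, fields and values below are constructed.

def stable_fields(baseline_runs):
    """Fields sent with one identical value in every baseline run.

    Each run is a dict {(host, field): value}. Fields that vary between
    baseline runs (session ids, timestamps) are noise and are dropped.
    """
    first, *rest = baseline_runs
    return {k: v for k, v in first.items()
            if all(run.get(k) == v for run in rest)}


def differential_leaks(baseline_runs, test_run):
    """Compare a run with one changed profile attribute to the baseline.

    Returns sorted (host, field, baseline_value, test_value) tuples for
    fields that were stable in the baseline but differ in the test run,
    plus fields that appear only in the test run (baseline_value None).
    """
    stable = stable_fields(baseline_runs)
    ever_seen = set().union(*baseline_runs)
    leaks = []
    for key, value in test_run.items():
        if key in stable and stable[key] != value:
            leaks.append((*key, stable[key], value))
        elif key not in ever_seen:
            leaks.append((*key, None, value))
    return sorted(leaks, key=lambda t: (t[0], t[1]))


def make_run(n, city):
    """Constructed traffic for run n of a hypothetical app."""
    return {
        ("api.app.example", "session"): f"s-{n}",   # changes every run
        ("api.app.example", "city"): city,          # first party
        ("ads.tracker.example", "geo"): city,       # third party
        ("ads.tracker.example", "ts"): 1000 + n,    # changes every run
        ("cdn.app.example", "asset"): "logo.png",   # never changes
    }


BASELINE = [make_run(n, "Toronto") for n in range(14)]  # 14 baseline runs
TEST = make_run(99, "Sydney")                           # only location changed
LEAKS = differential_leaks(BASELINE, TEST)
```

The session id and timestamp differ in the test run too, but they are ignored because they already varied across the baseline; only the two location-bearing fields are reported, one of them going to a third-party host.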

Researchers then searched the websites and the privacy policies of the third parties receiving user data and found that they reported further sharing of anonymized data with additional commercial entities, termed “fourth parties.”

Third parties advertised the ability to share user data with 216 of the fourth parties, including multinational technology companies, digital advertising companies, telecommunications corporations, and a consumer credit reporting agency. Only three of these fourth parties could be characterized predominantly as belonging to the health sector. A small number of commercial entities – such as Facebook and Alphabet (Google’s parent company) – had the ability to potentially aggregate and re-identify user data. 

While it is unclear whether medicines-related apps share user data more or less than other health apps or apps in general, the findings raise privacy concerns for consumers and clinicians alike. Mobile apps are not generally required to have clear privacy policies, and researchers are calling for increased transparency and regulation.

“Privacy regulators should consider that loss of privacy is not a fair cost for the use of digital health services,” Grundy said. “Regulators should emphasize the accountabilities of those who control and process user data, while health app developers should disclose all data-sharing practices and allow users to choose precisely what data are shared and where.”

The research was supported by the Canadian Institutes of Health Research and the Sydney Policy Lab.

Read the research in the BMJ



(graphic by Jazmin Ozsvar)