Weak Covid-19 App Privacy Found, Risk Software in Works

9 June 2020. An analysis of mobile apps tracking Covid-19 cases and symptoms finds most lack basic privacy protections, despite collecting personal identifying information. A new National Science Foundation-funded project, however, is designing open-source software for assessing risks of identifying individuals who provide data for tracking Covid-19 and other disease outbreaks.

Since the global Covid-19 pandemic emerged earlier this year, a number of mobile apps also emerged to gather data on people’s health status and symptoms, making it easier for individuals and health authorities to monitor the spread of the disease through their communities or regions. Information sciences professor Masooda Bashir at University of Illinois in Champaign and doctoral candidate Tanusree Sharma reviewed 50 of these apps available to the public and reported their findings in the 26 May issue of the journal Nature Medicine.

Bashir and Sharma downloaded and analyzed the 50 apps for Android devices from the Google Play store. They found the apps in general gather personal identity and location information, as well as offer convenient tools for reporting symptoms, and isolation or quarantine status. More advanced systems connect to third-party medical devices collecting data such as heart rate or body temperature, while others are designed to also trace contacts. From these apps, users can receive pandemic statistics for their region, personal medical advice, or educational material on the Covid-19 pandemic.

In addition to data provided by users, 30 of the 50 apps also ask permission from users for data from other apps, such as contacts and call information, access the phone’s hardware including camera or microphone, or change settings on the phone. Still other apps collect highly personal identity or contact information including age, email address, phone number, and postal code.

Yet Bashir and Sharma also found only 16 of the 50 apps, about one in three, explicitly state that collected data will be kept anonymous, secure, transmitted in encrypted form, and reported only as aggregate statistics. Moreover, 20 of the apps are issued by government agencies, and while none are from the U.S. government, some are also offered by health care providers in the U.S. The authors note the European Data Protection Board urges app designers to take steps to protect personal information, but no comparable steps are being taken in the U.S. by the Federal Communications Commission, the responsible regulatory agency.

Evaluating privacy risks to individuals

To help resolve this problem, a computer science/medical informatics team from University of Texas in Dallas and Vanderbilt University in Nashville is developing computer models to assess privacy risks in software used by epidemiologists for tracking the pandemic. The one-year project is led by UT-Dallas computer scientist Murat Kantarcioglu, with Vanderbilt biomedical informatics professor Bradley Malin, funded by a nearly $100,000 award from NSF.

Kantarcioglu and Malin are designing models for evaluating risks to individuals’ privacy in software that requires individuals to disclose geographic and demographic data, as well as clinical information such as drugs prescribed, resulting from the Covid-19 pandemic. The models would estimate privacy risks to individuals in software, such as the ability to reveal a person’s identity, even in de-identified aggregate statistics.

“We would like to give researchers as much data as possible for this kind of analysis,” says Kantarcioglu in a UT-Dallas statement. “But we want to make sure that the risk of a person being identified is low.”

One result of this assessment would be to warn epidemiologists not to share the data, or only under strict controls. The team plans to incorporate these risk-assessment models into open-source utilities that software developers can run to check for potential privacy issues.

The National Science Foundation awarded the funds under its Rapid Response Research program, which provides up to $200,000 for projects of up to one year to support technologies for fighting the Covid-19 pandemic.
