Mobile health and fitness apps: What are the privacy risks?

by Editor, Privacy Rights Clearinghouse

Many individuals use mobile apps to monitor their health, learn about specific medical conditions, and help them achieve personal fitness goals.  Apps in the “wellness” space include those that support diet and exercise programs; pregnancy trackers; behavioral and mental health coaches; symptom checkers that can link users to local health services; sleep and relaxation aids; and personal disease or chronic condition managers.

After studying 43 popular health and fitness apps (both free and paid) from both a consumer and technical perspective, it is clear that there are considerable privacy risks for users – and that the privacy policies for those apps that have policies do not describe those risks. However, these apps appeal to a wide range of consumers because they can be beneficial, convenient, and are often free to use.

Consumers should not assume any of their data is private in the mobile app environment—even health data that they consider sensitive.  Users must weigh the benefits of the service with the realistic possibility that they are revealing information about their health not only to the app developer or publisher but also to third parties.

Of the free apps we reviewed, just under half (43%) provided a link to a website privacy policy. Of the sites that posted a privacy policy, only about half were accurate in describing the app’s technical processes.

We performed a technical risk assessment to determine what data the apps collected, stored, and transmitted over the network. In other words, we “looked under the hood” to view the actual flow of personal information back to the app developer and to third parties.

Our findings:

  • Many apps send data in the clear – unencrypted — without user knowledge.
  • Many apps connect to several third-party sites without user knowledge.
  • Unencrypted connections potentially expose sensitive and embarrassing data to everyone on a network.
  • Nearly three-fourths, or 72%, of the apps we assessed presented medium (32%) to high (40%) risk regarding personal privacy.
  • The apps which presented the lowest privacy risk to users were paid apps.  This is primarily due to the fact that they don’t rely solely on advertising to make money, which means the data is less likely to be available to other parties.

Tips for consumers:

  • Research the app before you download it.
  • Consider using paid apps over free apps if they offer better privacy protections.
  • Make your own assessment of the app’s intrusiveness based on the personal information it asks for in order to use the app.
  • Assume any information you provide to an app may be distributed to the developer, third-party sites the developer uses for functionality, and unidentified third-party marketers and advertisers.
  • Try to limit the personal information you provide, and exercise caution when you share it.  If the app allows it, try the features first without entering personal information.
  • Ask a tech savvy friend to help you determine what information an app is asking for, help you navigate settings, and potentially help you restrict the information an app gathers.
  • If you stop using an app, delete it.  If you have the option, also delete your personal profile and any data archive you’ve created while using the app.

We encourage mobile app developers to create products with privacy in mind and implement responsible information privacy and security practices.  Most consumers lack the tools and knowledge to analyze data flows and security, so they have no way of knowing what is happening behind the scenes.  Even if privacy and security practices are accurately detailed in a privacy policy, the average user has no way to decipher them.

Also see: CFC supported AB 658 closes a loophole on medical app privacy