Do COVID-19 apps protect your privacy?

June 08, 2020

CHAMPAIGN, Ill. -- Mobile apps are helping track the spread of COVID-19 to contain the outbreak, but the apps also raise concerns about personal privacy.

Information sciences professor Masooda Bashir and doctoral student Tanusree Sharma at the University of Illinois at Urbana-Champaign analyzed 50 COVID-19-related apps available in the Google Play store for their access to users' personal data and their privacy protections. Bashir and Sharma found that most of the apps required access to users' personal data, but only a handful indicated the data would be anonymous, encrypted and secured.

They report their findings in the journal Nature Medicine.

"What is disconcerting is that these apps are continuously collecting and processing highly sensitive and personally identifiable information, such as health information, location and direct identifiers (e.g., name, age, email address and voter/national identification)," they wrote in the journal article. "Governments' use of such tracking technology - and the possibilities for how they might use it after the pandemic - is chilling to many. Notably, surveillance mapping through apps will allow governments to identify people's travel paths and their entire social networks."

The functionalities of the COVID-related apps developed around the world include live maps and updates of confirmed cases, real-time location-based alerts, systems for monitoring home isolation and quarantine, direct reporting of symptoms to the government, and education about COVID-19. Some also offer monitoring of vital signs, virtual medical consultations and community-driven contact tracing.

Of the 50 apps the researchers evaluated, 30 require users' permission to access data from their mobile devices such as contacts, photos, media, files, location data, the camera, the device's ID, call information, Wi-Fi connection, microphone, network access, the Google service configuration and the ability to change network connectivity and audio settings. Some of the apps state they will collect users' age, email address, phone number and postal code; the device's location, unique identifiers, mobile IP address and operating system; and the types of browsers used on the device.

Only 16 of the apps indicated such data will be anonymous, encrypted, secured and reported only in aggregate form.

Of the apps sampled, 20 were issued by governments, health ministries and other such official sources. It is not clear if the data collected by the apps is protected by laws such as the Health Insurance Portability and Accountability Act, and the U.S. doesn't have a structured privacy framework in place as Europe does, the researchers wrote.

They acknowledged that mass surveillance measures may be necessary to contain the spread of the virus.

"Health care providers must absolutely use whatever means are available to save lives and confine the spread of the virus," they wrote. "But it is up to the rest, especially those in the field of information privacy and security, to ask the questions needed to protect the right to privacy."
Bashir will participate in a webinar, "Ask the experts: COVID-19 exposure notification, privacy, and security," with other Illinois security experts at 4 p.m. Tuesday, June 9. They will talk about data privacy and security concerns surrounding the technology pertinent to COVID-19 exposure notification and tracing.

Bashir is the director of Social Sciences in Engineering Research in the Grainger College of Engineering and is affiliated with Illinois Informatics and the Information Trust Institute of the Coordinated Science Laboratory. Sharma is affiliated with Illinois Informatics.

Editor's notes: To contact Masooda Bashir, email mnb@illinois.edu. To contact Tanusree Sharma, email tsharma6@illinois.edu.

The paper "Use of apps in the COVID-19 response and the loss of privacy protection" is available online and from the U. of I. News Bureau.

DOI: https://doi.org/10.1038/s41591-020-0928-y

University of Illinois at Urbana-Champaign, News Bureau
