Researchers found North Dakota’s contact-tracing app covertly sending location and advertising data to third parties

  • North Dakota debuted a contact-tracing app in April which uses geolocation to track the spread of COVID-19.
  • Analysis by privacy research firm Jumbo has found the app shares location data with Foursquare, despite saying in its privacy policy that it won’t share data with any third parties.
  • The app’s maker admitted to sending data from iPhones to Foursquare, but said it wasn’t being used for commercial purposes.
  • It said it will revise the privacy policy and reduce the amount of data being sent to third parties.

One of the first US states to roll out a contact-tracing app has been caught sending user data to third parties without permission.

North Dakota launched its app “Care-19” in early April to try and curb the spread of the coronavirus inside the state. “Once the app is downloaded, individuals will be given a random ID number and the app will anonymously cache the individual’s locations throughout the day,” the state said in a statement when the app launched.

An analysis of the app by privacy research firm Jumbo has found that although the app says in its privacy policy that users’ location data will be kept private, it sends data to third parties including Google and data intelligence company Foursquare.

Specifically, Jumbo found the phone’s anonymous code was being transmitted to Foursquare, a company that specializes in passing location data on to advertisers.

Significantly, Jumbo found the app was sending location data to Foursquare, along with something called an Advertising Identifier (commonly referred to as an IDFA). IDFAs are numbers assigned to phones that help advertisers target them. This IDFA number was also being passed along to Google.

“Sharing what is supposed to be an anonymous code along with an Advertising Identifier has serious privacy risks,” privacy research firm Jumbo wrote in its analysis. “An IDFA is an identifier that is shared across all apps on your phone, and often leaked by third-party SDKs [software development kits], along with personal information. For example, the Facebook SDK, included in many popular apps, sends the IDFA back to Facebook’s servers, and Facebook maintains a database linking your IDFA and your Facebook personal information, for retargeting purposes.”

In a statement to Business Insider, Foursquare said the Care-19 app uses the free version of its own SDK, meaning the data is “promptly discarded.”

“For free users of our SDK, Foursquare does not use, repackage or resell the data. Essentially, any data we might receive is immediately discarded,” a spokeswoman said, pointing to the company’s license agreement.

Additionally, Care-19 was found sharing the anonymous phone codes with a company called Bugfender. In a blog post responding to The Fast Company’s coverage of Jumbo’s report, Bugfender said:

“Bugfender creates a random identifier that is sent to our servers to differentiate one device from another. The sole purpose of this ID is to show the correct diagnostic data to the programmers of the app and does not contain any information related to the user or the device.”

ProudCrowd also said it would be re-jigging the app’s privacy policy and will reduce the amount of data it shares in the future.

North Dakota’s contact-tracing facilitator Vern Dosch told The Post the state would be taking action. “Should this have been vetted? Yes. We are following up on that as we speak. We know that people are very sensitive,” he said.

Apple also told The Post it is now investigating the app following the report.

A major issue for all contact-tracing apps will be getting people to use them. For such apps to be effective they need high uptake rates: if not enough people download them, they’re useless for fighting the pandemic. An incident like the one in North Dakota makes these efforts even harder.

Public mistrust of how users’ data might be misused is already a hurdle local health authorities have to overcome in convincing people to download their apps, and in some cases seemingly hurried app releases have resulted in a privacy backlash. In Australia, authorities were fast to release the country’s app, but it was subsequently found to contain serious security flaws.

Samuel Woodhams, a privacy researcher who maintains a live index called the COVID-19 Digital Rights Tracker about various efforts around the world to surveil the spread of the coronavirus, said Jumbo’s findings were unsurprising.

“Of the 47 apps that I’ve recorded, over half contain third-party trackers, with 17 apps containing Google’s advertising and tracking platforms,” Woodhams told Business Insider. “The speed in which these apps have been developed and deployed around the world has resulted in lots of shoddy apps that contain unnecessary permissions and redundant functionalities. However, the presence of third-party trackers clearly raises concerns that companies may be looking to profit from the public health crises.”

North Dakota recently announced it would be launching a second app to sit alongside Care-19 using the specialized contact-tracing framework rolled out by Google and Apple this week. While it is possible that this second app could be more secure than the first, it risks splitting the userbase and rendering both apps much less effective.

Now it will also have to contend with the first app’s bad press.
