Contact tracing app vetted by Apple found to share data with Foursquare and Google

Posted:
in General Discussion edited May 2020
North Dakota's Care19 app, one of the first digital coronavirus contact tracing solutions to hit market in the U.S., contradicts its own privacy policy to share user information with third party companies like Foursquare and Google, according to a study released on Thursday.

Care19


A review of Care19 by consumer privacy app company Jumbo Privacy found the app sends location data and other personal information to outside parties, reports Fast Company.

Developed by ProudCrowd, which markets a location-based social networking app for North Dakota State University sports fans, Care19 promises participant anonymity by assigning and tracking random user IDs. The system logs locations where a user spent 10 minutes or more, information that can be correlated with contact tracing data provided on a voluntary basis to the North Dakota Department of Health.

The app's privacy policy notes "location data is private to you and is stored securely on ProudCrowd, LLC servers," and will not be shared with third-parties "unless you consent or ProudCrowd is compelled under federal regulations," the report said.

However, Jumbo found user ID numbers, phone IDs and what appears to be location data transmitted to Foursquare. Phone advertising identifiers are sent to servers associated with Google's Firebase service, while the assigned random ID and phone name -- which by default typically includes a user's first name -- is sent to software diagnostics firm Bugfender.

"The Care19 application user interface clearly calls out the usage of Foursquare on our Nearby Places' screen, per the terms of our Foursquare agreement," ProudCrowd said in a statement. "However, our privacy policy does not currently explicitly mention this usage. We will be working with our state partners to be more explicit in our privacy policy. It is important to note that our agreement with Foursquare does not allow them to collect Care19 data or use it in any form, beyond simply determining nearby businesses and returning that to us."

In an email to Fast Company, ProudCrowd founder Tim Brookins said Care19's Foursquare integration was a mistake that will soon be rectified. Brookins characterized the error as "fairly benign, as Foursquare doesn't actually collect our sent data."

While Care19 does not rely on the recently released Apple-Google Exposure Notification API, Apple was involved in the vetting of the app, reports The Washington Post. Apple is currently investigating Jumbo's claims and will work with ProudCrowd to bring the app in compliance with its rules.

Ironically, a North Dakota public health authority official was among a handful of experts who last week criticized Apple and Google's cross-platform Exposure Notification system as being too restrictive for general adoption. In an article published by The Post, critics of the Apple-Google solution, including developers of contact tracing apps, said the Exposure Notification API incorporates data sharing restrictions that are detrimental to contact tracing operations.

"Every minute that ticks by, maybe someone else is getting infected, so we want to be able to use everything we can," said Vern Dosch, contact tracing liaison for North Dakota. "I get it. They have a brand to protect. I just wish they would have led with their jaw."

Apple and Google's systems deny access to geolocation data, anonymize user equipment and restrict apps from storing data on a centralized server, among other safeguards. If a PHA's app does not meet Apple-Google standards, it is not granted access to the API and is thus prohibited from processing tasks in the background.

North Dakota initially built its app with hopes of integrating Exposure Notification technology, but the privacy restrictions prompted the team to start over and create two separate apps: one for contact tracing teams and another that integrates the Exposure Notification API.

It is unclear if North Dakota will roll out a new version of the Care19 app with the Exposure Notification API baked in, but the state is one of three to announce support of the Apple-Google initiative. On Thursday, Alabama and South Carolina also signed on as early adopters of the technology, reports AL.com.

"(We've) joined hands with these two global giants in hopes of helping our people learn when and where they may have gotten exposed to this virus," Alabama Gov. Kay Ivey said. "Hopefully, this will become an important tool in the tool kit to slow the spread of coronavirus by using what almost every Alabamians has in their pocket ... a cell phone."

After a brief beta testing period, Apple and Google's Exposure Notification API went live on Wednesday with the release of iOS 13.5. Contact tracing apps that take advantage of the framework should see release in the coming days or weeks.
«13

Comments

  • Reply 1 of 43
    lkrupplkrupp Posts: 9,639member
    Anyone who downloads and installs these contact tracing apps should have their heads examined. We can’t trust ANY of these bastards, including Apple. This crap happens every time, followed by apologies and promises to fix. Right, we got caught and now we have to do our dog and pony show. On the other hand we are already a surveillance society with cameras everywhere, facial recognition soon to follow all in the name of safety. Talk spreading around about Covid-19 ‘passports’ being issued to those with anti-bodies allowing them to travel freely while the rest of us stay sequestered. 
    anantksundarammacseekerplanetary paulmuthuk_vanalingamPetrolDaveivanhpujones1mike54neillwdmagman1979
  • Reply 2 of 43
    seanismorrisseanismorris Posts: 1,624member
    The less apps you install the better.  I have 3 news apps, 3 games (one of which is freemium), a calc, a VPN, and that’s it.

    My home screen has quite a few website links.

    Within a browser you (sadly) have more control of your data than in apps these days...

    I don’t even install weather apps anymore.

    Come on Apple!  You can do better!

    Want to bet if Apple started handing out automatic 1 year App Store bans for violators, 99% of these “oops” would disappear?
    edited May 2020 PetrolDavepujones1
  • Reply 3 of 43
    sdbryansdbryan Posts: 348member
    lkrupp said:
    Anyone who downloads and installs these contact tracing apps should have their heads examined. We can’t trust ANY of these bastards, including Apple. ...

    Wouldn’t it be more worthwhile to ‘examine’ the protocols that Apple/Google have published to see if there is some privacy defect? Assuming a rigidly cynical position for all contact tracing efforts could lead to reduced ability to contain outbreaks which would have real world consequences. I hope security experts do vigorously examine contract tracing efforts and I am sure they will. But unless and until a problem is discovered I would encourage everyone to participate so that fewer people get sick and die. Because it is a global pandemic.
    rotateleftbytewatto_cobra
  • Reply 4 of 43
    mac_dogmac_dog Posts: 919member
    And so it begins...
    magman1979
  • Reply 5 of 43
    apple ][apple ][ Posts: 9,233member
    Sorry, but I won't be downloading any of these "contact tracing" apps, no matter who is behind them. They are a bit too late also, in my opinion, now that things are beginning to relax and loosen up everywhere. The hysteria has gone far enough.

    If anybody disagrees, and they are free to do so, then they are welcome to  lock themselves up inside of their homes for the next few years if they'd like.
    edited May 2020 macseekerPetrolDavelkruppwatto_cobra
  • Reply 6 of 43
    The moment I learned of the API I made sure it was disabled on my devices. I refuse to install any of these contact tracing apps.

    Not just no, but hell no.  Not gonna happen.
    PetrolDavepujones1watto_cobra
  • Reply 7 of 43
    fastasleepfastasleep Posts: 5,847member
    The less apps you install the better.  I have 3 news apps, 3 games (one of which is freemium), a calc, a VPN, and that’s it.

    My home screen has quite a few website links.
    Yeah, I think I'd rather actually use my iPhone to its full capacity. 
    StrangeDaysjdb8167watto_cobra
  • Reply 8 of 43
    cmauscmaus Posts: 49member
    Tin foils, blah, blah…
    It’s only disgusting how deep people are sleeping.
    But it’s ok, go on chewing blue pills…
    jdb8167watto_cobra
  • Reply 9 of 43
    gatorguygatorguy Posts: 23,304member
    sdbryan said:
    lkrupp said:
    Anyone who downloads and installs these contact tracing apps should have their heads examined. We can’t trust ANY of these bastards, including Apple. ...

    Wouldn’t it be more worthwhile to ‘examine’ the protocols that Apple/Google have published to see if there is some privacy defect? Assuming a rigidly cynical position for all contact tracing efforts could lead to reduced ability to contain outbreaks which would have real world consequences. I hope security experts do vigorously examine contract tracing efforts and I am sure they will. But unless and until a problem is discovered I would encourage everyone to participate so that fewer people get sick and die. Because it is a global pandemic.
    This had zippo to with Apple/Google's COVID tracing API. The article leaves readers with the impression it does but did dedicate a single sentence to it:
    "While Care19 does not rely on the recently released Apple-Google Exposure Notification API... "
    Why wouldn't the developer want to? Because the Google/Apple system does not collect location info which the developer of ProwdCrowd finds valuable for marketing.

    So if it's not using the Apple/Google API, which would have prevented this, how is Apple involved? Well, there's the second half of the sentence I quoted making that tenuous connection: 
    "Apple was involved in the vetting of the app."  That's it. The app was approved for the App Store just like millions of others.

    The Washington Post is creating FUD to scare away potential users of the Apple/Google tracing API, and I've no idea what their rationale is for employing tactics meant to ensure the effort fails. I really would hope it's not just more partisan politics. It's getting to that season where you can't believe anything you read unless you're willing to spend extra time vetting it. Too many articles are IMO intentionally misleading even if they're technically not lying. 

    fastasleeppujones1GG1muthuk_vanalingambeowulfschmidt
  • Reply 10 of 43
    larryjwlarryjw Posts: 863member
    I keep wondering why Apple is unable to enforce privacy restrictions on apps. I take it as a given that automatic enforcement is hard. 

    But, as we’ve seen forever, relying on the honesty and integrity of developers is a mistake. 

    Also clear, that a fine-grained granularity of permissions one may grant or withhold is non-existent. 

    And like this company they claim they are protectIng your privacy by selling to a third party who is merely contractually required to protect privacy and not use the data received for nefarious purposes. Nod, Nod. Wink. Wink. 

    Is it even theoretically possible to architect a privacy system that allows users to control what information is shared and what is not? 

    My guess is the difficulties are at least tied to proving program correctness. I only know two languages that have support for protecting against illegal input. One is Mathematica. The second is the Scheme implementation Racket. 
    edited May 2020 watto_cobra
  • Reply 11 of 43
    gatorguygatorguy Posts: 23,304member
    larryjw said:
    I keep wondering why Apple is unable to enforce privacy restrictions on apps. I take it as a given that automatic enforcement is hard. 

    But, as we’ve seen forever, relying on the honesty and integrity of developers is a mistake. 

    Also clear, that a fine-grained granularity of permissions one may grant or withhold is non-existent. 

    And like this company they claim they are protectIng your privacy by selling to a third party who is merely contractually required to protect privacy and not use the data received for nefarious purposes. Nod, Nod. Wink. Wink. 

    Is it even theoretically possible to architect a privacy system that allows users to control what information is shared and what is not? 
    IMO Not if 3rd parties are allowed to be involved and they will be. Apps and services are immensely profitable for Apple.  So "Yeah but it's Apple" does not mean companies are not taking advantage of who you are and where you go and what you do when using your iDevice as long as Apple can also profit.

    There are limits to what Apple will allow, kudos for that, and when they really want something to be private they can and do, but always keep in mind they're in it for the money. They're not going to unduly affect App Store profits.
    edited May 2020
  • Reply 12 of 43
    mjtomlinmjtomlin Posts: 2,490member
    apple ][ said:
    Sorry, but I won't be downloading any of these "contact tracing" apps, no matter who is behind them. They are a bit too late also, in my opinion, now that things are beginning to relax and loosen up everywhere. The hysteria has gone far enough.

    If anybody disagrees, and they are free to do so, then they are welcome to  lock themselves up inside of their homes for the next few years if they'd like.

    I completely disagree with you... NOW is the best time to start contact tracing and using this Exposure Notification API. ANYTHING to help warn people that they might be infected so they can quarantine themselves to mitigate the spread of the virus to others.
    GeorgeBMacmagman1979command_ffastasleep
  • Reply 13 of 43
    mjtomlinmjtomlin Posts: 2,490member

    lkrupp said:
    Anyone who downloads and installs these contact tracing apps should have their heads examined. We can’t trust ANY of these bastards, including Apple. This crap happens every time, followed by apologies and promises to fix. Right, we got caught and now we have to do our dog and pony show. On the other hand we are already a surveillance society with cameras everywhere, facial recognition soon to follow all in the name of safety. Talk spreading around about Covid-19 ‘passports’ being issued to those with anti-bodies allowing them to travel freely while the rest of us stay sequestered. 

    That's a ridiculous thing to say... If you can't trust Apple with this API, how can you trust them with ANY information you keep on any of their devices?
    command_ffastasleepjdb8167watto_cobra
  • Reply 14 of 43
    mike54mike54 Posts: 480member
    lkrupp said:
    Anyone who downloads and installs these contact tracing apps should have their heads examined. We can’t trust ANY of these bastards, including Apple. This crap happens every time, followed by apologies and promises to fix. Right, we got caught and now we have to do our dog and pony show. On the other hand we are already a surveillance society with cameras everywhere, facial recognition soon to follow all in the name of safety. Talk spreading around about Covid-19 ‘passports’ being issued to those with anti-bodies allowing them to travel freely while the rest of us stay sequestered. 
    100% agree...  "head examined" - you're not wrong there.
    magman1979
  • Reply 15 of 43
    lkrupplkrupp Posts: 9,639member
    sdbryan said:
    lkrupp said:
    Anyone who downloads and installs these contact tracing apps should have their heads examined. We can’t trust ANY of these bastards, including Apple. ...

    Wouldn’t it be more worthwhile to ‘examine’ the protocols that Apple/Google have published to see if there is some privacy defect? Assuming a rigidly cynical position for all contact tracing efforts could lead to reduced ability to contain outbreaks which would have real world consequences. I hope security experts do vigorously examine contract tracing efforts and I am sure they will. But unless and until a problem is discovered I would encourage everyone to participate so that fewer people get sick and die. Because it is a global pandemic.
    You might have a point IF this were a rare thing. But every time an app like this comes out (for whatever purpose) a security researcher soon discovers it’s phoning home with all sorts of collected data. In the case of this app it was discovered that it was not only collecting data but sending it to third parties, in this case Foursquare and Google.


    GeorgeBMac
  • Reply 16 of 43
    GeorgeBMacGeorgeBMac Posts: 10,731member
    Essentially, this is failure of our own government who failed at providing adequate and effective testing as well as any contact tracing much less effective tracing.
    S. Korea did both early on and protected both its citizens as well as its economy.   And, like China, it is moving on.

    But, because our government failed, we are left with these crappy, piecemeal, mostly ineffective private tracing apps.

    So, the failures leave us choosing between two bad options:
    1)  Protect the people and endanger the economy by staying huddled away in our houses
    2)  Protect the economy and endangering the people by pretending the virus just went away somewhere and start reopening as if everything were normal.

    Our country lacks leadership in its crisis.
    muthuk_vanalingam
  • Reply 17 of 43
    lkrupplkrupp Posts: 9,639member

    mjtomlin said:

    lkrupp said:
    Anyone who downloads and installs these contact tracing apps should have their heads examined. We can’t trust ANY of these bastards, including Apple. This crap happens every time, followed by apologies and promises to fix. Right, we got caught and now we have to do our dog and pony show. On the other hand we are already a surveillance society with cameras everywhere, facial recognition soon to follow all in the name of safety. Talk spreading around about Covid-19 ‘passports’ being issued to those with anti-bodies allowing them to travel freely while the rest of us stay sequestered. 

    That's a ridiculous thing to say... If you can't trust Apple with this API, how can you trust them with ANY information you keep on any of their devices?
    Who can you trust? No one these days, not even Apple. You just have to resign yourself to the fact that organizations are collecting more and more information about you every day and there’s nothing you can do about it. That doesn’t mean you go berserk. It means you have to understand that nothing about you is private or secure in this world. As for governments passing privacy laws, that’s a rich joke when those governments are the biggest consumers of your data. Everyone’s data gets put somewhere and it eventually leaks.  
  • Reply 18 of 43
    GeorgeBMacGeorgeBMac Posts: 10,731member
    apple ][ said:
    Sorry, but I won't be downloading any of these "contact tracing" apps, no matter who is behind them. They are a bit too late also, in my opinion, now that things are beginning to relax and loosen up everywhere. The hysteria has gone far enough.

    If anybody disagrees, and they are free to do so, then they are welcome to  lock themselves up inside of their homes for the next few years if they'd like.

    Unfortunately, the lack of leadership in the U.S. left us with only those two bad options:  either stay at home or risk your life (or somebody else's) by opening things up.

    S. Korea instead instituted effective testing and tracing programs and not only got its Typhoid Mary's off of their streets but is able to keep them off -- thus reducing the liklihood of a second wave.

    And no, it is not too late for the U.S. to do the same.   As a matter of fact, it is more important now than ever that we have the number of infections coming down.   But, all it takes is a single Typhoid Mary in your community to start a second wave -- and we have thousands, maybe tens of thousands of them wondering our streets.   Testing and tracing is the only way, long term, to protect the people and the economy of this nation.   Unfortunately, our leadership is focused on propping up the stock market and blaming others for its failures and has officially shifted to a "let 'em die" policy.
    magman1979lkruppsdbryan
  • Reply 19 of 43
    blktubeblktube Posts: 2member
    apple ][ said:
    Sorry, but I won't be downloading any of these "contact tracing" apps, no matter who is behind them. They are a bit too late also, in my opinion, now that things are beginning to relax and loosen up everywhere. The hysteria has gone far enough.

    If anybody disagrees, and they are free to do so, then they are welcome to  lock themselves up inside of their homes for the next few years if they'd like.

    Unfortunately, the lack of leadership in the U.S. left us with only those two bad options:  either stay at home or risk your life (or somebody else's) by opening things up.

    S. Korea instead instituted effective testing and tracing programs and not only got its Typhoid Mary's off of their streets but is able to keep them off -- thus reducing the liklihood of a second wave.

    And no, it is not too late for the U.S. to do the same.   As a matter of fact, it is more important now than ever that we have the number of infections coming down.   But, all it takes is a single Typhoid Mary in your community to start a second wave -- and we have thousands, maybe tens of thousands of them wondering our streets.   Testing and tracing is the only way, long term, to protect the people and the economy of this nation.   Unfortunately, our leadership is focused on propping up the stock market and blaming others for its failures and has officially shifted to a "let 'em die" policy.

  • Reply 20 of 43
    blktubeblktube Posts: 2member
    Maybe if people practiced better hygiene this could have been avoided also. Almost 100% of people get this by toughing a surface with the virus and then touching their eyes, putting a finger in their nose or mouth. This isn't an airborne virus. You can get it from an infected person that sneezes on you if you are close to them but that is a very small percentage of the cases. Would be nice if people stopped blaming someone else and take personal responsibility for what happens to them. It's not rocket science.

    WASH YOUR HANDS FREQUENTLY & DON'T STICK YOUR FINGERS IN YOUR EYES, NOSE OR MOUTH! But that's probably too much to ask for people nowdays. They are lazy and want everything done for them. LOL
    watto_cobra
Sign In or Register to comment.