Contact tracing app vetted by Apple found to share data with Foursquare and Google
North Dakota's Care19 app, one of the first digital coronavirus contact tracing solutions to hit the market in the U.S., shares user information with third-party companies like Foursquare and Google in contradiction of its own privacy policy, according to a study released on Thursday.

A review of Care19 by consumer privacy app company Jumbo Privacy found the app sends location data and other personal information to outside parties, reports Fast Company.
Developed by ProudCrowd, which markets a location-based social networking app for North Dakota State University sports fans, Care19 promises participant anonymity by assigning and tracking random user IDs. The system logs locations where a user spent 10 minutes or more, information that can be correlated with contact tracing data provided on a voluntary basis to the North Dakota Department of Health.
The app's privacy policy notes "location data is private to you and is stored securely on ProudCrowd, LLC servers," and will not be shared with third parties "unless you consent or ProudCrowd is compelled under federal regulations," the report said.
However, Jumbo found user ID numbers, phone IDs and what appears to be location data transmitted to Foursquare. Phone advertising identifiers are sent to servers associated with Google's Firebase service, while the assigned random ID and phone name -- which by default typically includes a user's first name -- are sent to software diagnostics firm Bugfender.
"The Care19 application user interface clearly calls out the usage of Foursquare on our 'Nearby Places' screen, per the terms of our Foursquare agreement," ProudCrowd said in a statement. "However, our privacy policy does not currently explicitly mention this usage. We will be working with our state partners to be more explicit in our privacy policy. It is important to note that our agreement with Foursquare does not allow them to collect Care19 data or use it in any form, beyond simply determining nearby businesses and returning that to us."
In an email to Fast Company, ProudCrowd founder Tim Brookins said Care19's Foursquare integration was a mistake that will soon be rectified. Brookins characterized the error as "fairly benign, as Foursquare doesn't actually collect our sent data."
While Care19 does not rely on the recently released Apple-Google Exposure Notification API, Apple was involved in the vetting of the app, reports The Washington Post. Apple is currently investigating Jumbo's claims and will work with ProudCrowd to bring the app into compliance with its rules.
Ironically, a North Dakota public health authority official was among a handful of experts who last week criticized Apple and Google's cross-platform Exposure Notification system as being too restrictive for general adoption. In an article published by The Post, critics of the Apple-Google solution, including developers of contact tracing apps, said the Exposure Notification API incorporates data sharing restrictions that are detrimental to contact tracing operations.
"Every minute that ticks by, maybe someone else is getting infected, so we want to be able to use everything we can," said Vern Dosch, contact tracing liaison for North Dakota. "I get it. They have a brand to protect. I just wish they would have led with their jaw."
Apple and Google's systems deny access to geolocation data, anonymize user equipment and restrict apps from storing data on a centralized server, among other safeguards. If a PHA's app does not meet Apple-Google standards, it is not granted access to the API and is thus prohibited from processing tasks in the background.
North Dakota initially built its app with hopes of integrating Exposure Notification technology, but the privacy restrictions prompted the team to start over and create two separate apps: one for contact tracing teams and another that integrates the Exposure Notification API.
It is unclear if North Dakota will roll out a new version of the Care19 app with the Exposure Notification API baked in, but the state is one of three to announce support of the Apple-Google initiative. On Thursday, Alabama and South Carolina also signed on as early adopters of the technology, reports AL.com.
"(We've) joined hands with these two global giants in hopes of helping our people learn when and where they may have gotten exposed to this virus," Alabama Gov. Kay Ivey said. "Hopefully, this will become an important tool in the tool kit to slow the spread of coronavirus by using what almost every Alabamian has in their pocket ... a cell phone."
After a brief beta testing period, Apple and Google's Exposure Notification API went live on Wednesday with the release of iOS 13.5. Contact tracing apps that take advantage of the framework should see release in the coming days or weeks.

Comments
My home screen has quite a few website links.
Within a browser you (sadly) have more control of your data than in apps these days...
I don’t even install weather apps anymore.
Come on Apple! You can do better!
Want to bet if Apple started handing out automatic 1 year App Store bans for violators, 99% of these “oops” would disappear?
Wouldn’t it be more worthwhile to ‘examine’ the protocols that Apple/Google have published to see if there is some privacy defect? Assuming a rigidly cynical position for all contact tracing efforts could lead to reduced ability to contain outbreaks which would have real world consequences. I hope security experts do vigorously examine contact tracing efforts and I am sure they will. But unless and until a problem is discovered I would encourage everyone to participate so that fewer people get sick and die. Because it is a global pandemic.
If anybody disagrees, and they are free to do so, then they are welcome to lock themselves up inside of their homes for the next few years if they'd like.
Not just no, but hell no. Not gonna happen.
It’s only disgusting how deep people are sleeping.
But it’s ok, go on chewing blue pills…
"While Care19 does not rely on the recently released Apple-Google Exposure Notification API... "
Why wouldn't the developer want to? Because the Google/Apple system does not collect location info which the developer of ProudCrowd finds valuable for marketing.
So if it's not using the Apple/Google API, which would have prevented this, how is Apple involved? Well, there's the second half of the sentence I quoted making that tenuous connection:
"Apple was involved in the vetting of the app." That's it. The app was approved for the App Store just like millions of others.
The Washington Post is creating FUD to scare away potential users of the Apple/Google tracing API, and I've no idea what their rationale is for employing tactics meant to ensure the effort fails. I really would hope it's not just more partisan politics. It's getting to that season where you can't believe anything you read unless you're willing to spend extra time vetting it. Too many articles are IMO intentionally misleading even if they're technically not lying.
There are limits to what Apple will allow, kudos for that, and when they really want something to be private they can and do, but always keep in mind they're in it for the money. They're not going to unduly affect App Store profits.
I completely disagree with you... NOW is the best time to start contact tracing and using this Exposure Notification API. ANYTHING to help warn people that they might be infected so they can quarantine themselves to mitigate the spread of the virus to others.
That's a ridiculous thing to say... If you can't trust Apple with this API, how can you trust them with ANY information you keep on any of their devices?
1) Protect the people and endanger the economy by staying huddled away in our houses
Who can you trust? No one these days, not even Apple. You just have to resign yourself to the fact that organizations are collecting more and more information about you every day and there’s nothing you can do about it. That doesn’t mean you go berserk. It means you have to understand that nothing about you is private or secure in this world. As for governments passing privacy laws, that’s a rich joke when those governments are the biggest consumers of your data. Everyone’s data gets put somewhere and it eventually leaks.
No, it's not benign. It proves his company doesn't take privacy seriously and doesn't design with privacy in mind. To them, privacy is an afterthought, a marketing bullet point and nothing more. They don't have the engineering skills to design it and build with it as a guiding principle.