Federal Trade Commission – Watch out to Health and Fitness Apps

The Federal Trade Commission debated on the privacy ramifications of consumer generated and controlled health data, following data on mobile apps.

The Federal Trade Commission has recently released the disconcerting results of a study conducted on 12 mobile health and fitness apps, focusing the analysis on the way they manage users’ personal information.

Let me anticipate that he mobile apps use to share users’ personal data with 76 different third parties, if we consider that these applications are widely diffused we can imagine the effect on privacy and security.

Jah-Juin Ho, an attorney in the Federal Trade Commission ’s Mobile Technology Unit presented the results of the research on the privacy of consumer-generated health data  this week during a presentation at the  Federal Trade Commission led panel in Washington, D.C., he avoided naming any of the apps the FTC looked at.

Ho explained that third parties receive from the application several phone information screen size, device model, language setting) and a series of metrics and characteristics about their bodies.

“Who are these third parties and what kind of information are they receiving about our bodies?” this is the question made by the attorney.

Practically all the audited apps share the handset information with third parties, 18 of 76 entities collect information as Unique Device Identifier (UDID) for Apple devices, the device MAC address and International Mobile Station Equipment Identity (IMEI).

But private entities are mainly interested in users’ habits, third party companies collect consumer information (e.g Sleeping patterns, cadence of how they walk or run, users’ running routes, eating habits). In many cases, they are able to track users in the usage of different application from user identifier, making the analysis very effective for advertising activities.

22 of the 76 third parties received information about users’ exercise information, customers diet, symptoms, gender, geo-location data) and much more, Ho highlighted that 12 apps were found sending data to a single ad company and some of them were found transferring data without anonymizing the users’ data.

“It wasn’t uncommon for third parties to identify users by their first name, last initial and then a stream of identifiers,” said Ho.

The study, presented at the panel arranged by The Federal Trade Commission, shows mobile users don’t properly manage permissions for the apps they run, causing an unpredictable exposure of their data to third parties.

“We were as permissive as possible, meaning that if an app asked us for permission to access a certain feature or to sync with another app, we always accepted and opted in,” Ho said commenting the results of the research.

As explained later in the seminar by Joseph Lorenzo Hall, the Chief Technologist for the Center for Democracy & Technology, these apps represent a serious risk for user’s physical safety and privacy.

“If you’re talking about running routes and things like that, you may be able to predict where someone is alone and when they’re not at home and that can be extremely sensitive given your own personal context,” Hall said.

Be conscious of your media exposure when you choose your apps and carefully evaluate the permissions you are granting them!

Pierluigi Paganini

(Security Affairs –  The Federal Trade Commission, mobile apps)