Simply App-alling! Users Pay a High Price to Use Free eHealth Apps!
They count the number of elapsed kilometers, ingested calories and fertile days. They record high blood pressure, depressions and diet deficiencies. They dial 911, provide health tips, assist in the search for physicians and medications, and even remind patients to take their medicine on time. Health apps for Android smartphones promise to support those who are sick as well as those who wish to lead healthier lives. And indeed, already more than 100,000 such apps assist millions of people in their efforts to get more physical exercise, eat a healthier diet, record and interpret their own body and vital signs, and optimize their own behavior accordingly. This provides a vast and promising market for app developers, the sports, medical and equipment industry. Yet also for advertisers, health insurance providers and other companies who make a business with user data.
Highly-sensitive user data recorded by users themselves
Apps of this nature record relevant data on their users via an array of sensors that are built into modern smartphones. But also via a fast-growing number of peripheral devices such as scales, fitness trackers and other measuring devices. And not least, users voluntarily provide the data requested by the apps; always under the assumption that certainly the app providers will treat the requested data confidentially and protect it accordingly. Because unlike others, the apps available in Google's Play Store in the categories of "Health & Fitness", "Medicine" and "Lifestyle" record and use large amounts of personal data, including health data.
The 60 apps evaluated by the data protection experts at the AV-TEST Institute indicate a broad cross-section of the eHealth apps offered free of charge in the Google Play Store. They included Android programs for diagnosing possible diseases, search apps for medical information, pharmacies and physicians, fitness trackers such as apps for monitoring vital signs, e.g. calorie counters, diabetes diaries and fertility planners, sleep monitoring apps and baby diaries.
High legal hurdles and concerns by users
In accordance with the EU's data protection directive, the German Federal Data Protection Act (BDSG), as well as special legal regulations, personal data of this nature generally enjoys special protection. For example, its collection, processing and use requires the consent of those involved. What's more, information concerning data collection, processing and use must be "comprehensive and transparent", and the processing and use of data in foreign countries must be disclosed accordingly. In the case of health data, the legal requirements are even significantly more restrictive.
These legal requirements ought to allay the concerns of persons using such apps: According to a current study of the Allensbach Institute, users are not prepared to share the data of their fitness trackers with companies, i.e. their health insurance provider. Even if the disclosure of this data would lead to a partial reimbursement of health insurance premiums, more than half of all those surveyed would clearly be opposed to this.
Little helpers, free of charge, as data bait
The legal requirements and concerns of users, however, are at odds with the practical handling of user data by many providers of eHealth apps. Instead of offering effective data protection, they lure in users with free apps in order to gain access to their health data. This is revealed in the latest study by the AV-TEST Institute. In random tests, the experts examined both the scope and the quality of the data recorded by the applications. In doing so, they assessed them in relation to the application purpose and weighted the data acquisition accordingly. The data protection experts examined whether and how well app providers fulfill legal requirements concerning their duty to inform when acquiring and using data. Furthermore, the testers checked the data traffic of the apps. In the process, they investigated the tools with which the apps recorded data and the channels of these data flows. https://mlp-ag.de/redaktion/mlp-ag-de/gesundheitsreport-microsite/2016/mlp-gesundheitsreport-2016-pk-praesentation-final.pdf (only available in German)
In the meantime, these unacceptable conditions have apparently aroused the ire of Google as well, as the provider of the world's largest app store has announced drastic measures for app developers: At the beginning of February, Google informed app providers via email if their apps did not conform to the Play Store rules concerning the handling of user data. In this, the US corporation set a deadline of March 15 to remedy any improprieties. Otherwise, app providers may face drastic measures, including being kicked out of the Play Store. According to estimates by the media portal "The Next Web", millions of apps could be affected by this in the future. Already in the year 2014, a GPEN study documented the fact that 85% of the apps had insufficient privacy policies.
Massive critical data access
The testers evaluated the necessity of the access rights demanded by the apps, taking into consideration the app functionality. If the access rights were not necessary for the core functions or a necessity was not apparent, the testers rated such access attempts as "critical". Of 186 access requests generated in the test, the experts rated as many as 77 queries as unnecessary for app deployment, and thus as "critical". One app, for example, in recording female menstruation cycles, wanted to be informed of the whereabouts of its female users. Another offered to disseminate relevant information via social networks.
Unsecured data transmission and ad tracking in plain text
In the current test, the security experts also looked at the data traffic of the eHealth apps. In doing so, it was revealed in the apps that providers are already working heavily with data acquisition tools and tracking instruments from third-party providers from the advertising industry, including Google and Flurry Analytics, Baidu, as well as automatic forwarding to Facebook.
Within the scope of this study, it was also revealed that data of all kinds is exchanged between apps and the servers of the providers, as well as affiliated advertising networks. Information that could be easily intercepted by attackers (man-in-the-middle attack) included sensitive user data such as logging of authentications, i.e.: also user names and corresponding passwords. Along with the reality that many apps disclose users' data without their knowledge to third parties comes the fact that in doing so, no provision is even made for sufficient protection measures, such as encrypted data transmission.
Data protection is a basic right!
Although in Germany and Europe health apps have become increasingly popular in recent years and can be found on the devices of many end users, there continues to be no official quality controls or seals of approval for evaluating the trustworthiness or data protection quality of such apps. The call for more data protection of apps by private players such as Google is encouraging, yet hardly credulous. After all, the company is among those that stand to gain the most from worldwide data trading.
A recent comment from Germany's Federal Minister of the Interior, Thomas de Maizière, in the daily newspaper, "Der Tagespiegel", illuminates the dilemma: "Data protection is not an end in itself. Rather, the objective is to protect people's privacy and general right of personality. In doing so, it is by no means clear what is meant by privacy. Some people consider their privacy breached when someone sends them advertising whereas others are only threatened when someone breaks into their apartment." Contrary to what Minister de Maizière believes, German laws and legal precedents clearly define the areas where citizens' privacy and right of personality are breached and are therefore to be protected. Specifically, not only when it comes to burglary but also concerning unsolicited advertising in their mailbox as well as by email, phone and fax. And as opposed to the views of the Minister of the Interior, data protection is indeed an end in itself, as is clearly stated in Article 8.1 of the EU Charter of Fundamental Rights. It says there that "Everyone has the right to the protection of personal data concerning him or her." And it goes on to say in Section 3: "Compliance with these rules shall be subject to control by an independent authority."
The German government must finally fulfill this statutory duty. The objective is to create the necessary national standards for the protection of German consumers as quickly as possible and at the same time to implement European law. Hoping for voluntary renunciation of user data by means of a "Code of Conduct" through self-commitment by the app providers cannot replace the enforcement of existing law for the protection of consumers.
Up to now, consumers have been on their own
Up until the needed implementation of legal regulations, users of health apps are left on their own to protect their data. As the latest data protection study of eHealth apps from AV-TEST demonstrates, users should take a close look at which app they allow onto their smartphone or tablet. That is why it is crucial, wherever possible, to examine the access rights of the apps in the App Store in order to keep data spies away from one's own devices.