A contact-tracing app for North Dakota and South Dakota meant to help detect whether people have been exposed to the coronavirus shares personal information with third parties, according to a new report.
Jumbo, a privacy research firm, published its analysis of the app—called Care19—on Thursday and found that despite the app’s privacy policy promising location data is private unless you consent to it, the app shared data with Foursquare and a service that helps find software malfunctions.
Care19, which was launched in early April, comes as other public health authorities begin rolling out contact tracing apps. Apple and Google teamed up to release API for apps that agencies could then use. Care19 does not use that API and was developed by a called ProudCrowd.
Specifically, Care19 gave people who downloaded the app a random ID number that the app would help “anonymously cache the individual’s locations throughout the day,” North Dakota said when it launched.
However, Jumbo found that the location data and a phone’s advertising identifier were sent to Foursquare. The anonymous code assigned to the phone and the phone’s name were sent to Bugfender, a company that helps developers detect issues.
Jumbo said sending the anonymous codes and the advertising IDs posed “serious privacy risks” because the identifier is shared among all of the apps on your phone.
“We hope that these findings will help the health agencies that are currently working on similar apps to make sure privacy is respected,” wrote Pierre Valade, the CEO of Jumbo Privacy, in a blog post sharing the findings.
Foursquare told the Independent that the company did not “use the data in anyway, and it was promptly discarded.” Similarly, Bugfender said, “the sole purpose of this ID is to show the correct diagnostic data to the programmers of the app and does not contain any information related to the user or the device.”
Meanwhile, Vern Dosch, North Dakota’s contact tracing facilitator, told the Washington Post that the app should have been vetted.
“Should this have been vetted? Yes. We are following up on that as we speak,” Dosch told the newspaper. “We know that people are very sensitive.”
Last month, a poll found that Americans were wary of using contact-tracing apps and cited privacy as one of their concerns.
Meanwhile, Congress has unveiled two bills—which vary from each other in key areas—that aim to put laws around how data privacy is handled amid the coronavirus pandemic.
READ MORE:
- Scammers are pretending to be contact tracers, FTC warns
- FBI needs a warrant to look at your phone’s lock screen, judge rules
- Democrats unveil coronavirus data privacy bill that is a direct rebuke of Republicans
- Facebook, Uber’s acquisition plans spark scrutiny from Congress