Coronavirus App Found to Collect Citizens’ Location and Private Data, Violating Its Own Privacy Policy

As governments around the world start to build coronavirus-tracking smartphone technology, who is checking that their apps actually keep their own privacy promises? Apparently no one: a new analysis of one of the first U.S. contact-tracing apps, North and South Dakota’s Care19, finds that it violates its own privacy policy by sending people’s location and other private data to a third-party company.

The analysis was published on Thursday, May 21st, by privacy software maker Jumbo. The review shows that state officials and Apple, both of which were responsible for examining the application before it was released on April 7th, were neglectful. Americans are particularly wary about location and health information, and privacy abuse of any extent will hinder efforts to use smartphones both for contact tracing and for sending exposure notifications.

Using Location-Tracking Companies

The states chose North Dakota app developer ProudCrowd to create Care19 for free, and the company has confirmed that information from its iPhone app is sent to Foursquare, a well-known provider of location data to other companies. ProudCrowd also reportedly said that the Google Android version of Care19 uses Foursquare, but does so in such a way that the data is hidden.

“Should this have been vetted? Yes. We are following up on that as we speak,” said Vern Dosch, the state of North Dakota’s contact-tracing facilitator. “We know that people are very sensitive.”

Health officials in South Dakota did not reply to requests for comment. Apple, meanwhile, stated that it was examining the report and that if it finds an app that doesn’t comply with the policy, it will make it right.

Health authorities are accelerating the development of coronavirus apps, often with very limited technical resources. They depend on commercial tracking entities and some obscure privacy protections, with the Care19 app at the forefront, working to collect location data that citizens share voluntarily.

Falling Short of Promises

Care19 calls itself a ‘digital diary’ that stores people’s location over the last 14 days so that their steps, and the people they’ve been in contact with, can be traced. The app allows users to voluntarily share their location data with the state’s Department of Health, but Care19’s privacy policy says the location info is ‘private to you’ and is ‘stored securely’ on ProudCrowd’s servers, and that the location ‘will not be shared with anyone including government entities or third parties.’

However, this is where Jumbo found the app falling short. Tracing the data coming from the app, it discovered that Care19 sends information to Foursquare, such as citizens’ location, the advertising identifier (a unique code representing a particular smartphone), and the ‘citizen code’ generated by the app.

Care19’s developer, Tim Brookins of ProudCrowd, said that the app uses a Foursquare service called Pilgrim SDK that converts location data, given as latitude and longitude, into the names of places.

“The Care19 application user interface clearly calls out the usage of Foursquare on our ‘Nearby Places’ screen, per the terms of our Foursquare agreement,” Brookins wrote in an email. “We will be working with our state partners to be more explicit in our privacy policy.”

Jumbo CEO Pierre Valade said that Apple and Google have more definite rules for the new category of virus-tracking apps that use access to a smartphone’s Bluetooth signals to notify people that they may have been in contact with people who have COVID-19. The rules for these ‘exposure’ apps clearly state that they are not allowed to collect any location info or the user’s advertising identifier.
