Customize your JAMA Network experience by selecting one or more topics from the list below.
Huckvale K, Torous J, Larsen ME. Assessment of the Data Sharing and Privacy Practices of Smartphone Apps for Depression and Smoking Cessation. JAMA Netw Open. 2019;2(4):e192542. doi:10.1001/jamanetworkopen.2019.2542
Do the privacy policies of popular smartphone applications (apps) for depression and smoking cessation describe accurately whether data will be processed by commercial third parties?
Health care professionals prescribing apps should not rely on disclosures about data sharing in health app privacy policies but should reasonably assume that data will be shared with commercial entities whose own privacy practices have been questioned and, if possible, should consider only apps with data transmission behaviors that have been subject to direct scrutiny.
Inadequate privacy disclosures have repeatedly been identified by cross-sectional surveys of health applications (apps), including apps for mental health and behavior change. However, few studies have assessed directly the correspondence between privacy disclosures and how apps handle personal data. Understanding the scope of this discrepancy is particularly important in mental health, given enhanced privacy concerns relating to stigma and negative impacts of inadvertent disclosure. Because most health apps fall outside government regulation, up-to-date technical scrutiny is essential for informed decision making by consumers and health care professionals wishing to prescribe health apps.
Design and Setting
Main Outcomes and Measures
Correspondence between policies and transmission behavior observed by intercepting sent data.
Conclusions and Relevance
Data sharing with third parties that includes linkable identifiers is prevalent and focused on services provided by Google and Facebook. Despite this, most apps offer users no way to anticipate that data will be shared in this way. As a result, users are denied an informed choice about whether such sharing is acceptable to them. Privacy assessments that rely solely on disclosures made in policies, or are not regularly updated, are unlikely to uncover these evolving issues. This may limit their ability to offer effective guidance to consumers and health care professionals.
While the potential of smartphone applications (apps) to improve access to health care resources,1 real-time monitoring,2 and even interventions is well established,3 concerns about data privacy remain.4,5 The 2015 closure of the UK National Health Service’s Apps Library following discovery that endorsed health apps did not adequately disclose use of, or protect content of, personal data6 underscores the primacy of privacy for health care apps. The more recent 2018 US congressional investigation into Facebook allowing Cambridge Analytica access to personal data from more than 50 million Facebook profiles after some users completed an online personality quiz has brought further attention to digital health care privacy.7 The introduction of the European Union’s General Data Protection Regulation in 2018 is stimulating renewed interest in the scope of privacy and data protection,8,9 both for online services and health care organizations that operate internationally.
This tension between personal privacy and data capture by health care apps is largely driven by the business models of these apps. Because many national health payers and insurance companies do not yet cover apps (given their often nascent evidence base), selling either subscriptions or users’ personal data is often the only path toward sustainability.10 A recent review of apps for dementia care found that only 4% offered written assurances that user data would not be sold.11 These numbers were only slightly better for diabetes apps, with 22% promising not to sell user data.12 Many health care apps label themselves as wellness tools in their privacy policies or terms and conditions in an attempt to circumvent legislation that mandates privacy protections for user data, such as the Health Insurance Portability and Accountability Act.13
Responding to the need to ensure health care apps adequately protect users’ privacy and to close loopholes that have created the current culture of nontransparent and insecure apps, organizations around the world are now promoting health care app privacy and security. The US Food and Drug Administration,14,15 UK National Health Service,16 Australian Government,17 and World Health Organization18 have each identified and begun working on efforts to make digital health tools like smartphone apps more private and secure. Clinician-led efforts by the American Medical Association19 and American Psychiatric Association20 to create specific guidelines for health care smartphone apps each place privacy as a central and critical feature that must be evaluated.
However, the evaluation of the privacy (and security) of health care apps remains a challenge. Inspection of app privacy policies has proven valuable in highlighting potential risks, such as whether users are offered routes to edit, amend, and delete personal data,6,11,21 including within apps that target depression.22 However, technical assessment that includes the interception of traffic generated by apps holds the potential to uncover issues not apparent on examination of policy text alone.6
In this study, we aimed to provide a contemporary assessment of the privacy practices of popular mental health apps and, specifically, the correspondence between disclosures made in privacy policies and data actually transmitted to third parties. Following the pattern of previous work23 assessing the quality of apps, we focused on a sample of mental health apps, selecting apps for depression, a prevalent condition24 with substantial morbidity,25 and smoking cessation, an example of mental health–related behavior change relevant to the large numbers of adults who continue to smoke.
To constitute the set of apps to be evaluated, 2 of us (J.T. and K.H.) searched the official Android and iOS app marketplaces in the United States and Australia using the terms “depression” and “smoking cessation.” The search of US app stores took place on January 14, 2018; the search of Australian stores, January 15, 2018. We used search rank as a proxy for popularity, following practices adopted by prior app research studies.23,26 To minimize the risk of user-specific tailoring of search results,27 we ran searches from an anonymized user account with no prior credentials registered at each marketplace. We prespecified that the first 10 apps returned for each search term by each country-specific store would be retained. After pooling and deduplication, this yielded a final test set of 36 apps (15 Android-only, 14 iOS-only, and 7 available on both platforms). Based on studies that have attempted to exhaustively identify Android and iOS apps for depression28 and smoking cessation29 published in 2015 and 2017, respectively, this approach can be expected to have sampled approximately 8% of available apps for depression (20 of 243) and 6% of apps for smoking cessation (20 of 316). Apps were not filtered by payment model or language. All selected apps were free to use.
Apps were downloaded on January 21, 2018, installed on 1 of 2 test devices (Huawei Nexus 6P running Android version 7.1.2 and iPhone 6S running iOS version 11.0.1), and subjected to 2 sessions of simulated use intended to exercise the set of features available in each app. All network traffic generated during simulated use, including data encrypted using standard internet protocols (eg, Secure Sockets Layer and Transport Layer Security), was silently intercepted using a previously described method6 based on a technical strategy termed a man-in-the-middle attack.31 The destination and content of each transmission were tagged automatically to identify (1) the owner of the destination, whether developer or third party and (2) instances of personal and other user-generated data contained within each message. All tagging was verified manually (by K.H. and M.E.L.). In a post hoc analysis, apps installed on each platform were reviewed to identify those implementing social login functions. Social login is a convenience strategy that allows users to register for internet services by reusing the username, password, and other identity details held by a third party, such as Facebook or Google.
Data were summarized using descriptive statistics. The unit of analysis was the platform-independent app. Because this study did not involve human participants, ethical review was not required according to the policies of the human research ethics procedure of UNSW Sydney. The Strengthening the Reporting of Observational Studies in Epidemiology (STROBE) reporting guideline was used in the reporting of this observational study.32
Of the 23 of 25 apps (92%) that, within policy text, addressed the possibility of transmission of data to any third party, 16 (70%) positively indicated data would be shared with advertisers (of which 6 displayed visible advertisements during testing) and 14 (61%) indicated that data would be shared with both advertisers and analytics services. Of the 23 apps that referenced third-party transmission to any party, 6 (26%) specifically asserted that strong personal identifiers (such as name, email address, or date of birth) would not be shared with advertisers. Only 1 app stated explicitly that data would not be shared with any third party.
Of the 33 apps transmitting data to a third party, 9 (27%) sent a strong identifier consisting of either a fixed device identifier (8 apps) or a username (1 app); 26 of the 33 (79%) sent weak identifiers, such as an advertising identifier (24 apps), a pseudonymous key that can be used to track user behavior over time and across different products and technology platforms. Two of the apps (6%) incorporated user-reported health status information (such as health diary information [1 app] or substance use [1 app]) as part of usage data sent to third-party analytics services. No other personal or sensitive information (such as full names, passwords, dates of birth, or medical data) was observed in transmissions to third parties.
Google social login was present in 3 apps (8%), while Facebook social login was present in 7 (19%). All apps implementing these social login functions were found to be transmitting weak personal identifiers to Google or Facebook, respectively. Transmissions occurred regardless of whether the social login feature was used.
While transmission of directly personally identifiable information was not observed, traffic sent to third parties routinely included linkable information. This included fixed device identifiers on Android (despite these being deprecated on privacy grounds37 and no longer available to developers of iOS apps38) and advertising identifiers on both platforms (which ostensibly provide greater protection, as they can be reset by the user, but are still designed to allow user tracking across services). The transmission of even basic details, such as the name or category of the app generating traffic, alongside these identifiers potentially enables third parties to generate linkable information about mental health status. The observed consolidation of services offering advertising, marketing, and analytics may exacerbate this risk by increasing the likelihood that a given service provider holds data from multiple sources. While Google explicitly limits the secondary uses of data collected for analytics33 and advertising or marketing39 purposes, Facebook’s developer policy states that “We can analyze your app, website, content, and data for any purpose, including commercial.”34 Consequently, users should be aware that their use of ostensibly stand-alone mental health apps, and the health status that this implies, may be linked to other data for other purposes, such as marketing targeting mental illness. Critically, this may take place even if an app provides no visible cues (such as a Facebook login), and even for users who do not have a Facebook account. This study was not designed to identify whether linkable information was actually being used by advertisers, for example, to subsequently drive tailored advertising. Future work could consider looking for direct evidence of linkable information being used in this way, for example, by looking for changes in advertisement content suggestive of tailoring once an app has been used.
Our findings are topical not just because of contemporary concerns about the privacy practices of certain commercial entities,7 but also in respect to current efforts to establish accreditation programs for mental health apps that account for privacy and transparency concerns. Our data highlight that, without sustained and technical efforts to audit actual data transmissions, relying solely on either self-certification or policy audit may fail to detect important privacy risks. The emergence of a services landscape in which a small number of commercial entities broker data for large numbers of health apps underlines both the dynamic nature of app privacy issues and the need for continuing technical surveillance for novel privacy risks if users and health care professionals are to be offered timely and reliable guidance. For example, consolidation of data processing into a few transnational companies underlines the risk that user data may be inadvertently moved into jurisdictions with fewer user protections, or that this may be exploited by malicious actors. The lack of information provided about data processing jurisdictions observed in this sample suggests that developers may either be unaware of this risk or do not appreciate its significance for potentially sensitive health data.
These dynamic aspects of app privacy underline the need for the clinical community to respond with frequent privacy reviews that incorporate both consideration of privacy policies and technical security reviews. While it is appealing to offer health care consumers metrics such as transparency scores for app privacy policies, our results highlight the need for such metrics to be updated often and include the interrogation of actual app traffic. As demonstrated in this study, such a review is not only possible but also revealing of emerging issues that may influence decision making around use of smartphone apps for health.
This study has limitations. As with other studies of health app policy and content, our analysis was conducted using a snapshot of apps and policy documentation captured at a single point. While we recognize that the app marketplaces are a dynamic environment,40 more frequent analyses are not feasible owing to the time required for double coding each policy and configuring and testing each app to capture data transmission. At the conclusion of analysis on June 7, 2018, all apps remained available, almost three-quarters (72% [26 of 36]) remained in the top 10 results, and 92% (33 of 36) remained in the top 20 results returned by the app marketplaces. Nevertheless, the proportions reported should be interpreted as indicators of the frequency of phenomena, rather than as definitive statistics.
This analysis examined only the 10 top-ranked apps on each platform, targeting 2 areas: depression and smoking cessation. This represents a small fraction of the pool of available apps for mental health. Although multiple factors are associated with app adoption,27 search rank appears to be a heuristic strategy by most users when selecting which apps to download.41 Consequently, when paired with strategies to minimize algorithmic tailoring of search results, highly ranked apps are likely to be representative of those apps installed by users.
Data transmissions were categorized into advertising and marketing vs analytics uses using an existing data-derived schema6 and based on the web address of the receiving services. The emergence of analytics services consuming advertising identifiers for linking user behavior across multiple services highlights that this categorical distinction may no longer be relevant. Future work should consider collapsing these categories and instead characterizing third-party services by the purposes for which data are used. Categorical analysis of third-party traffic was also limited to the 2 most common traffic destinations, Google (by 28 apps) and Facebook (by 12 apps). The remaining 14 third-party destinations were used by fewer than 5 apps each.
We could only identify transmissions to third parties occurring directly from apps. We cannot rule out the possibility that data sent to developer-run services (observed in 12 of 36 apps [33%]) are subsequently shared with third parties. Our findings may, therefore, be conservative in this regard.
Accepted for Publication: March 3, 2019.
Published: April 19, 2019. doi:10.1001/jamanetworkopen.2019.2542
Open Access: This is an open access article distributed under the terms of the CC-BY License. © 2019 Huckvale K et al. JAMA Network Open.
Corresponding Author: Kit Huckvale, MBChB, MSc, PhD, Black Dog Institute, UNSW Sydney, Hospital Road, Randwick, New South Wales 2031, Australia (email@example.com).
Author Contributions: Dr Huckvale had full access to all of the data in the study and takes responsibility for the integrity of the data and the accuracy of the data analysis.
Concept and design: Huckvale, Larsen.
Acquisition, analysis, or interpretation of data: All authors.
Drafting of the manuscript: Huckvale, Torous.
Critical revision of the manuscript for important intellectual content: All authors
Statistical analysis: Huckvale, Larsen.
Administrative, technical, or material support: All authors.
Conflict of Interest Disclosures: Dr Larsen reported grants from National Health and Medical Research Council during the conduct of the study. No other disclosures were reported.
Additional Contributions: Harini Kolamunna, PhD, UNSW Sydney, reviewed the privacy policies. Dr Kolamunna was compensated for her contribution to the study.