Health and Location Apps May Track Your Data and Pass It On to Third Parties | TC detective

Among the measures to combat the new coronavirus during these two years of the pandemic, federal agencies in several countries have used technology resources, such as apps, to monitor the population – checking whether people were following isolation measures – and to try to contain the disease.

Even before Covid-19, mobile tools allowed the tracking of health information, especially in relation to women. And despite assurances of data protection, that information often ends up being forwarded to third parties without your consent.

Several recent reports point to the misuse of apps aimed at user health. TC Detective set out to understand them and explains what it found below.

Use of data by the US CDC

One of the findings in recent weeks has to do with the US Centers for Disease Control and Prevention (CDC). The agency reportedly purchased access to location data collected from tens of millions of cell phones in the US for a year by the company SafeGraph – banned from the Play Store by Google in June 2021 – for US$420,000.

The stated rationale is to analyze compliance with the curfew, track patterns of people visiting schools in what they call K-12 – that is, kindergartens – and monitor the effectiveness of policy in the Navajo Nation – considered the largest indigenous community in the country.

However, the documents obtained by Motherboard – dated 2021 – indicate more general uses than those officially cited. The data acquired is aggregated, that is, it follows trends, and it includes device location, which indicates where someone lives, works and has gone. Researchers fear that this information will cease to be anonymous and will start to point to specific individuals.

The screenshot of the CDC use cases includes some items that are outside the scope of the pandemic. Among them is item 19, which cites “Research points of interest for physical activity and chronic disease prevention, such as visits to parks, gyms, or weight management businesses”.

Another part of the document also explains the use of location data to support programmatic areas that are not related to Covid-19.

“CDC also plans to use mobility data and services acquired through this acquisition to support non-COVID-19 programmatic areas and public health priorities across the agency, including but not limited to travel to parks and green spaces, physical activity and mode of travel, and population migration before, during and after natural disasters. The mobility data obtained under this agreement will be available for use across the CDC agency and will support numerous CDC priorities.”

U.S. Centers for Disease Control and Prevention (in document obtained by Motherboard)

The documents also list the data packages purchased by the CDC. The list has packages such as “US Central Location Data”, “Weekly Patterns Data” and “Neighborhood Patterns Data”. The latter, specifically, shows how long people stay at home and is aggregated by state and census block.

Apps for women’s health

This concern seems to have been going on since before the pandemic. An application called Flo, created in 2015 and focused on women’s health, had as its main function the monitoring of users’ activities. For this, it requested intimate details ranging from the length of the menstrual cycle to the level of libido.

The information would serve to help monitor the person’s reproductive period, indicating more or less fertile days. And in theory, there was a promise to keep user data secret.

However, the Federal Trade Commission (FTC) in the US found that, between 2016 and 2019, the company that owns the app passed on some intimate health details of users to marketing and analytics companies such as Facebook and Google.

According to The New York Times, the US agency disclosed that data sharing practices made it possible for third parties to use “personal health information in an expansive manner, including for advertising”. Flo and Google told the newspaper that the data was not used in ads, while Facebook gave no comment.

The FTC eventually reached a settlement with Flo Health – which did not admit wrongdoing – that prohibits deception about data handling practices, requires users’ consent before sharing health information and provides for an independent review of its data privacy terms.

How does it work in the European Union?

If such a situation occurs within any of the member countries of the European Union, the well-known data protection law in force in the bloc determines who is responsible for what happened.

The so-called GDPR places the burden of lack of privacy on application developers. The standard gives users broad data control rights, with a requirement that companies ask for explicit permission before collecting or sharing people’s confidential information.

And in Brazil?

Within the territory of Brazil, there is the General Data Protection Law (LGPD), legislation based on the European GDPR that establishes rules on the use of internet users’ data in the country.

When speaking specifically of the health area, in paragraph 4 of Art. 11 of Section II of Chapter II, it is quite explicit that the communication and shared use of sensitive information related to health, with the objective of obtaining economic advantage, is prohibited.



Section II

Processing Sensitive Personal Data

Art. 11. § 4 Communication or shared use between controllers of sensitive personal data relating to health with the objective of obtaining economic advantage is prohibited, except in cases related to the provision of health services, pharmaceutical assistance and health care, provided that in compliance with § 5 of this article, including auxiliary services for diagnosis and therapy, for the benefit of the interests of data subjects, and to allow:

I – data portability when requested by the holder; or

II – the financial and administrative transactions resulting from the use and provision of the services referred to in this paragraph

§ 5 Operators of private health care plans are prohibited from processing health data for the practice of risk selection in contracting any modality, as well as in contracting and excluding beneficiaries.

Therefore, like the European Union, Brazil also treats it as an irregularity under the law if any of your health data is forwarded to third parties without your consent for economic purposes.

Have you ever detected an application that was tracking your data improperly? Report it to us in the space below.
