Tech privacy firm warns contact tracing app violates policy

The Care19 app is seen on a cell phone screen, Friday, May 22, 2020, in Sioux Falls, S.D. Care19, a contact tracing app, is being pushed by the governors of North Dakota and South Dakota as a tool to trace exposure to the coronavirus. But tech firm Jumbo Privacy points out the app violated its own privacy policy by sharing location and identification information with third-party companies like Foursquare, BugFender and Google.

SIOUX FALLS, S.D. (AP) — A contact tracing app pushed by the governors of North Dakota and South Dakota as a tool to trace exposure to the coronavirus violated its own privacy policy by sharing location and user identification information with third party companies, according to a report from a tech privacy firm.

The Care19 app, developed by ProudCrowd, of North Dakota, was one of the first contact tracing apps endorsed by state governments in response to the coronavirus. Governors from both states promoted it as a way to help health officials stop outbreaks and retrace the steps of people with infections, while assuring people that their data is protected. But tech privacy firm Jumbo Privacy reported this week that developers included lines of code that send users' location and identification data to third-party companies including Foursquare, BugFender and Google.

Concerned citizens have been eyeing the tradeoff between controlling outbreaks using apps and intrusions on personal privacy. Civil liberty groups and tech watchdogs have warned about contact tracing apps, saying governments and companies should not be able to access personal data.

The Care19 app shared location data with Foursquare, an advertising company that markets to people based on their location.

ProudCrowd CEO Tim Brookins said his company sends data to Foursquare to determine which businesses a user has visited, but the data is discarded and not used for commercial purposes.

“The simple overarching fact here is that we have stated, and Foursquare has confirmed, that they have not, nor will not, collect data from Care19 users. Period,” Brookins said.

The app generates an anonymous code for every user. The Jumbo Privacy report noted that the code, along with the phone's identification, was sent to BugFender, a Barcelona-based company that helps developers track malfunctions. The app also sent an advertising identifier linked with the user's phone to Google's Firebase service. That adds up to “serious privacy risks,” Jumbo said.

“It’s really an oversight from them,” said Jumbo Privacy CEO Pierre Valade. “It’s not a bad intention. They were rushing to build this product.”

Until Friday, Care19's privacy statement told users their location data would “not be shared with anyone, including government entities or third parties, unless you consent or ProudCrowd is compelled under federal regulations.”

A revised statement says third parties “may have temporary access to aspects of your data for their specific data processing tasks. However, they will not collect this data in a form that allows themselves or others to access or otherwise use this data.”

South Dakota Secretary of Health Kim Malsam-Rysdon said the Care19 app doesn't violate the privacy statement and that users always had to grant permission for the app to use their data. The South Dakota version of the app has been downloaded more than 18,000 times, but hasn't been used to trace an active infection yet.

“This is a voluntary, opt-in app,” she said.

The North Dakota Department of Health, which has seen over 33,000 downloads of the app, hasn't responded to a request for comment.

Copyright 2020 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten or redistributed without permission.
