Privacy: A hole in the virtual medicine cabinet

Researchers hoped health data would be treated as personal and sensitive. They were disappointed to find the sharing going on was really "business as usual."

Researchers find popular medication phone apps share data with third parties

Data traffic analysis by a team of researchers found popular medication apps downloaded from the Google Play store shared sensitive personal information with third parties. (Timothy Neesam/CBC)

This is an excerpt from Second Opinion, a weekly roundup of eclectic and under-the-radar health and medical science news emailed to subscribers every Saturday morning.

It's personal information that can't get any more personal: your medical conditions, symptoms you've searched and lists of medication you take.

If you happen to have entered that information into popular prescription drug-tracking Android phone apps, some of it might be shared with data giants like Google, Amazon and Facebook.

Those are the findings from an international team of researchers who analyzed the data traffic of each of the 24 medication apps they downloaded from the Google Play store.

The apps, which include Medscape and Epocrates Plus, have been downloaded by millions of users. They're popular among doctors and patients because they not only keep track of the user's prescription drugs and medical conditions, but they're also a quick search tool for all medications on the market and even offer a possible diagnosis of symptoms.

The findings, published in the BMJ this week, show that sharing all this data with third parties is routine. Even the lead author, Quinn Grundy of the University of Toronto's school of nursing, admitted she was surprised at how freely the data was being passed on to other companies, given the nature of the information.

"We'd hoped that health data would be treated as personal and sensitive and I think we're disappointed to see that the kind of sharing going on was really 'business as usual' as for any other kind of app."

'Dangerous' permissions

During the installation process, users are required to grant app developers permission to start collecting personal information. Grundy and her colleagues from the University of California and the University of Sydney in Australia set up fake user profiles to track the flow of data.

In all cases, the type of permission granted was considered "dangerous" by Android's own security standards for developers. (The research was restricted to Android apps, so it's unknown whether the iPhone versions of these apps shared data differently.)

The information most commonly collected by the apps was about:

  • The devices they were downloaded on.
  • The operating system.
  • Browsing activity.
  • List of drugs entered by the user.

In a few cases, extremely sensitive data was also scooped up, such as the name of the user's doctor and pharmacy, as well as "feelings" they were experiencing.

In most cases, app developers aren't actually selling the data to third parties for money. Instead, it's a free trade, whereby third parties like Google Analytics, Crashlytics (Google) and Flurry (Yahoo!) retain the right to collect user data in exchange for providing app developers services such as app usage statistics, social media links, or bug reporting. These arrangements are sometimes called "freemium services."

A few medication apps can link with users' Facebook accounts, creating another avenue for personal data to be connected and shared. In most cases, the data is anonymized.

But users shouldn't be confident in thinking they won't be identified. The data-sharing often doesn't end with third parties if that third party happens to be Google, for example.

Google shares data with what Grundy refers to as "fourth parties" — business partners that have the ability to perform sophisticated data analysis.

"And so we could see user data kind of travelling through this mobile ecosystem and these big players at the centre of it able to aggregate and potentially re-identify users," she said.

Grundy added that although users consent to sharing data, and none of the activity is illegal, users are likely unaware of what happens to that information after it's passed along to third parties and beyond. The same goes for app developers.

Canada's 'lax' data laws

The research team's findings don't surprise Sharon Polsky, who has written privacy policies for organizations and is currently an adviser with the Privacy and Access Council of Canada, a non-profit advocacy group.

Polsky said however responsible an app developer's privacy policies sound, users kick the floodgates open once they give their consent. "It's carefully worded fuzzy language that essentially allows wide latitude for an organization to use the information."

Polsky said there are only a few examples of governments trying to rein in what she calls "surveillance capitalism." In 2018, the state of Vermont passed new regulations requiring data brokers to register and maintain basic data security standards.

Polsky said the European Union's General Data Protection Regulation (GDPR) is a "good start" but should go further, while referring to Canada's data privacy laws as "lax."

In a separate commentary published in the BMJ, health information professor Claudia Pagliari of the University of Edinburgh credited Grundy's research for providing some sobering context amid the excitement surrounding digital health.

Pagliari also wrote there is a "good news story hidden in this work," referring to the fact that companies were more transparent about their data-sharing arrangements after the GDPR came into effect.
