Mobile Health and Fitness Apps Privacy Study

The “Privacy Rights Clearinghouse” looked at 43 apps and summarized their findings here:

https://www.privacyrights.org/mobile-medical-apps-privacy-alert

This looks very interesting. I propose we have a bit of a “reading group” in this thread and post what we learn.

The phrase “don’t look a gift horse in the mouth” appears to sum up consumer behavior quite well :frowning:

But I’m curious how many people do bother to check the terms and then decide to not to use an app (or don’t even bother, due to a lack of trust).

I admit I never read those things either. My filter is whether or not it asks for access on my device it has no business asking for, like my location or my contacts.

I think insurance companies are the biggest concern when it comes to health data privacy. But others argue we should forget about privacy in this space, especially considering how easy it is to get samples for genetic or other molecular testing. Forget your boss reading your iPhone health data, how far are we from company toilets that steal your metabolome and microbiome? :stuck_out_tongue:

I find them hard to read myself, and I care a lot for multiple reasons; this is not easy reading.

I think that there are some applications where all your information keeps private. I work for an app development agency and on our apps we install special code that really keeps your data safe. But of course, all free apps have no such security.

One think that people do not consider is the unexpected ways the data can be used, some of which might be quite unwelcome. An example is Uber’s Rides of Glory blog post (taken down, read about it here, and I think you can find it in the Waybackmachine), where an Uber blogger wrote about using Uber data to track one night stands. It is reasonable to expect Uber to try and figure out your riding trends, perhaps predict when you will want to ride. But it is a surprise, and for most an unwelcome one, when Uber starts actively infer behavior you consider deeply personal and outside the domain of their stated mission of providing a taxi service. What if Google started using gmail to figure out how often you have a fight with your spouse, wtf does that have to do with serving ads?

But companies DO this, quite often I expect. Even if it doesn’t directly relate to the core business, that kind of explanatory analysis is a great way for a data modeler to build an intuition for the data and the stories it can tell. Most aren’t stupid enough to blog about it though.

[quote=“Robert_Ness, post:7, topic:677”]
What if Google started using gmail to figure out how often you have a fight with your spouse, wtf does that have to do with serving ads?[/quote]

Divorce lawyers would pay handsomely to be able to target ads at people who just had a fight with their spouse :slight_smile:

According to this post, the cost-per-click for the keyword “lawyer” is already ~$40!

A company that rhymes with “trombone” comes to mind…

I struggled with this very issue when I started letting people use the self tracker app I built just for me. All the data was 100% in the cloud, and I couldn’t believe how easily people would blindly put their highly personal data on some strangers servers.

I decided to kill the entire idea and rebuild it for offline first with an option to sync to your own servers. But I think we’re just seeing the tip of the personal data nightmare that’s coming.

And I couldn’t believe how easily people blindly put strange apps on their mobile devices :wink:

I don’t have any issues with storing data on servers I don’t control, as long as I know I can remove it, and I feel that the people running the service are reasonable trustworthy and competent.

Ejain: I ran a website (www.clearware.org) years ago about trying to make sense of terms in online agreements. 78% of people never or rarely read the terms… I would expect this applies to privacy policies as well. How would you ass if a service was trustworthy and competent?

Interesting… Have you been following the ToS;DR project?

Also, see https://forum.quantifiedself.com/thread-terms-of-service-privacy-policies

My clearware site is a sad state. I also saw your assessments of the privacy policies for various fitness apps… excellent work.

I am one of the few people that find ToS and privacy policies sexy. I’m familiar with Hugo’s very hard work. I have also been part of Open Notice and CommonTerms as well. Gregg Bernstein has done some interesting work as well before joining MailChimp.

Still curious what would make you consider a service trustworthy and competent (I ask because I’m in the process of launching a health and fitness related one).

Can’t judge a service’s competence without doing some kind of audit, but things like use of secure connections, handling of password resets, responsiveness to bug reports etc can be a good indicator.

Judging a service’s trustworthiness is harder: What is the business model? What is the revenue and valuation of the company? Did they put any thought into their ToS, or did they just copy it from another service?

Agreed. I think transparency is important and really a site/service needs time to demonstrate their trustworthiness and competence. Not always the best option, but external services that provide seals can be useful to consumers (depending on the seal… such as Truste, WebTrust or others).