This week, the Privacy Rights Clearinghouse, a California nonprofit dedicated to empowering individuals to protect their privacy, issued a study on mobile health and fitness apps based on a technical risk assessment they performed to determine what data the apps collected, stored, and transmitted. After studying 43 popular apps (both free and paid) from a consumer and technical perspective, the group found "considerable privacy risks for users" and that the privacy policies for those apps that have policies do not describe those risks.
Among the Privacy Rights Clearinghouse's other findings:
- Many apps send data in the clear--unencrypted--without user knowledge
- Many apps connect to several third-party sites without user knowledge
- 72 percent of the apps had medium (32 percent) to high (40 percent) risk regarding personal privacy
As the report points out, the danger that health and fitness apps pose is that they "appeal to a wide range of consumers because they can be beneficial, convenient, and are often free to use." However, as the group warns, consumers should not assume any of their data is private in the mobile app environment--even health data that they consider sensitive.
Is any of this really shocking? Last month, rogue Booz Allen Hamilton employee Edward Snowden exposed a massive effort by the National Security Agency to track cell phone calls and monitor the e-mail and Internet traffic of virtually all Americans. And, it was also revealed that the NSA and the FBI are siphoning personal data from the main computer servers of nine major U.S. Internet firms.
Unless you go completely "off the grid" and eliminate all forms of electronic communication, it's a safe bet that someone is looking at your data. As the Privacy Rights Clearinghouse advises users of mobile health and fitness apps: assume any information you provide to an app may be distributed to the developer, third-party sites the developer uses for functionality, and unidentified third-party marketers and advertisers. Welcome to our brave new world. - Greg (@Slabodkin)