From the Journals

Data sharing to third parties prevalent in depression, smoking cessation apps



When making prescribing decisions, health care professionals should assume that apps for depression and smoking cessation will share user data with third parties despite claims made in privacy policy statements, recent research shows.

“Mechanisms that potentially enable a small number of dominant online service providers to link information about the use of mental health apps, without either user consent or awareness, appear to be prevalent,” Kit Huckvale, MB ChB, MSc, PhD, of Black Dog Institute at the University of New South Wales Sydney in Randwick, New South Wales, Australia, and colleagues wrote in their study. “Mismatches between declared privacy policies and observed behavior highlight the continuing need for innovation around trust and transparency for health apps.” The study was published in JAMA Network Open.

Dr. Huckvale and colleagues examined the top 36 depression and smoking cessation apps for Android and iOS in the United States accessed in January 2018; Of the apps downloaded, 15 apps were Android-only, 14 apps were iOS-only, and 7 apps were available on both platforms. The apps were assessed over a series of two sessions while network traffic was captured during use, which allowed researchers to determine what personal information was in each data transmission and where the information was going.

There were 25 apps with a privacy policy (69%), 22 of 25 apps (88%) described how that app primarily collected data, and only 16 of 25 apps (64%) provided information on secondary uses of data. Despite 23 of 25 apps (92%) addressing “the possibility of transmission of data to any third party,” 33 of 36 apps overall (92%) transmitted data to third parties. The two most common entities that received third-party data for marketing, advertising, or analytic purposes were Google and Facebook (29 of 36 apps; 81%). However, 12 of 28 apps (43%) that sent data to Google and 6 of 12 apps (50%) that sent data to Facebook disclosed that they would share data with those companies.

The type of data sent to Google and Facebook consisted of a strong identifier to the device or a username (9 of 33 apps; 27%), or a weak identifier in the form of an advertising identifier or a pseudonymous profile that can link users to their behavior on the app and on other products and platforms (26 of 33 apps; 79%).

“As smartphones continue to gain capabilities to collect new forms of personal, biometric, and health information, it is imperative for the health care community to respond with new methods and processes to review apps and ensure they remain safe and protect personal health information,” the researchers concluded.

One of the investigators, Mark E. Larsen, DPhil, reported receiving grants from National Health and Medical Research Council. The other authors reported no relevant conflicts of interest.

SOURCE: Huckvale K et al. JAMA Netw Open. 2019. doi: 10.1001/jamanetworkopen.2019.2542.

Next Article: