Assessment of the Data Sharing and Privacy Practices of Smartphone Apps for Depression and Smoking Cessation.

Importance: Inadequate privacy disclosures have repeatedly been identified by cross-sectional surveys of health applications (apps), including apps for mental health and behavior change. However, few studies have assessed directly the correspondence between privacy disclosures and how apps handle personal data. Understanding the scope of this discrepancy is particularly important in mental health, given enhanced privacy concerns relating to stigma and negative impacts of inadvertent disclosure. Because most health apps fall outside government regulation, up-to-date technical scrutiny is essential for informed decision making by consumers and health care professionals wishing to prescribe health apps. Objective: To provide a contemporary assessment of the privacy practices of popular apps for depression and smoking cessation by critically evaluating privacy policy content and, specifically, comparing disclosures regarding third-party data transmission to actual behavior. Design and Setting: Cross-sectional assessment of 36 top-ranked (by app store search result ordering in January 2018) apps for depression and smoking cessation for Android and iOS in the United States and Australia. Privacy policy content was evaluated with prespecified criteria. Technical assessment of encrypted and unencrypted data transmission was performed. Analysis took place between April and June 2018. Main Outcomes and Measures: Correspondence between policies and transmission behavior observed by intercepting sent data.
Results: Twenty-five of 36 apps (69%) incorporated a privacy policy. Twenty-two of 25 apps with a policy (88%) provided information about primary uses of collected data, while only 16 (64%) described secondary uses. While 23 of 25 apps with a privacy policy (92%) stated in a policy that data would be transmitted to a third party, transmission was detected in 33 of all 36 apps (92%). Twenty-nine of 36 apps (81%) transmitted data for advertising and marketing purposes or analytics to just 2 commercial entities, Google and Facebook, but only 12 of 28 (43%) transmitting data to Google and 6 of 12 (50%) transmitting data to Facebook disclosed this. Conclusions and Relevance: Data sharing with third parties that includes linkable identifiers is prevalent and focused on services provided by Google and Facebook. Despite this, most apps offer users no way to anticipate that data will be shared in this way. As a result, users are denied an informed choice about whether such sharing is acceptable to them. Privacy assessments that rely solely on disclosures made in policies, or are not regularly updated, are unlikely to uncover these evolving issues. This may limit their ability to offer effective guidance to consumers and health care professionals.

Introduction

While the potential of smartphone applications (apps) to improve access to health care resources,[1] real-time monitoring,[2] and even interventions is well established,[3] concerns about data privacy remain.[4,5] The 2015 closure of the UK National Health Service’s Apps Library following discovery that endorsed health apps did not adequately disclose use of, or protect content of, personal data[6] underscores the primacy of privacy for health care apps. The more recent 2018 US congressional investigation into Facebook allowing Cambridge Analytica access to personal data from more than 50 million Facebook profiles after some users completed an online personality quiz has brought further attention to digital health care privacy.[7] The introduction of the European Union’s General Data Protection Regulation in 2018 is stimulating renewed interest in the scope of privacy and data protection,[8,9] both for online services and health care organizations that operate internationally.

This tension between personal privacy and data capture by health care apps is largely driven by the business models of these apps. Because many national health payers and insurance companies do not yet cover apps (given their often nascent evidence base), selling either subscriptions or users’ personal data is often the only path toward sustainability.[10] A recent review of apps for dementia care found that only 4% offered written assurances that user data would not be sold.[11] These numbers were only slightly better for diabetes apps, with 22% promising not to sell user data.[12] Many health care apps label themselves as wellness tools in their privacy policies or terms and conditions in an attempt to circumvent legislation that mandates privacy protections for user data, such as the Health Insurance Portability and Accountability Act.[13]

Responding to the need to ensure health care apps adequately protect users’ privacy and to close loopholes that have created the current culture of nontransparent and insecure apps, organizations around the world are now promoting health care app privacy and security. The US Food and Drug Administration,[14,15] UK National Health Service,[16] Australian Government,[17] and World Health Organization[18] have each identified and begun working on efforts to make digital health tools like smartphone apps more private and secure. Clinician-led efforts by the American Medical Association[19] and American Psychiatric Association[20] to create specific guidelines for health care smartphone apps each place privacy as a central and critical feature that must be evaluated.

However, the evaluation of the privacy (and security) of health care apps remains a challenge. Inspection of app privacy policies has proven valuable in highlighting potential risks, such as whether users are offered routes to edit, amend, and delete personal data,[6,11,21] including within apps that target depression.[22] However, technical assessment that includes the interception of traffic generated by apps holds the potential to uncover issues not apparent on examination of policy text alone.[6]

In this study, we aimed to provide a contemporary assessment of the privacy practices of popular mental health apps and, specifically, the correspondence between disclosures made in privacy policies and data actually transmitted to third parties. Following the pattern of previous work[23] assessing the quality of apps, we focused on a sample of mental health apps, selecting apps for depression, a prevalent condition[24] with substantial morbidity,[25] and smoking cessation, an example of mental health–related behavior change relevant to the large numbers of adults who continue to smoke.

Methods

To constitute the set of apps to be evaluated, 2 of us (J.T. and K.H.) searched the official Android and iOS app marketplaces in the United States and Australia using the terms “depression” and “smoking cessation.” The search of US app stores took place on January 14, 2018; the search of Australian stores, January 15, 2018. We used search rank as a proxy for popularity, following practices adopted by prior app research studies.[23,26] To minimize the risk of user-specific tailoring of search results,[27] we ran searches from an anonymized user account with no prior credentials registered at each marketplace. We prespecified that the first 10 apps returned for each search term by each country-specific store would be retained. After pooling and deduplication, this yielded a final test set of 36 apps (15 Android-only, 14 iOS-only, and 7 available on both platforms). Based on studies that have attempted to exhaustively identify Android and iOS apps for depression[28] and smoking cessation[29] published in 2015 and 2017, respectively, this approach can be expected to have sampled approximately 8% of available apps for depression (20 of 243) and 6% of apps for smoking cessation (20 of 316). Apps were not filtered by payment model or language. All selected apps were free to use.

Privacy policies and related material with the potential to contain privacy-related content, such as terms and conditions, were identified from app store descriptions, app content, and associated websites. We adopted a permissive stance that reviewed all policy material, whether (1) presented within, or linked from, the app user interface; (2) hyperlinked from the app marketplace entry; or (3) presented on the developer’s website. Each policy was reviewed to identify compliance with a schema of privacy policy quality criteria derived from earlier work[6] (Table 1). This schema covered disclosures of the primary and secondary uses of data, data transmission, subject access rights, technical security measures, governance, and operational controls, such as policy update procedures. In coding policies, we recognized a distinction between disclosures about the purposes to which data would be put and the handling of data by different entities. Policy text concerning transmission to third parties was coded according to the intended use as for either advertising and marketing purposes (defined as the use of data to tailor the content of advertisements or generate commercial insights about the characteristics of users) or analytics (tracking use of an app for the purposes of product improvement). Policies were reviewed by 2 individuals (of K.H., J.T., and a research assistant), working independently, with any disagreements resolved by a third not involved in the initial review (of M.E.L. or K.H.). Raw binary agreement between coders before reconciliation was 90.4% with a Cohen κ of 0.801, suggesting strong agreement.[30]

Table 1.

Counts and Proportions of Apps Addressing Specific Privacy Criteria in a Policy

Privacy Criteria	Apps Addressing Privacy Criterion, No. (%)a
Apps with a privacy policy	25 (69)b
Primary uses of collected data, eg, administering accounts, contacting users, providing and improving services	22 (88)
Secondary uses of collected data, eg, selling data, sharing data for purposes such as subpoena or conducting investigations, repackaging data	16 (64)
Sending data to online services, eg, app developer database or cloud	23 (92)
Sending data to a third party	23 (92)
Sending data for analytics or research	19 (76)
Sending data to advertisers or marketers	22 (88)
Sending data while loading content, eg, searching	1 (4)
Asserting nonidentifiable data collection only	7 (28)
Technical and procedural security arrangements, eg, anonymization, Secure Sockets Layer, secure servers, limited access, backup	18 (72)
How long data will be retained	8 (32)
Inherent risks or limitations of security using public internet	10 (40)
How cookies will be used	16 (64)
Procedures for opting out of online data sharing	13 (52)
Consequences of not providing or sharing data	9 (36)
Procedures for subject access requests	10 (40)
Procedures for editing data held by developers or third parties	10 (40)
Procedures for deleting data held by developers or third parties	12 (48)
Complaints procedures	8 (32)
Special procedures for vulnerable or at-risk users and/or children	15 (60)
Identity of data controller or responsible legal entity	18 (72)
Legal jurisdiction governing policy	12 (48)
Legal jurisdictions governing data processing	5 (20)
Date of policy	16 (64)
Date of next review	0
Procedures for changing the terms of the policy	19 (76)
Procedures after takeover or dissolution of legally responsible body	3 (12)

Abbreviation: apps, smartphone applications.

Percentage of apps with a privacy policy (n = 25), unless otherwise stated.

Percentage of apps included in study (n = 36).

Apps were downloaded on January 21, 2018, installed on 1 of 2 test devices (Huawei Nexus 6P running Android version 7.1.2 and iPhone 6S running iOS version 11.0.1), and subjected to 2 sessions of simulated use intended to exercise the set of features available in each app. All network traffic generated during simulated use, including data encrypted using standard internet protocols (eg, Secure Sockets Layer and Transport Layer Security), was silently intercepted using a previously described method[6] based on a technical strategy termed a man-in-the-middle attack.[31] The destination and content of each transmission were tagged automatically to identify (1) the owner of the destination, whether developer or third party and (2) instances of personal and other user-generated data contained within each message. All tagging was verified manually (by K.H. and M.E.L.). In a post hoc analysis, apps installed on each platform were reviewed to identify those implementing social login functions. Social login is a convenience strategy that allows users to register for internet services by reusing the username, password, and other identity details held by a third party, such as Facebook or Google.

Data were summarized using descriptive statistics. The unit of analysis was the platform-independent app. Because this study did not involve human participants, ethical review was not required according to the policies of the human research ethics procedure of UNSW Sydney. The Strengthening the Reporting of Observational Studies in Epidemiology (STROBE) reporting guideline was used in the reporting of this observational study.[32]

Results

More than two-thirds (25 of 36 [69%]) of apps incorporated or linked to a privacy policy. Table 1 summarizes the extent to which the content of these satisfied predefined privacy policy quality criteria. While 22 of 25 apps with a policy (88%) described primary uses for collected data, only 16 of 25 (64%) described secondary uses. Descriptions of technical security measures and the use of cookies were present in 18 of 25 apps (72%) and 16 of 25 apps (64%), respectively. Mechanisms for opting out of data sharing and deleting data were described by approximately half of the apps (13 of 26 [52%] and 12 of 25 [48%], respectively), but only 10 of 25 (40%) described users’ ability to edit data and 8 of 25 (32%) provided information about data retention practices. Disclosures about the jurisdictions in which data would be processed were rare (5 of 25 apps [20%]), and only 3 apps (12% of those with a policy) explained what would happen to personal data should the operating organization be taken over or dissolved.

Of the 23 of 25 apps (92%) that, within policy text, addressed the possibility of transmission of data to any third party, 16 (70%) positively indicated data would be shared with advertisers (of which 6 displayed visible advertisements during testing) and 14 (61%) indicated that data would be shared with both advertisers and analytics services. Of the 23 apps that referenced third-party transmission to any party, 6 (26%) specifically asserted that strong personal identifiers (such as name, email address, or date of birth) would not be shared with advertisers. Only 1 app stated explicitly that data would not be shared with any third party.

After interception and inspection of internet traffic generated by each app, data transmission to 1 or more third parties was identified for 33 of 36 apps (92%) (compared with 12 of 36 [33%] in which data were transmitted to a destination operated by the developer). Table 2 summarizes, in decreasing frequency, these third-party destinations. Almost half of the apps (17 of 36 [47%]) transmitted data to a third party but lacked a privacy policy (9 apps), failed to disclose this transmission in policy text (5 apps), or explicitly stated that transmission would not occur (3 apps).

Table 2.

Counts and Proportions of Apps Transmitting Data to a Third Party and Whether This Was Disclosed in a Privacy Policy

Destinations	No. (%)
	Apps With Privacy Policy			Apps Without Privacy Policy, Transmission Occurred
	Transmission Occurred, Disclosed in Policy	Transmission Occurred, Not Disclosed in Policy	Transmission Occurred, Policy States Transmission Would Not Occur
Any destination typea	16 (44)	5 (14)	3 (8)	9 (25)
Advertising or marketing services	10 (28)	2 (6)	2 (6)	8 (22)
Analytics services	14 (39)	5 (14)	1 (3)	4 (11)
Google destinations	13 (36)	5 (14)	3 (8)	7 (19)
Google advertising servicesb	6 (17)	2 (6)	1 (3)	6 (17)
Google analytics servicesc	12 (33)	5 (14)	1 (3)	4 (11)
Facebook analytics	9 (25)	2 (6)	0	1 (3)
Other destinations	15 (42)	1 (3)	0	4 (11)
Mixpanel	3 (8)	0	1 (3)	0
AppNexus	2 (6)	0	0	1 (3)
Twitter Mopub	3 (8)	0	0	0
Yahoo Flurry Analytics	3 (8)	0	0	0
AdColony	1 (3)	0	0	1 (3)
AppsFlyer	1 (3)	0	1 (3)	0
Kiip	1 (3)	0	0	1 (3)
Branch	1 (3)	0	0	0
AddThis	1 (3)	0	0	0
Amplitude	1 (3)	0	0	0
Manage.com	1 (3)	0	0	0
Singular/Apsalar	1 (3)	0	0	0
UserVoice	1 (3)	0	0	0
Unknown destinationd	0	0	0	1 (3)

Abbreviation: app, application.

Percentage of apps included in study (n = 36).

Identified services were AdSense, AdWords, and DoubleClick.

Identified services were Google Analytics and Crashlytics.

Identity or ownership information for the domain startappexchange.com could not be established.

Among the 36 apps, 29 (81%) transmitted data to analytics and advertising or marketing services operated by 2 commercial entities, Google and Facebook, but only 17 of the 29 (59%) disclosed transmission in a policy. Of the 15 apps transmitting data to Google advertising services, 6 of 15 (40%) disclosed transmission for advertising or marketing purposes in a privacy policy. The proportion of apps using Google Analytics services that disclosed this purpose in a policy was 55% (12 of 22). Of the 12 apps transmitting to Facebook Analytics, 9 of 12 (75%) described transmission for analytics purposes in general terms. The proportion of policies that made specific references to either Google or Facebook was smaller. Only half of the apps (6 of 12 [50%]) using a Facebook service named the company in their privacy policies, while of those transmitting to a Google service, fewer than half (12 of 28 [43%]) made a specific reference to data sharing with Google.

Of the 33 apps transmitting data to a third party, 9 (27%) sent a strong identifier consisting of either a fixed device identifier (8 apps) or a username (1 app); 26 of the 33 (79%) sent weak identifiers, such as an advertising identifier (24 apps), a pseudonymous key that can be used to track user behavior over time and across different products and technology platforms. Two of the apps (6%) incorporated user-reported health status information (such as health diary information [1 app] or substance use [1 app]) as part of usage data sent to third-party analytics services. No other personal or sensitive information (such as full names, passwords, dates of birth, or medical data) was observed in transmissions to third parties.

Google social login was present in 3 apps (8%), while Facebook social login was present in 7 (19%). All apps implementing these social login functions were found to be transmitting weak personal identifiers to Google or Facebook, respectively. Transmissions occurred regardless of whether the social login feature was used.

Discussion

Transmission of data to third-party entities was prevalent, occurring in 33 of 36 top-ranked apps (92%) for depression and smoking cessation, but most apps failed to provide transparent disclosure of such practices. Commonly observed issues included the lack of a written privacy policy, the omission of policy text describing third-party transmission (or for such transmissions to be declared in a nonspecific manner), or a failure to describe the legal jurisdictions that would handle data. In a smaller number of cases, data transmissions were observed that were contrary to the stated privacy policies.

Transmissions to third parties were dominated in this sample by just 2 commercial entities offering advertising and analytics services. While both Google and Facebook require developers to name the use of their services to users,[33,34,35] only approximately half of the apps did this in a privacy policy. It may be argued that user interface features, such as a branded social login or advertising content, offer a form of implicit disclosure of data sharing. However, most apps offered users no way to determine in advance that data would be shared with either Google or Facebook and, as a result, users are effectively denied the opportunity to make an informed choice about whether such sharing is acceptable to them. Identification of the possibility of commercial data sharing appears to rely on the technical privacy literacy of users (for example, to understand that the presence of a social login in the user interface may imply that data sharing will occur). However, privacy literacy is known to be variable,[36] and user interface cues were an unreliable proxy for transmission in this sample.

While transmission of directly personally identifiable information was not observed, traffic sent to third parties routinely included linkable information. This included fixed device identifiers on Android (despite these being deprecated on privacy grounds[37] and no longer available to developers of iOS apps[38]) and advertising identifiers on both platforms (which ostensibly provide greater protection, as they can be reset by the user, but are still designed to allow user tracking across services). The transmission of even basic details, such as the name or category of the app generating traffic, alongside these identifiers potentially enables third parties to generate linkable information about mental health status. The observed consolidation of services offering advertising, marketing, and analytics may exacerbate this risk by increasing the likelihood that a given service provider holds data from multiple sources. While Google explicitly limits the secondary uses of data collected for analytics[33] and advertising or marketing[39] purposes, Facebook’s developer policy states that “We can analyze your app, website, content, and data for any purpose, including commercial.”[34] Consequently, users should be aware that their use of ostensibly stand-alone mental health apps, and the health status that this implies, may be linked to other data for other purposes, such as marketing targeting mental illness. Critically, this may take place even if an app provides no visible cues (such as a Facebook login), and even for users who do not have a Facebook account. This study was not designed to identify whether linkable information was actually being used by advertisers, for example, to subsequently drive tailored advertising. Future work could consider looking for direct evidence of linkable information being used in this way, for example, by looking for changes in advertisement content suggestive of tailoring once an app has been used.

Our findings are topical not just because of contemporary concerns about the privacy practices of certain commercial entities,[7] but also in respect to current efforts to establish accreditation programs for mental health apps that account for privacy and transparency concerns. Our data highlight that, without sustained and technical efforts to audit actual data transmissions, relying solely on either self-certification or policy audit may fail to detect important privacy risks. The emergence of a services landscape in which a small number of commercial entities broker data for large numbers of health apps underlines both the dynamic nature of app privacy issues and the need for continuing technical surveillance for novel privacy risks if users and health care professionals are to be offered timely and reliable guidance. For example, consolidation of data processing into a few transnational companies underlines the risk that user data may be inadvertently moved into jurisdictions with fewer user protections, or that this may be exploited by malicious actors. The lack of information provided about data processing jurisdictions observed in this sample suggests that developers may either be unaware of this risk or do not appreciate its significance for potentially sensitive health data.

These dynamic aspects of app privacy underline the need for the clinical community to respond with frequent privacy reviews that incorporate both consideration of privacy policies and technical security reviews. While it is appealing to offer health care consumers metrics such as transparency scores for app privacy policies, our results highlight the need for such metrics to be updated often and include the interrogation of actual app traffic. As demonstrated in this study, such a review is not only possible but also revealing of emerging issues that may influence decision making around use of smartphone apps for health.

Limitations

This study has limitations. As with other studies of health app policy and content, our analysis was conducted using a snapshot of apps and policy documentation captured at a single point. While we recognize that the app marketplaces are a dynamic environment,[40] more frequent analyses are not feasible owing to the time required for double coding each policy and configuring and testing each app to capture data transmission. At the conclusion of analysis on June 7, 2018, all apps remained available, almost three-quarters (72% [26 of 36]) remained in the top 10 results, and 92% (33 of 36) remained in the top 20 results returned by the app marketplaces. Nevertheless, the proportions reported should be interpreted as indicators of the frequency of phenomena, rather than as definitive statistics.

This analysis examined only the 10 top-ranked apps on each platform, targeting 2 areas: depression and smoking cessation. This represents a small fraction of the pool of available apps for mental health. Although multiple factors are associated with app adoption,[27] search rank appears to be a heuristic strategy by most users when selecting which apps to download.[41] Consequently, when paired with strategies to minimize algorithmic tailoring of search results, highly ranked apps are likely to be representative of those apps installed by users.

Data transmissions were categorized into advertising and marketing vs analytics uses using an existing data-derived schema[6] and based on the web address of the receiving services. The emergence of analytics services consuming advertising identifiers for linking user behavior across multiple services highlights that this categorical distinction may no longer be relevant. Future work should consider collapsing these categories and instead characterizing third-party services by the purposes for which data are used. Categorical analysis of third-party traffic was also limited to the 2 most common traffic destinations, Google (by 28 apps) and Facebook (by 12 apps). The remaining 14 third-party destinations were used by fewer than 5 apps each.

We could only identify transmissions to third parties occurring directly from apps. We cannot rule out the possibility that data sent to developer-run services (observed in 12 of 36 apps [33%]) are subsequently shared with third parties. Our findings may, therefore, be conservative in this regard.

Conclusions

While smartphone apps hold substantial potential to increase access to mental health care, our results highlight deficits in the disclosure of data transmission practices involving third parties. Mechanisms that potentially enable a small number of dominant online service providers to link information about the use of mental health apps, without either user consent or awareness, appear to be prevalent. Mismatches between declared privacy policies and observed behavior highlight the continuing need for innovation around trust and transparency for health apps. Privacy policy review must be supplemented by sustained technical efforts if new and evolving privacy risks are to be identified in a timely way and flagged effectively to consumers and health care professionals. As smartphones continue to gain capabilities to collect new forms of personal, biometric, and health information, it is imperative for the health care community to respond with new methods and processes to review apps and ensure they remain safe and protect personal health information.