As governments build coronavirus-tracking smartphone tech, who is making sure their apps live up to privacy promises?
The study suggests that state officials and Apple, both of which were responsible for vetting the app before it became available April 7, were asleep at the wheel. Americans are especially wary of location and health data, and privacy violations of any degree will hamper efforts to use smartphones both to trace contact and to provide exposure notifications.
"Should this have been vetted? Yes. We are following up on that as we speak," said Vern Dosch, North Dakota's contact-tracing facilitator. "We know that people are very sensitive." Health officials in South Dakota did not immediately reply to requests for comment.
Apple said it was investigating the report, and if it finds that an app is out of compliance it works with the developer to get it into compliance.
Foursquare does not "use the data in any way, and it is promptly discarded," said spokeswoman Jennifer Yu.
Health authorities are moving fast to build coronavirus apps, often with limited technical resources. They're relying on commercial tracking companies and murky privacy protections - and under those conditions, it's not clear whether consumers should trust them.
The Care19 app is upfront that its main purpose is to voluntarily collect location data. (It's different from a new set of apps that use Bluetooth technology from Apple and Google to provide anonymous exposure alerts without collecting location data.) Care19 calls itself a "digital diary" to help people remember where they've been over the previous 14 days so that they can retrace their steps and the people they've been in contact with, should they contract the novel coronavirus, which causes the disease covid-19.
If users do test positive, the app lets them volunteer to share their location data with the state's health department to assist in its efforts to slow the spread of the virus.
That's where the privacy review by Jumbo finds the app falling short. Tracing the flow of data from the app, it found Care19 sends data to Foursquare, including a user's location, his advertising identifier (a unique code representing a specific phone) and the unique "citizen code" generated by the app.
Care19's maker Tim Brookins of ProudCrowd told The Post that the app uses a Foursquare service called Pilgrim SDK to convert the location data it collects as latitude and longitude into the names of recognizable places.
Brookins said his app would stop sharing the users' code with Foursquare. "It is important to note that our agreement with Foursquare does not allow them to collect Care19 data or use it in any form, beyond simply determining nearby businesses and returning that to us," he said.
Foursquare does "not financially benefit from free users like Care19," said Yu, the spokeswoman. "Essentially, any data we might receive is immediately discarded."
Foursquare does have a significant business in marketing tech. Other apps use Pilgrim SDK to help send targeted notifications and put users into marketing audience segments, such as "fitness fanatic" and "beauty enthusiast," based on where they go.
Jumbo chief executive Pierre Valade said Apple and Google have more-explicit rules for the new category of virus-tracking apps that use special access to a phone's Bluetooth signals to help anonymously notify people that they may have been exposed to people who have covid-19. The rules for these "exposure" apps say they're not allowed to collect any location data or the user's advertising identifier.
Brookins says he's making a second version of the Care19 app that will do exposure notification and comply with Apple and Google's rules.
The Care19 oversight exposes a common privacy hole in apps: They contain code from hidden third-party tracking companies. A study of the data flowing out of a Washington Post iPhone encountered more than 5,400 trackers in a week. Some of them were gathering personal information while the user was asleep and the phone's screen was turned off.
Third-party software makes it easier for app companies to code quickly. But it also often feeds the personal data economy, used to target us for marketing and political messaging.
As governments develop these apps, they're going to need the resources to develop their own technology that doesn't rely on commercial surveillance companies - or more help from Apple and Google.
Last week, a group of Democrats in the House and Senate introduced the Public Health Emergency Privacy Act, which includes new provisions for enforcing the use of citizen data in apps to fight the coronavirus.
Sen. Maria Cantwell of Washington state, the top Democrat on a key tech-focused committee, said apps need strong privacy protections in the fight against the coronavirus. "If it doesn't have a strong privacy framework, it will undermine consumer confidence," she said.
The Washington Post