Healthcare professionals who are in a position to recommend the use of fitness apps need to be aware that patients’ personal data can be used in ways that HIPAA would prohibit and that will surprise patients who are trying to be smart about fitness in a smartphone world.
The Customer is Not the User
The consumer is the user, not the customer of the app company. The customer is the advertiser. The user provides data that the app sells to advertisers to generate revenue. This business model goes a long way to understanding the limitations on privacy protection, especially with free apps.
What Fitness Data is Collected and Therefore at Risk?
Fitness data includes a wide range of data, including: (1) archetypal personal data provided by the user, such as name and address; (2) fitness and health-related data provided by the user, such as height, weight, and fitness activities; (3) information collected by the app during use; (4) information shared through the app’s social media component; (4) information measured by sensors on the mobile device, such as heart rate; (5) information provided by the mobile device itself, such as geolocations; (6) aggregated data from the above; (7) behavior tracking data prepared by third party analytics firms; and (8) user data collected by advertisers during use. “Behavior tracking” is a set of online techniques used to collect and interpret the fitness app user activity as they use apps, visit websites, and engage in other Internet activity. Advertising and marketing agencies use behavior tracking to tailor advertisements for specific users.
Privacy Polices Available at App Store vs. Only Within the App
Long vs. Short Privacy Policies
Perhaps counterintuitively, longer privacy policies are most often less protective of privacy than are shorter ones. Long policies generally protect the app developer more than the user. The length is driven by the need to explain all the ways in which the user’s information will be used and give and get notice and consent to third party use.
Free vs. Paid Apps
Free apps rely more on advertising for revenue than do paid apps. Paid apps receive revenue from direct payments from users, and thus have less need for ad revenue. The more detailed the information about their users that free apps provide, the more attractive the apps’ fitness data is to advertisers. Accordingly, in almost all cases, free apps collect more personal information than do paid apps because the business model of the free apps requires collecting information and selling it.
Research conducted for the Privacy Rights Clearinghouse and reported in the “Technical Analysis of Data Practices and Privacy Risks of 43 Popular Mobile Health and Fitness Applications” (the “Technical Analysis”) found that compared with the 45 percent of paid fitness apps, 75 percent of the free apps use behavior tracking, often by multiple analytics services. It also found that most free apps and half of the paid apps sent user data to as many as five different third party analytics sites, often within minutes after the user begins using the app.
HTTP vs. HTTPS
“HTTP” means “Hyper Text Transfer Protocol”—the Internet protocol used to send between a user’s browser and the website to which he or she is connecting. In “HTTPS,” the “S” stands for secure, and “secure” means encrypted. HTTPS is an example of the use of “SSL,” or “Secure Socket Layer,” a technology that encrypts data so that it cannot be read while in transit. In contrast, data transferred over plain HTTP is transmitted in the “clear.” As an example, an HTTP transfer allows third parties with access to the data in transit to see the website the user is looking at or the behavioral analytics generated by the fitness app. The encryption vs. non-encryption issues apply whether the app is a free or paid app.
According to the technical analysis, only 6 percent of the free apps and only 15 percent of the paid apps sent behavior tracking information to third party analytics services using HTTPS or some other form of encrypted SSL connections. Thus at least 85 percent—a high percentage indeed—of such data about app users is sent in unprotected form using only HTTP whether a fee or paid app is used.
(2) A paid app, not a free app; and
These factors can be used to balance the benefits of a fitness app against a broad use of personal fitness data by companies other than the app company.
William A. Tanenbaum is the co-head of technology transactions group at the law firm of Arent Fox LLP and the leader of the firm’s healthcare IT practice. Lourdes M. Turrecha is a privacy attorney at the firm.