One of the first contact-tracing apps violates its own privacy policy. North and South Dakota’s Care19 COVID-19 contact-tracing app sends users’ location data to more than just the government.
Note that the Care19 app does not use the Apple-Google contact tracing (exposure notification) API.
Geoffrey A. Fowler for The Washington Post:
A new analysis of one of the first of a handful of U.S. contact-tracing apps, North and South Dakota’s Care19, finds it violates its own privacy policy by sharing citizen location and other personal data with an outside company. The review was published Thursday by privacy software maker Jumbo.
The oversight suggests that state officials and Apple, both of which were responsible for vetting the app before it became available April 7, were asleep at the wheel.
“Should this have been vetted? Yes. We are following up on that as we speak,” said Vern Dosch, the state of North Dakota’s contact-tracing facilitator. “We know that people are very sensitive.” Health officials in South Dakota did not immediately reply to requests for comment.
Apple said it was investigating the report and that if it finds an app is out of compliance, it works with the developer to get it into compliance.
Steven Melendez for Fast Company:
The app, called Care19, and produced by a company called ProudCrowd that also makes a location-based social networking app for North Dakota State sports fans, generates a random ID number for each person who uses it.
According to the app’s privacy policy, “location data is private to you and is stored securely on ProudCrowd, LLC servers” and won’t be shared with third parties “unless you consent or ProudCrowd is compelled under federal regulations.”
But according to the Jumbo report, the app sends the random ID number, along with a phone ID used for advertising purposes and apparent latitudes and longitudes of places visited by the user, to Foursquare, a leading location-data provider. The app also sends the random ID to servers run by Bugfender, a Barcelona-based service used by app makers to track and diagnose software malfunctions, according to Jumbo, which monitored internet traffic generated by the app. It’s accompanied by the phone’s name, which often includes the device owner’s first name, according to the report. The phone’s advertising ID is also sent to Google servers that appear to be affiliated with Google’s Firebase service, Jumbo found.
Google didn’t immediately respond to an inquiry from Fast Company about the data collected via the app.
MacDailyNews Take: Wait, a contact tracing app mishandles location data in violation of its own privacy policy? Shocker.
No location data is truly anonymized. It can be cross-matched with other publicly-available data to identify and track individuals. — MacDailyNews, April 2, 2020
And, yes, once again, Apple’s App Store vetting process is proven shoddy.
These apps aren’t going to work for mitigating the spread of COVID-19 very well or at all (see why here, here and here), but they are going to provide excellent legal cover, which is necessary, especially in more litigious countries, for all of us to get back to life.
At the very least, and perhaps the primary impetus for the creation of these apps at universities and everywhere else, is that the existence of such apps relieve universities and everyone else from LIABILITY under the law. Look at digital contact tracing apps as a buffer for getting back to school, work, leisure activities, sports, travel, etc. without the fear of being sued.
Schools, restaurants, airlines, retailers, everyone will be able to say: “The apps exist. Not our fault if too few people use them. Get well soon, as do 99.72% (99.91% under age 65) of people who contract COVID-19!”
This is the real reason why digital contact tracing apps exist: Absolvement of legal liability. — MacDailyNews, May 22, 2020
A close reading of the Fast Company report suggests that this is strictly a Google (Surprise) problem: “ Contact tracing, where people potentially exposed to a disease are notified so they can be tested and potentially treated or quarantined, has been seen as a potential way to reduce the spread of COVID-19. Apple and Google have developed software toolkits to let public health agencies build iOS and Android apps to enable automated phone proximity detection via Bluetooth, and many state and local agencies have begun hiring people to manually trace contacts of those infected with the virus. North Dakota officials have indicated future versions of Care19 will incorporate the new Apple-Google technology.” The last sentence sort of indicates that the current Care19 app is not the Google_Apple process but really a app written for the states by a location tracing app company.
Here here here
I’m concerned these apps will cry wolf.
So you’re in a car, windows closed, and a car pull next to you. Someone in that car tests positive. Now alarms go off in that tracing app. This could happen dozens of times in a day.
That’s not how it works.
Hi. Not an unexpected finding, but I can’t get a feeling for the vetting process. My first impression is that someone screwed up. My second impression is that MDN is awfully fast to jump on the possible screening failure.
“And, yes, once again, Apple’s App Store vetting process is proven shoddy.”
Sounds very premature. What does App Store say? There’s Apple, a vendor, Google & two state governments involved. MDN is very quick to pick Apple out.
You do not know what you’re talking about.
Apple’s App Store vetting “process” (as if there is one) has been broken since the store’s inception and remains broken today as evidenced by the fact that the “privacy” company just approved an app that violates its own privacy policy and the privacy of iOS users.
I does not get more broken. There is NO substitution for app vetting by QUALIFIED humans, but, no mater how many times Apple’s “process” fscks up, they refuse to assemble a real team and pay them to properly vet App Store apps. It’s always an, “oh, we’ll have to check that one out,” after the fact, after it’s been in the store available for download.
There is no need for this period, this disease is not that different from any other, you don’t drop dead when you get it, most didn’t know that they had it. Recovery rates are Very high.
Course if you choose to flush what privacy and freedom you have left. That’s your choice to perpetually live in fear, I’d rather things return to near normal now.