Houston Chronicle

Tech privacy firm warns contact tracing app violates policy

- By Stephen Groves

SIOUX FALLS, S.D. — A contact tracing app pushed by the governors of North Dakota and South Dakota as a tool to trace exposure to the coronaviru­s violated its own privacy policy by sharing location and user identifica­tion informatio­n with third-party businesses, according to a report from a tech privacy company.

The Care19 app, developed by ProudCrowd, of North Dakota, was one of the first contact tracing apps endorsed by state government­s in response to the coronaviru­s. Governors from both states promoted it as a way to help health officials stop outbreaks and retrace the steps of people with infections, while assuring people that their data is protected. But tech privacy company Jumbo Privacy reported this week that developers included lines of code that send users’ location and identifica­tion data to third-party companies including Foursquare, BugFender and Google.

Concerned citizens have been eyeing the tradeoff between controllin­g outbreaks using apps and intrusions on privacy. Civil liberty groups and tech watchdogs have warned about contact tracing apps, saying government­s and companies should not be able to access personal data.

The Care19 app shared location data with Foursquare, an advertisin­g company that markets to people based on their location.

ProudCrowd CEO Tim Brookins said his company sends data to Foursquare to determine which businesses a user has visited, but the data is discarded and not used for commercial purposes.

“The simple overarchin­g fact here is that we have stated, and Foursquare has confirmed, that they have not, nor will not, collect data from Care19 users. Period,” Brookins said.

The app generates an anonymous code for every user. The Jumbo Privacy report noted that the code, along with the phone’s identifica­tion, was sent to BugFender, a Barcelona-based company that helps developers track malfunctio­ns. The app also sent an advertisin­g identifier linked with the user’s phone to Google’s Firebase service. That adds up to “serious privacy risks,” Jumbo said.

“It’s really an oversight from them,” said Jumbo Privacy CEO Pierre Valade. “It’s not a bad intention. They were rushing to build this product.”

Until Friday, Care19’s privacy statement told users their location data would “not be shared with anyone, including government entities or third parties, unless you consent or ProudCrowd is compelled under federal regulation­s.”

A revised statement says third parties “may have temporary access to aspects of your data for their specific data processing tasks. However, they will not collect this data in a form that allows themselves or others to access or otherwise use this data.”

South Dakota Secretary of Health Kim Malsam-Rysdon said the Care19 app doesn’t violate the privacy statement and that users always had to grant permission for the app to use their data. The South Dakota version of the app has been downloaded more than 18,000 times, but hasn’t been used to trace an active infection yet.

“This is a voluntary, opt-in app,” she said.

North Dakota Republican Gov. Doug Burgum said in a statement that the app, which has over 33,000 downloads in his state, does not use names, addresses or other personal informatio­n.

“The anonymous informatio­n Care19 is gathering can save lives, and smartly and safely using technology is one more way to help us speed up our economy recovery,“he said.

 ?? Stephen Groves / Associated Press ?? The Care19cont­act tracing app is being pushed as a tool to trace exposure to the novel coronaviru­s. But tech firm Jumbo Privacy points out the app violated its own privacy policy.
Stephen Groves / Associated Press The Care19cont­act tracing app is being pushed as a tool to trace exposure to the novel coronaviru­s. But tech firm Jumbo Privacy points out the app violated its own privacy policy.

Newspapers in English

Newspapers from United States