* The following article was originally published by Healthcare Informatics.
Healthcare professionals who are in a position to recommend the use of fitness apps need to be aware that patients’ personal data can be used in ways that HIPAA would prohibit and that will surprise patients who are trying to be smart about fitness in a smartphone world.
The Customer is Not the User
The consumer is the user, not the customer of the app company. The customer is the advertiser. The user provides data that the app sells to advertisers to generate revenue. This business model goes a long way toward explaining the limitations on privacy protection, especially with free apps.
What Fitness Data is Collected and Therefore at Risk?
Fitness data covers a wide range of information, including: (1) archetypal personal data provided by the user, such as name and address; (2) fitness and health-related data provided by the user, such as height, weight, and fitness activities; (3) information collected by the app during use; (4) information shared through the app’s social media component; (5) information measured by sensors on the mobile device, such as heart rate; (6) information provided by the mobile device itself, such as geolocation; (7) aggregated data from the above; (8) behavior tracking data prepared by third party analytics firms; and (9) user data collected by advertisers during use. “Behavior tracking” is a set of online techniques used to collect and interpret fitness app users’ activity as they use apps, visit websites, and engage in other Internet activity. Advertising and marketing agencies use behavior tracking to tailor advertisements for specific users.
Privacy Policies Available at App Store vs. Only Within the App
Long vs. Short Privacy Policies
Free vs. Paid Apps
HTTP vs. HTTPS
“HTTP” means “Hypertext Transfer Protocol”—the Internet protocol used to send data between a user’s browser and the website to which he or she is connecting. In “HTTPS,” the “S” stands for secure, and “secure” means encrypted. HTTPS is an example of the use of “SSL,” or “Secure Sockets Layer,” a technology that encrypts data so that it cannot be read while in transit. In contrast, data transferred over plain HTTP is transmitted in the “clear.” As an example, an HTTP transfer allows third parties with access to the data in transit to see the website the user is looking at or the behavioral analytics generated by the fitness app. The encryption vs. non-encryption issues apply whether the app is a free or paid app.
According to the technical analysis, only 6 percent of the free apps and only 15 percent of the paid apps sent behavior tracking information to third party analytics services using HTTPS or some other form of encrypted SSL connection. Thus at least 85 percent—a high percentage indeed—of such data about app users is sent in unprotected form using only HTTP, whether a free or paid app is used.
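An added example, not part of the original article or the analysis it cites: a short Python check over a constructed list of captured app requests. It shows which fields a party with access to the traffic can read when tracking data goes over plain HTTP, and the share of requests per app tier that use HTTPS. The hostnames, parameter names and records are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: (app tier, request URL) pairs as a traffic capture of
# fitness apps might list them. Hosts and parameters are placeholders.
CAPTURE = [
    ("free", "http://analytics.example/track?uid=u123&event=run_logged&hr=152"),
    ("free", "http://ads.example/imp?uid=u123&lat=40.71&lon=-74.00"),
    ("free", "https://metrics.example/v1/collect?uid=u123&event=open"),
    ("paid", "https://metrics.example/v1/collect?uid=u456&event=open"),
    ("paid", "http://analytics.example/track?uid=u456&weight=81"),
]


def observer_view(url):
    """Return what a party with access to the data in transit can read."""
    parts = urlsplit(url)
    if parts.scheme.lower() == "https":
        # HTTPS encrypts the path, query string and body. The hostname is
        # usually still exposed by DNS lookups and the connection setup.
        return {"host": parts.hostname, "encrypted": True, "fields": {}}
    # Plain HTTP: every query parameter travels in the clear.
    return {"host": parts.hostname, "encrypted": False,
            "fields": dict(parse_qsl(parts.query))}


def encrypted_share(capture):
    """Percentage of requests per app tier that were sent over HTTPS."""
    totals, secure = {}, {}
    for tier, url in capture:
        totals[tier] = totals.get(tier, 0) + 1
        if observer_view(url)["encrypted"]:
            secure[tier] = secure.get(tier, 0) + 1
    return {tier: round(100 * secure.get(tier, 0) / n) for tier, n in totals.items()}


def cleartext_findings(capture):
    """List (tier, host, exposed field names) for each unencrypted request."""
    findings = []
    for tier, url in capture:
        view = observer_view(url)
        if not view["encrypted"]:
            findings.append((tier, view["host"], sorted(view["fields"])))
    return findings


if __name__ == "__main__":
    print(encrypted_share(CAPTURE))
    for finding in cleartext_findings(CAPTURE):
        print(finding)
```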
(2) A paid app, not a free app; and
These factors can be used to balance the benefits of a fitness app against a broad use of personal fitness data by companies other than the app company.