In a collaboration between the University of Sydney, the University of Toronto and the University of California, the research team set out to investigate if and how user data is shared by top-rated medicines-related mobile apps, and sought to characterise privacy risks to app users, both clinicians and consumers alike.

The researchers found that sharing of user data by medicines-related apps is routine but far from transparent, and also identified a small number of commercial entities with the ability to aggregate and potentially re-identify user data.

“Privacy regulators should consider that loss of privacy is not a fair cost for the use of digital health services,” said lead author of the study and assistant professor Quinn Grundy of the University of Toronto and University of Sydney School of Pharmacy, Charles Perkins Centre.

Mobile health apps are a growing market targeted at both patients and health professionals, helping patients track their prescriptions and to remind them to take their pills. They also provide drug information to help clinicians prescribe and administer medications.

However, the study shows that these apps also pose risks to consumers’ privacy given their ability to collect user data. This includes sensitive information that is highly valuable to commercial interests.

The research team identified 24 top-rated medicines-related apps for the Android mobile platform in the UK, USA, Canada and Australia. All apps tested were available to the public – providing information about medicine dispensing, administration, prescribing or use – and were interactive.

They ran a laboratory-based traffic analysis of each app downloaded onto a smartphone, simulating real-world use with four dummy scripts.

Privacy leaks were detected using a technique called Differential Traffic Analysis, explained co-author Dr Ralph Holz from the University of Sydney’s School of Computer Science.

“The idea is to capture a baseline of the normal network data that an app causes, and then change privacy-related settings in the app. The places where the new settings turn up in any fresh network data shows us where and to whom the app is leaking it,” Dr Holz added.

Of the sampled apps, most – 19 out of 24, or 79 per cent – shared user data outside of the app, with a total of 55 unique entities, owned by 46 parent companies, receiving or processing this data. Such receivers included developers, parent companies (first parties) and service providers (third parties).

While it’s unclear if iOS apps share user data – and whether or not medicines-related apps share user data more or less than other health apps, or apps in general – the findings remain of concern, according to assistant professor Grundy.

“Most health apps fail to provide privacy assurances or transparency around data-sharing practices,” she said.

“User data collected from apps providing medicines information or support may also be particularly attractive to cyber criminals or commercial data brokers.”

Grundy also expressed how “health professionals need to be aware of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent”.

“Regulators should also emphasise the accountabilities of those who control and process user data, while health app developers should disclose all data-sharing practices and allow users to choose precisely what data are shared and where,” she concluded.

The research by the team was published in the medical research journal BMJ on 21 March.

In a collaboration between the University of Sydney, the University of Toronto and the University of California, the research team set out to investigate if and how user data is shared by top-rated medicines-related mobile apps, and sought to characterise privacy risks to app users, both clinicians and consumers alike.

The researchers found that sharing of user data by medicines-related apps is routine but far from transparent, and also identified a small number of commercial entities with the ability to aggregate and potentially re-identify user data.

“Privacy regulators should consider that loss of privacy is not a fair cost for the use of digital health services,” said lead author of the study and assistant professor Quinn Grundy of the University of Toronto and University of Sydney School of Pharmacy, Charles Perkins Centre.

Mobile health apps are a growing market targeted at both patients and health professionals, helping patients track their prescriptions and to remind them to take their pills. They also provide drug information to help clinicians prescribe and administer medications.

However, the study shows that these apps also pose risks to consumers’ privacy given their ability to collect user data. This includes sensitive information that is highly valuable to commercial interests.

The research team identified 24 top-rated medicines-related apps for the Android mobile platform in the UK, USA, Canada and Australia. All apps tested were available to the public – providing information about medicine dispensing, administration, prescribing or use – and were interactive.

They ran a laboratory-based traffic analysis of each app downloaded onto a smartphone, simulating real-world use with four dummy scripts.

Privacy leaks were detected using a technique called Differential Traffic Analysis, explained co-author Dr Ralph Holz from the University of Sydney’s School of Computer Science.

“The idea is to capture a baseline of the normal network data that an app causes, and then change privacy-related settings in the app. The places where the new settings turn up in any fresh network data shows us where and to whom the app is leaking it,” Dr Holz added.

Of the sampled apps, most – 19 out of 24, or 79 per cent – shared user data outside of the app, with a total of 55 unique entities, owned by 46 parent companies, receiving or processing this data. Such receivers included developers, parent companies (first parties) and service providers (third parties).

While it’s unclear if iOS apps share user data – and whether or not medicines-related apps share user data more or less than other health apps, or apps in general – the findings remain of concern, according to assistant professor Grundy.

“Most health apps fail to provide privacy assurances or transparency around data-sharing practices,” she said.

“User data collected from apps providing medicines information or support may also be particularly attractive to cyber criminals or commercial data brokers.”

Grundy also expressed how “health professionals need to be aware of privacy risks in their own use of apps and, when recommending apps, explain the potential for loss of privacy as part of informed consent”.

“Regulators should also emphasise the accountabilities of those who control and process user data, while health app developers should disclose all data-sharing practices and allow users to choose precisely what data are shared and where,” she concluded.

The research by the team was published in the medical research journal BMJ on 21 March.