Contact Tracing App Violates its Own Privacy Policy

The Care19 app shares location and user identification information with third-party businesses, a privacy group says.

The Care19 app on a cell phone screen, May 22, 2020, Sioux Falls, S.D.
AP Photo/Stephen Groves

SIOUX FALLS, S.D. (AP) — A contact tracing app pushed by the governors of North Dakota and South Dakota as a tool to trace exposure to the coronavirus violated its own privacy policy by sharing location and user identification information with third-party businesses, according to a report from a tech privacy company.

The Care19 app, developed by ProudCrowd, of North Dakota, was one of the first contact tracing apps endorsed by state governments in response to the coronavirus. Governors from both states promoted it as a way to help health officials stop outbreaks and retrace the steps of people with infections, while assuring people that their data is protected. But tech privacy company Jumbo Privacy reported this week that developers included lines of code that send users' location and identification data to third-party companies including Foursquare, BugFender and Google.

Concerned citizens have been eyeing the tradeoff between controlling outbreaks using apps and intrusions on privacy. Civil liberty groups and tech watchdogs have warned about contact tracing apps, saying governments and companies should not be able to access personal data.

The Care19 app shared location data with Foursquare, an advertising company that markets to people based on their location.

ProudCrowd CEO Tim Brookins said his company sends data to Foursquare to determine which businesses a user has visited, but the data is discarded and not used for commercial purposes.

“The simple overarching fact here is that we have stated, and Foursquare has confirmed, that they have not, nor will not, collect data from Care19 users. Period,” Brookins said.

The app generates an anonymous code for every user. The Jumbo Privacy report noted that the code, along with the phone's identification, was sent to BugFender, a Barcelona-based company that helps developers track malfunctions. The app also sent an advertising identifier linked with the user's phone to Google's Firebase service. That adds up to “serious privacy risks,” Jumbo said.

“It’s really an oversight from them,” said Jumbo Privacy CEO Pierre Valade. “It’s not a bad intention. They were rushing to build this product.”

Until Friday, Care19’s privacy statement told users their location data would “not be shared with anyone, including government entities or third parties, unless you consent or ProudCrowd is compelled under federal regulations.”

A revised statement says third parties “may have temporary access to aspects of your data for their specific data processing tasks. However, they will not collect this data in a form that allows themselves or others to access or otherwise use this data.”

South Dakota Secretary of Health Kim Malsam-Rysdon said the Care19 app doesn’t violate the privacy statement and that users always had to grant permission for the app to use their data. The South Dakota version of the app has been downloaded more than 18,000 times, but hasn’t been used to trace an active infection yet.

“This is a voluntary, opt-in app,” she said.

North Dakota Republican Gov. Doug Burgum said in a statement that the app, which has over 33,000 downloads in his state, does not use names, addresses or other personal information.

“The anonymous information Care19 is gathering can save lives, and smartly and safely using technology is one more way to help us speed up our economy recovery,” he said.
