Contact tracing app vetted by Apple found to share data with Foursquare and Google
A review of Care19 by consumer privacy app company Jumbo Privacy found the app sends location data and other personal information to outside parties, reports Fast Company.
Developed by ProudCrowd, which markets a location-based social networking app for North Dakota State University sports fans, Care19 promises participant anonymity by assigning and tracking random user IDs. The system logs locations where a user spent 10 minutes or more, information that can be correlated with contact tracing data provided on a voluntary basis to the North Dakota Department of Health.
However, Jumbo found user ID numbers, phone IDs and what appears to be location data transmitted to Foursquare. Phone advertising identifiers are sent to servers associated with Google's Firebase service, while the assigned random ID and phone name — which by default typically includes a user's first name — is sent to software diagnostics firm Bugfender.
In an email to Fast Company, ProudCrowd founder Tim Brookins said Care19's Foursquare integration was a mistake that will soon be rectified. Brookins characterized the error as "fairly benign, as Foursquare doesn't actually collect our sent data."
While Care19 does not rely on the recently released Apple-Google Exposure Notification API, Apple was involved in the vetting of the app, reports The Washington Post. Apple is currently investigating Jumbo's claims and will work with ProudCrowd to bring the app in compliance with its rules.
Ironically, a North Dakota public health authority official was among a handful of experts who last week criticized Apple and Google's cross-platform Exposure Notification system as being too restrictive for general adoption. In an article published by The Post, critics of the Apple-Google solution, including developers of contact tracing apps, said the Exposure Notification API incorporates data sharing restrictions that are detrimental to contact tracing operations.
"Every minute that ticks by, maybe someone else is getting infected, so we want to be able to use everything we can," said Vern Dosch, contact tracing liaison for North Dakota. "I get it. They have a brand to protect. I just wish they would have led with their jaw."
Apple and Google's systems deny access to geolocation data, anonymize user equipment and restrict apps from storing data on a centralized server, among other safeguards. If a PHA's app does not meet Apple-Google standards, it is not granted access to the API and is thus prohibited from processing tasks in the background.
North Dakota initially built its app with hopes of integrating Exposure Notification technology, but the privacy restrictions prompted the team to start over and create two separate apps: one for contact tracing teams and another that integrates the Exposure Notification API.
It is unclear if North Dakota will roll out a new version of the Care19 app with the Exposure Notification API baked in, but the state is one of three to announce support of the Apple-Google initiative. On Thursday, Alabama and South Carolina also signed on as early adopters of the technology, reports AL.com.
"(We've) joined hands with these two global giants in hopes of helping our people learn when and where they may have gotten exposed to this virus," Alabama Gov. Kay Ivey said. "Hopefully, this will become an important tool in the tool kit to slow the spread of coronavirus by using what almost every Alabamians has in their pocket ... a cell phone."
After a brief beta testing period, Apple and Google's Exposure Notification API went live on Wednesday with the release of iOS 13.5. Contact tracing apps that take advantage of the framework should see release in the coming days or weeks.