North Dakota's Care19 app, one of the first digital coronavirus contact tracing solutions to hit the market in the U.S., contradicts its own privacy policy by sharing user information with third-party companies like Foursquare and Google, according to a study released on Thursday.
A review of Care19 by consumer privacy app company Jumbo Privacy found the app sends location data and other personal information to outside parties, reports Fast Company.
Developed by ProudCrowd, which markets a location-based social networking app for North Dakota State University sports fans, Care19 promises participant anonymity by assigning and tracking random user IDs. The system logs locations where a user spent 10 minutes or more, information that can be correlated with contact tracing data provided on a voluntary basis to the North Dakota Department of Health.
The app's privacy policy notes "location data is private to you and is stored securely on ProudCrowd, LLC servers," and will not be shared with third parties "unless you consent or ProudCrowd is compelled under federal regulations," the report said.
However, Jumbo found user ID numbers, phone IDs and what appears to be location data transmitted to Foursquare. Phone advertising identifiers are sent to servers associated with Google's Firebase service, while the assigned random ID and phone name — which by default typically includes a user's first name — are sent to software diagnostics firm Bugfender.
"The Care19 application user interface clearly calls out the usage of Foursquare on our 'Nearby Places' screen, per the terms of our Foursquare agreement," ProudCrowd said in a statement. "However, our privacy policy does not currently explicitly mention this usage. We will be working with our state partners to be more explicit in our privacy policy. It is important to note that our agreement with Foursquare does not allow them to collect Care19 data or use it in any form, beyond simply determining nearby businesses and returning that to us."
In an email to Fast Company, ProudCrowd founder Tim Brookins said Care19's Foursquare integration was a mistake that will soon be rectified. Brookins characterized the error as "fairly benign, as Foursquare doesn't actually collect our sent data."
While Care19 does not rely on the recently released Apple-Google Exposure Notification API, Apple was involved in the vetting of the app, reports The Washington Post. Apple is currently investigating Jumbo's claims and will work with ProudCrowd to bring the app into compliance with its rules.
Ironically, a North Dakota public health authority official was among a handful of experts who last week criticized Apple and Google's cross-platform Exposure Notification system as being too restrictive for general adoption. In an article published by The Post, critics of the Apple-Google solution, including developers of contact tracing apps, said the Exposure Notification API incorporates data sharing restrictions that are detrimental to contact tracing operations.
"Every minute that ticks by, maybe someone else is getting infected, so we want to be able to use everything we can," said Vern Dosch, contact tracing liaison for North Dakota. "I get it. They have a brand to protect. I just wish they would have led with their jaw."
Apple and Google's systems deny access to geolocation data, anonymize user equipment and restrict apps from storing data on a centralized server, among other safeguards. If a PHA's app does not meet Apple-Google standards, it is not granted access to the API and is thus prohibited from processing tasks in the background.
North Dakota initially built its app with hopes of integrating Exposure Notification technology, but the privacy restrictions prompted the team to start over and create two separate apps: one for contact tracing teams and another that integrates the Exposure Notification API.
It is unclear if North Dakota will roll out a new version of the Care19 app with the Exposure Notification API baked in, but the state is one of three to announce support of the Apple-Google initiative. On Thursday, Alabama and South Carolina also signed on as early adopters of the technology, reports AL.com.
"(We've) joined hands with these two global giants in hopes of helping our people learn when and where they may have gotten exposed to this virus," Alabama Gov. Kay Ivey said. "Hopefully, this will become an important tool in the tool kit to slow the spread of coronavirus by using what almost every Alabamian has in their pocket ... a cell phone."
After a brief beta testing period, Apple and Google's Exposure Notification API went live on Wednesday with the release of iOS 13.5. Contact tracing apps that take advantage of the framework should see release in the coming days or weeks.
43 Comments
Anyone who downloads and installs these contact tracing apps should have their heads examined. We can’t trust ANY of these bastards, including Apple. This crap happens every time, followed by apologies and promises to fix. Right, we got caught and now we have to do our dog and pony show. On the other hand we are already a surveillance society with cameras everywhere, facial recognition soon to follow all in the name of safety. Talk spreading around about Covid-19 ‘passports’ being issued to those with antibodies allowing them to travel freely while the rest of us stay sequestered.
The fewer apps you install the better. I have 3 news apps, 3 games (one of which is freemium), a calc, a VPN, and that’s it.
My home screen has quite a few website links.
Within a browser you (sadly) have more control of your data than in apps these days...
I don’t even install weather apps anymore.
Come on Apple! You can do better!
Want to bet if Apple started handing out automatic 1 year App Store bans for violators, 99% of these “oops” would disappear?
Wouldn’t it be more worthwhile to ‘examine’ the protocols that Apple/Google have published to see if there is some privacy defect? Assuming a rigidly cynical position for all contact tracing efforts could lead to reduced ability to contain outbreaks which would have real world consequences. I hope security experts do vigorously examine contact tracing efforts and I am sure they will. But unless and until a problem is discovered I would encourage everyone to participate so that fewer people get sick and die. Because it is a global pandemic.
And so it begins...
Sorry, but I won't be downloading any of these "contact tracing" apps, no matter who is behind them. They are a bit too late also, in my opinion, now that things are beginning to relax and loosen up everywhere. The hysteria has gone far enough.
If anybody disagrees, and they are free to do so, then they are welcome to lock themselves up inside of their homes for the next few years if they'd like.