A new investigation has found that several widely used opioid treatment and recovery apps access sensitive user data and, in some cases, share it with third parties. As a result of efforts to reduce transmission in the U.S., telehealth services have grown in popularity, while addiction treatment facilities face budget cuts and closures, which has seen both investor and government interest turn to telehealth as a tool to combat the growing addiction crisis.
While people accessing these services may have a reasonable expectation ofpractices.
The report studied ten opioid treatment apps: Bicycle Health, Boulder Care, Confidant Health, DynamiCare Health, Kaden Health, Loosid, Pear Reset-O, PursueCare, Sober Grid, and Workit Health. It found that the apps accessed unique identifiers about the user’s device and, in some cases, shared that data with third parties. These apps have been installed at least 180,000 times and have received more than $300 million in funding from investment groups and the government. Despite these services’ vast reach and sensitivity, the research found that most
Seven of the ten apps studied access the Android Advertising ID (AAID), a user-generated identifier that can be linked to other information to provide insights into identifiable individuals. Five of the apps also access the device’s phone number; three access the device’s unique IMEI and IMSI numbers, which can also be used to uniquely identify a person’s device; and two access a user’s list of installed apps, which the researchers say can be used to build a “fingerprint” of a user to track their activities.
Many of the apps examined also obtain location information in some form, which, when correlated with these unique identifiers, strengthens the capability for surveilling an individual and their daily habits, behaviors, and who they interact with. One method the apps use is Bluetooth: seven of the apps request permission to make Bluetooth connections, which the researchers say is particularly worrying because this can be used to track users in real-world locations. “Bluetooth can do what I call proximity tracking, so if you’re in the grocery store, it knows how long you’re in a certain aisle, or how close you are to someone else,” Sean O’Brien, the principal researcher at ExpressVPN’s lab who led the investigation, told TechCrunch. “Bluetooth is an area that I’m pretty concerned about.”
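To make the identifier and permission classes discussed above concrete, here is an added example (not code from the report, TechCrunch, or any of the apps studied) that triages an Android manifest for the permissions behind those data classes. The permission-to-category mapping is the example's own simplification and the manifest it inspects is constructed.

```python
import xml.etree.ElementTree as ET
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Real Android permission names mapped to the identifier classes the report
# flags. The grouping is this example's own simplification: what a permission
# exposes varies by API level, and some data needs no permission at all.
PERMISSION_CATEGORIES = {
    "com.google.android.gms.permission.AD_ID": "advertising id (AAID)",
    "android.permission.READ_PHONE_STATE": "phone number / IMEI / IMSI",
    "android.permission.READ_PHONE_NUMBERS": "phone number / IMEI / IMSI",
    "android.permission.QUERY_ALL_PACKAGES": "installed app list",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.BLUETOOTH": "bluetooth (proximity tracking)",
    "android.permission.BLUETOOTH_SCAN": "bluetooth (proximity tracking)",
    "android.permission.BLUETOOTH_CONNECT": "bluetooth (proximity tracking)",
}

def declared_permissions(manifest_xml):
    """Return the names declared by <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    tags = ("uses-permission", "uses-permission-sdk-23")
    return {e.get(ANDROID_NS + "name") for e in root.iter()
            if e.tag in tags and e.get(ANDROID_NS + "name")}

def audit_manifest(manifest_xml):
    """Group flagged permissions by the identifier class they can expose."""
    findings = {}
    for perm in sorted(declared_permissions(manifest_xml)):
        category = PERMISSION_CATEGORIES.get(perm)
        if category:
            findings.setdefault(category, []).append(perm)
    return findings

# Constructed sample manifest for demonstration; not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.recoveryapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.BLUETOOTH_CONNECT"/>
  <uses-permission android:name="com.google.android.gms.permission.AD_ID"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
</manifest>"""

if __name__ == "__main__":
    for category, perms in audit_manifest(SAMPLE_MANIFEST).items():
        print(f"{category}: {', '.join(perms)}")
```

A manifest check only shows what an app can request; confirming what is actually collected and where it is sent still needs traffic or code analysis.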
SDKs, or software development kits, are bundles of code included with apps to make them work properly, such as by collecting location data. Often, SDKs are provided for free in exchange for sending back the data that the app gathers. Another central area of concern is the use of tracker SDKs in these apps, which O’Brien previously warned about in a recent investigation that revealed that hundreds of Android apps were sending granular user location data to X-Mode, a data broker known to sell location data to U.S. military contractors, and now banned by both Apple and Google.
The report points out that it does not categorize all usage of trackers as malicious, especially as many developers may not even be aware of their existence within their apps, but the researchers discovered a high prevalence of tracker SDKs in seven out of the ten apps, revealing potential data-sharing activity. Some SDKs are explicitly designed to collect and aggregate user data alongside the SDK’s core functionality. For example, the researchers explain, an app that provides navigation to a recovery center may also be tracking a user’s movements throughout the day and sending that data back to the app’s developers and third parties.
In the case of Kaden Health, Stripe, which the app uses for payments, receives the list of installed apps on a user’s phone, their location, phone number, and carrier name, as well as their AAID, IP address, IMEI, IMSI, and SIM serial number. “An entity as large as Stripe having an app share that information directly is alarming. It’s worrisome because I know that information could be very useful for law enforcement,” O’Brien tells TechCrunch. “I also worry that people having information about who has been in treatment will eventually make its way into decisions about health insurance and people getting jobs.”
The researchers say the data-sharing practices of these apps are likely a consequence of these services being developed in an environment of unclear U.S. federal guidance regarding the handling and disclosure of patient information. O’Brien tells TechCrunch that the actions could nonetheless be in breach of 42 CFR Part 2, a law governing the disclosure of patient information related to treatment for addiction. However, Jacqueline Seitz, a senior staff attorney for health privacy at Legal Action Center, said this 40-year-old law hasn’t yet been updated to recognize apps.
“Confidentiality continues to be one of the major concerns people cite for not entering treatment,” Seitz told TechCrunch. “While 42 CFR Part 2 recognizes the sensitive nature of substance use disorder treatment, it doesn’t mention apps. Existing privacy laws are not up to speed.” “It would be great to see some leadership from the tech community to establish some basic standards and recognize that they’re collecting super-sensitive information so that patients aren’t left in the middle of a trying to navigate privacy policies,” said Seitz.
Another likely reason for these practices is a lack of security and data privacy staff, according to Jonathan Stoltman, director of the Opioid Policy Institute, which contributed to the research. “If you look at a hospital’s website, you’ll see a chief information officer, a chief privacy officer, or a chief security officer in charge of physical security and data security,” he tells TechCrunch. “None of these startups have that.” “There’s no way you’re thinking about privacy if you’re collecting the AAID, and almost all of these apps are doing that from the get-go,” Stoltman added.
Google is aware of ExpressVPN’s findings but has yet to comment. However, the company is preparing to start limiting developer access to the Android Advertising ID, mirroring Apple’s recent efforts to enable users to opt out of ad tracking. While ExpressVPN is keen to make patients aware that these apps may violate expectations of privacy, it also stresses the central role that addiction treatment and recovery apps may play in the lives of those with opioid addiction.
It recommends that if you or a family member used one of these services and find the disclosure of this data problematic, you contact the Office of Civil Rights through Health and Human Services. “The bottom line is this is a general problem with the app economy, and we’re watching telehealth become part of that, so we need to be very careful and cautious,” said O’Brien. “There needs to be disclosure, users need to be aware, and they need to demand better.”