Several widely used Opioid treatment recovery apps access and share sensitive user data with third parties, a new investigation has revealed.
In the wake of the COVID-19 pandemic and efforts to reduce transmission in the United States, telehealth services and apps offering treatment for opioid dependence have grown in popularity. This increase in app-based services comes as drug treatment facilities face budget cuts and closures, which has led investors and government to turn to telehealth as a tool to fight drug abuse. growing drug addiction crisis.
While people accessing these services may have a reasonable expectation of the privacy of their health data, a new report from ExpressVPN’s Digital Security Lab, compiled in collaboration with the Opioid Policy Institute and the Defensive Lab Agency, found that some of these apps collect and share sensitive information with third parties, raising questions about their privacy practices and security.
The report looked at 10 opioid treatment apps available on Android: Bicycle Health, Boulder Care, Confidant Health. DynamiCare Health, Kaden Health, Loosid, Pear Reset-O, ââPursueCare, Sober Grid and Workit Health. These apps have been installed at least 180,000 times and have received more than $ 300 million in funding from investment groups and the federal government.
Despite the vast scope and sensitive nature of these services, research has found that the majority of apps access unique identifiers on the user’s device and, in some cases, share that data with third parties.
Of the 10 apps studied, seven access the Android Advertising Identifier (AAID), a user-generated identifier that can be linked to other information to provide information about identifiable individuals. Five of the applications also access the phone numbers of the devices; three access the device’s unique IMEI and IMSI numbers, which can also be used to uniquely identify a person’s device; and two access a list of user-installed apps, which the researchers say can be used to create a user’s âfingerprintâ in order to track their activities.
Many of the apps reviewed also obtain location information in one form or another, which, when correlated with these unique identifiers, enhances the ability to monitor a person, as well as their daily habits and behaviors and the people they are with. interacts. One of the methods used by apps is to use Bluetooth; Seven of the apps ask for permission to make Bluetooth connections, which the researchers say is of particular concern because it can be used to track users in real locations.
“Bluetooth can do what I call proximity tracking, so if you’re in a grocery store it knows how long you’ve been in a certain aisle, or how close you are to someone else,” Sean O’Brien, senior researcher at ExpressVPN’s Digital Security Lab who conducted the investigation, told TechCrunch. âBluetooth is an area of ââgreat concern to me. “
Another major area of ââconcern is the use of tracking SDKs in these apps, which O’Brien previously warned against in a recent investigation that found that hundreds of Android apps were sending user location data. granular to X-Mode, a data broker known for location data to US military contractors, and now banned from Apple and Google app stores. SDKs, or software development kits, are code packets that are included with the apps to make them work properly, like collecting location data. Often, SDKs are provided for free in exchange for returning data collected by applications.
âPrivacy continues to be one of the top concerns people cite for not undergoing treatmentâ¦ existing privacy laws are absolutely not up to date. ” Jacqueline Seitz, Legal Action Center
While the researchers are keen to stress that it does not classify all uses of trackers as malicious, especially since many developers may not even be aware of their existence in their applications, they have found a high prevalence of Tracker SDK in seven of the 10 apps. which revealed potential data sharing activity. Some SDKs are designed specifically to collect and aggregate user data; this is true even with regard to the core functionality of the SDK.
But the researchers explain that an app, which navigates to a recovery center, for example, can also track a user’s movements throughout the day and send that data back to the app’s developers and users. third.
In the case of Kaden Health, Stripe – which is used for payment services within the app – can read the list of apps installed on a user’s phone, their location, phone number, and name. its operator, as well as its AAID, its IP address, IMEI, IMSI and SIM serial number.
âAn entity as large as Stripe having an application directly sharing this information is quite alarming. It’s worrying for me because I know this information could be very useful for law enforcement, âO’Brien told TechCrunch. “I am also concerned that people with information about who has had treatment will end up making their way into decisions about health insurance and who to find a job.”
The data-sharing practices of these apps are likely a consequence of the development of these services in an environment of unclear U.S. federal guidelines regarding the processing and disclosure of patient information, the researchers say, although O’Brien said. told TechCrunch the actions could violate 42 CFR Part 2, a law that sets strict controls on the disclosure of patient information related to drug treatment.
Jacqueline Seitz, senior health privacy attorney at the Legal Action Center, however, said the 40-year-old law has yet to be updated to recognize apps.
âPrivacy continues to be one of the top concerns people cite for not going into treatment,â Seitz told TechCrunch. âWhile 42 CFR Part 2 recognizes the very sensitive nature of the treatment of substance use disorders, it does not mention applications at all. Existing privacy laws are definitely not up to date.
âIt would be great to see some leadership from the tech community setting some basic standards and recognizing that they are collecting ultra-sensitive information so that patients aren’t left in the middle of a health crisis trying to navigate them. privacy policies. Seitz said.
Another likely reason for these practices is the lack of staff responsible for data security and privacy, according to Jonathan Stoltman, director of the Opioid Policy Institute, who contributed to the research. “If you look at a hospital’s website, you will see an information officer, privacy officer or security officer in charge of physical security and data security,” he said. he told TechCrunch. “None of these startups have that.”
âThere’s no way you’ll think about privacy if you collect AAID, and almost all of these apps do it right off the bat,â Stoltman added.
Google is aware of ExpressVPN’s findings but has yet to comment. However, the report was released as the tech giant prepares to start restricting developer access to the Android Ad ID, mirroring Apple’s recent efforts to allow users to opt out of ad tracking. .
While ExpressVPN wants to educate patients that these apps may violate expectations of privacy, it also highlights the central role that addiction treatment and recovery apps can play in the lives of those addicted to opioids. It recommends that if you or a family member have used any of these services and find the disclosure of this data problematic, contact the Civil Rights Office through Health and Social Services to make a formal complaint. .
âAt the end of the day, this is a general issue with the app economics, and we’re seeing telehealth as one of it, so we have to be really careful and careful,â O’Brien said. âThere has to be disclosure, users have to be aware and they have to demand better. “
Recovery from addiction is possible. For assistance, please call the free and confidential helpline (1-800-662-HELP) or visit findtreatment.gov.