When the Federal Trade Commission studied 12 mobile health and fitness apps, it found they disseminated user app data to 76 third parties.
One of those apps shared information on device models and identifiers and dietary and workout habits with 18 other entities.
As data collection, sharing, privacy and security issues become top-of-mind among government entities, the FTC this morning continued its focus on these topics through the prism of fitness and health tech.
Research on mobile-app data-sharing conducted internally by the commission was presented by Jah-Jiun Ho, an attorney working in the FTC's Mobile Technology Unit. According to Mr. Ho, the agency found that four of the 12 mobile apps evaluated sent data to one particular ad company. In some cases third parties that received consumer data from app companies saw the same device ID associated with more than one app, which potentially could allow those firms to piece together usage data on individual consumers to create more robust profiles.
"In a few instances we found names and e-mail addresses being transmitted," said Mr. Ho. The FTC did not reveal which apps or wearable devices it analyzed in its study; however, it said it analyzed data sharing by free apps for pregnancy, smoking cessation and exercise.
Fourteen third parties grabbed usernames, names and email addresses from the apps, while 22 received data on exercise and diet habits, medical symptom searches, zip codes, geo-location and gender, according to the report.
The FTC seminar came on the heels of a White House report on data brokers and privacy from the House Council of Advisors on Science and Technology, published last week.
The commission's chief technologist, Latanya Sweeney, has a background in data de-identification and re-identification research and gave a presentation describing ways in which individual data fields and sets that have been stripped of personally identifiable data can be combined with one another to re-identify the information. Expect the FTC to continue its research into the drawbacks of data de-identification and anonymization.
Concerns about penalization
Ms. Sweeney indicated the agency is concerned consumers could be penalized based on health data; for instance, a financial institution might adjust credit ratings based on the fact someone has a disease, she suggested.
The FTC doesn't have any major health data privacy initiatives in the works, according to a spokesman, but the agency is adamant about protecting consumers from having their health, medical and fitness data used to determine things like insurance rates or drug pricing. A Senate bill introduced earlier this year was prefaced by a December 2013 Senate Commerce Committee report showing how sensitive health and other personal data is compiled by data firms.
As government scrutiny of health-data sharing and use persists, one question will become increasingly important: How is health data defined?
"As we accrue this data and collate it and use it, it is going to be harder and harder to draw that line of what's health [data] and what isn't," said Joy Pritts, chief privacy officer for the Office of the National Coordinator for Health Information Technology at the Department of Health and Human Services, who spoke on a separate panel session during the seminar.
She continued, "I think people's spending patterns, for example, would never occur to you to be health data, yet that model may be used at some point to treat you and then it does become your health information, doesn't it?"