The operators of a North Dakota contact tracing app have had a rethink when it comes to sharing users' data with third-party services.
Care19 was created by ProudCrowd LLC to track the spread of COVID-19 in the Peace Garden State. Following the app's launch, cybersecurity company Jumbo Privacy discovered that Care19 was sending user data to third-party services.
The information being shared was the Identifier for Advertisers (IDFA), an ad-tracking identifier that enables an advertiser to understand when a phone user has taken an action like a click or an app install.
North Dakota stated that the Care19 app "does not have any information that is tied to an individual person" and information uploaded via the app is "100% anonymous."
However, Jumbo found that users running the Care19 app on iOS on their iPhone could be unmasked through the IDFA on their device.
One of the third-party services receiving Care19 users' IDFA data was Foursquare, a location service that provides advertisers with tools to reach people who have visited specific locations. That arrangement has now ceased.
Jumbo CEO Pierre Valade told Infosecurity Magazine: "Care19 shared with us on June 3rd that the new version of their app (v3.3) was no longer sharing users’ IDFA to Foursquare. We’ve reviewed the app and can confirm this is true."
Care19 and Foursquare told Jumbo that the IDFA data was collected automatically by using Foursquare's SDK, Pilgrim, and there was no way for developers to disable this collection.
Valade said: "After you published our research and in response to our concerns, Foursquare made an important change to its geolocation SDK 'Pilgrim' to permit developers to disable collection of a user’s IDFA and prevent it from being shared with Foursquare."
Jumbo's CEO described the change of heart as "a big win for privacy" but said that there were still concerns about Care19 that needed to be addressed.
"Care19’s privacy policy does not indicate how a user can exercise their privacy rights, what the officials intend to do with the data once recent contacts have been identified, and how long will this data be retained for," said Valade.
In addition, Care19 has not yet confirmed that pushing the deletion tab will also delete user data anywhere else it was stored, notably in third-party servers.