A cybersecurity company has claimed that a contact tracing app introduced by North Dakota is sending data to third parties and exposing users' identities.
Like South Dakota and Utah, North Dakota has built its own contact-tracing app, Care19, in an effort to monitor the spread of the novel coronavirus.
Jumbo Privacy alleges that the Care19 app, created by ProudCrowd LLC to track the spread of COVID-19 in The Peace Garden State, is sharing user data with Foursquare and other third-party services.
Foursquare is a location service that provides advertisers with tools to reach audiences who have been at specific locations.
Users of the Care19 app are told in the privacy policy that their "location data is private to you and is stored securely on ProudCrowd, LLC servers. It will not be shared with anyone including government entities or third parties, unless you consent or ProudCrowd is compelled under federal regulations."
North Dakota claims that users of the app cannot be individually identified. On the state's website in the app FAQ section it states that “the application does not have any information that is tied to an individual person” and information uploaded via the app is "100% anonymous."
Jumbo disputes this assertion, claiming instead that users accessing the app via iOS on their iPhone can be unmasked through the Identifier for Advertisers (IDFA) on their device.
The IDFA is an ad-tracking device that enables an advertiser to understand when a phone user has taken an action like a click or an app install.
"They share the IDFA with Foursquare, which means it’s not anonymous," said Jumbo Privacy CEO Pierre Valade. "It’s a unique ID tied to your phone."
Foursquare confirmed in a statement that it receives Care19 data. However, the company said it promptly discards the information sent via the app and doesn't use it for anything.
The Care19 privacy policy indicates that “Your data is identified by an anonymous code.” Jumbo found that, along with the IDFA, this anonymous code was transmitted to Foursquare. The code was also being sent, together with the name given to the phone by the user (e.g., Paul's phone), to remote logger Bugfender.