North Dakota’s contact-tracing digital solution has been violating its privacy policy by sharing sensitive user data with third parties, smartphone privacy company Jumbo Privacy found in an investigation. The state’s Care19 app, which is one of the first contact-tracing apps to debut in the United States, is covertly transmitting location information to the search and discovery platform Foursquare, and the phone’s unique Advertising ID to Google.
In addition, the app assigns each individual an anonymous code, which is exchanged with the phones it comes in contact with so that they can be notified when they’re exposed to an infected person. That code is sent to Foursquare and to Bugfender, a Barcelona-based diagnostics software maker.
Care19 is developed by ProudCrowd, a company that’s also responsible for the state’s location-based social networking service. As per the app’s official website, it “anonymously caches the individual’s locations throughout the day” and only stores information of places “a person visits for 10 minutes or more.”
While the rest of the data that’s being shared like the Advertising ID may seem harmless, it can prove rather detrimental to your privacy. This information is unique to you and is available to nearly every app installed on your phone. That enables advertising platforms such as Google to track you across various third-party services and is a common loophole tech companies take advantage of to snoop on your digital activities.
The Care19 privacy policy says that the “location data is private to you and is stored securely on ProudCrowd, LLC servers” and it will not be “shared with anyone including government entities or third parties, unless you consent or ProudCrowd is compelled under federal regulations.”
In a statement to FastCompany, ProudCrowd and Jennifer Skjod, a public information officer for North Dakota, confirmed the presence of these entities.
While the location data is transmitted to facilitate Foursquare’s services, which are used to determine businesses near your location, the random ID wasn’t supposed to be shared and the company plans to remove it. “Foursquare does not allow them to collect Care19 data or use it in any form,” it added. On top of that, Care19 users will soon have the option to opt out of Bugfender’s diagnostic data collection.
ProudCrowd founder Tim Brookins also told FastCompany that it will be updating the app’s privacy policy to explicitly “call this out in some additional detail and also name the third party (Google Firebase).”
Privacy is one of the fundamental concerns experts have raised about contact-tracing apps, and they have warned that proactive data collection can lead to incidents such as these. Interestingly, North Dakota is one of the first states to adopt Apple-Google’s contact-tracing tech. Since Google and Apple won’t allow officials to collect or store location data, the state says it plans to maintain two separate contact-tracing apps: Care19 Diary, which will keep tabs on a person’s location history, and Care19 Exposure, which will be based on the Apple-Google API to alert users of exposure through Bluetooth.