Researchers have discovered that, contrary to its own privacy policy, North Dakota’s contact tracing app shares data with FourSquare.
North Dakota became one of the first states to unveil a contact tracing app to help combat the coronavirus pandemic. The app, Care19, was created for the state by ProudCrowd LLC. The app’s privacy policy makes the following statement regarding how data is used:
“This location data is private to you and is stored securely on ProudCrowd, LLC servers. It will not be shared with anyone including government entities or third parties, unless you consent or ProudCrowd is compelled under federal regulations.”
Similarly, the privacy policy claims to anonymize user data, saying “your data is identified by an anonymous code.”
There’s only one problem: It isn’t true. Researchers at Jumbo Privacy analyzed the app and found that it was sharing user location data with FourSquare. To make matters even worse, the anonymized code was sent to FourSquare along with a device’s Advertiser Identifier (IDFA). As Jumbo Privacy states, “An IDFA is an identifier that is shared across all apps on your phone, and often leaked by third-party SDKs, along with personal information.”
ProudCrowd is perfectly illustrating why Apple and Google have fought so hard to build their contact tracing API with a focus on privacy. Even when using the API, there is still room for abuse.
In the meantime, Jumbo Privacy recommends that users not install the app until the application lives up to its privacy policy, or the privacy policy accurately reflects what the app is doing.