Massive privacy deficiencies in the health app Ada

Massive privacy deficiencies in the health app Ada

Trends & News | c't deckt auf

Health apps like "Ada" process particularly sensitive data and their developers like to emphasize how important the privacy of users is to them. However, an analysis of the transmissions made by the app Ada revealed that it passed on health data to third parties.

"Protecting your data, privacy and personal information is very important to [us]." Nowadays, sentences like this are stated in so many privacy policies – it appears all companies have become data-protection pioneers. Recent analyses, however, cast severe doubt on the seriousness of these statements.

The above quotation is taken from the privacy policy of the app "Ada", developed by the German Ada Health GmbH with headquarters in Berlin. As a kind of chat program, Ada asks the user about symptoms, points out possible illnesses and advises the user to consult a doctor if necessary. The free app became known in Germany partly because the health insurance company "Techniker Krankenkasse" cooperates with Ada Health so that the app can present suitable offers to TK policyholders. It ranks among the most popular health apps in Google's and Apple's app stores.

Ada advertises its health app with a TÜV seal of approval. The TÜV, a product inspection and certification agency, apparently did not object to the data transfer.
Ada advertises its health app with a TÜV seal of approval. The TÜV, a product inspection and certification agency, apparently did not object to the data transfer.

Previously we reported on questionable passages in Ada Health's privacy policy. Meanwhile, IT security expert Mike Kuketz looked into the actual behaviour of Ada for Android – checking which data Ada transfers when and whereto – and described serious problems.

Ada uses tracking and analysis services such as Amplitude, Adjust and Facebook as declared in its privacy policy. However, according to Kuketz, data was sent to both Facebook and Amplitude even before the app presented its terms and conditions as well as its privacy policy to the user and asked to accept them. So, according to Kuketz's findings, even if the user refused to agree and closed the app, data had already been sent to Facebook and Amplitude.

From a legal point of view, such transfers are very questionable: The GDPR stipulates that whenever personal data is collected, the person concerned must be informed "at the time when personal data are obtained". Since the app transmitted data prior to this information, Ada seemed to interpret "at the time" quite freely.

Transferred data included not only technical information about the smartphone and operating system but also the symptoms entered by the user after logging in: "First of all, I'm asked whether it's about me or someone else. Then I'm prompted to enter what's bothering me the most. I enter incontinence for testing purposes. This is immediately transmitted to Ada [...] Not only to Ada, however, but along with other information also to the Amplitude tracker," wrote Kuketz in his blog.

c't contacted Ada Health GmbH and enquired about these transmissions of disease symptoms to Amplitude found by Kuketz. In its response the company stated: "Third parties do not have access to personal health information of users. Facebook, Adjust or Amplitude therefore do not know whether a user is claiming to have high blood pressure or where he is insured."

We then carried out our own analyses with the then current version 2.49.0 of the app. We could not only confirm the findings of Kuketz, but also inspect the data transmissions to Facebook: Among other information, the Ada app transferred the name of the user's health insurance. This is remarkable, since the privacy policy of Ada Health GmbH states that "no profile information of the App and no health information is transmitted to Facebook."

Confronted with our results, the company now declared that it had "its own protected area within Amplitude" to which "Amplitude has no access," this being "secured by appropriate contracts". However, the US-based analysis company Amplitude in its general terms and conditions, grants itself contractual access rights in order to be able to offer its service at all. Ada's contracts with Amplitude may differ from the standard terms and conditions, but in principle Amplitude needs access to the data, at least in order to receive it. In addition, under the CLOUD act, US authorities may access the data at any time, without the user being informed about it.

Asked why the symptoms and insurance data were transferred to external companies in the first place, Ada Health did not offer any information. Moreover, the company denied the problematic nature of the data transfer: "This is a common procedure. The claim that Amplitude can identify people is therefore wrong," a spokesperson told us.

Ada 2.49.0 transmitted symptom descriptions (here "Herzrasen", i.e. "tachycardia") to Amplitude. We logged the transmission with Packet Capture.
Ada 2.49.0 transmitted symptom descriptions (here "Herzrasen", i.e. "tachycardia") to Amplitude. We logged the transmission with Packet Capture.

But what Amplitude can or cannot do with the data depends on the behaviour of other sources transmitting data to the company. In principle, it is possible to create extensive profiles, as a recent Australian study published in the British Medical Journal shows. The researchers analysed traffic from 24 health apps, including Ada. Among the tested apps, Ada was the one that transmitted data to the largest number of third-party companies. Once the data is transferred, there is little possibility to control the further transmission to other subcontractors (so-called fourth parties). The Australian researchers were able to identify more than 200 such fourth parties in the entire test field, which potentially have access to data from health apps.

In principle, all these companies have the possibility to merge data from different sources into comprehensive dossiers on users, because the data is generally not sufficiently anonymised. The Ada app, too, not only transmitted symptom descriptions to Amplitude, but enriched them with various metadata, such as the gender of the user and the Android Advertising ID.

The Advertising ID can be changed by the user. However, since few users do this regularly, data assigned to the ID can often be amassed to form detailed profiles: The Australian researchers were able to aggregate the approximate age, gender, place of residence, hobbies and interests, disease symptoms and medication of their test profile. Often users can be clearly identified with just a fraction of these parameters.

Additionally, a more detailed analysis of Ada's privacy policy revealed differences between the German and the English version. According to Ada, the latter is the official version and authoritative in case of discrepancies. The phrase "... um unbefugten Zugriff zu verhindern" in the German version corresponds to a sentence which expresses the mere attempt in the English version: "... to try to prevent unauthorised access." A German paragraph on the use of name, date of birth, Facebook username and password was completely missing in the English version and right at the beginning the English version spoke of "your rights" (of the user regarding his data), while the German version spoke of "unseren Rechten", that is the rights of Ada. Various minor deviations and technical inaccuracies (such as "SSL" and not "TLS") are comparatively harmless. Such differences, which German-speaking readers are apparently supposed to discover themselves with the help of the English version, are hardly GDPR-compliant. The GDPR requires regulations to be "easy to understand, and that clear and plain language" is used.

Commenting on the results of the traffic analysis, the press officer of the Techniker Krankenkasse stressed that "at no time data is exchanged between Ada and TK". The data protection office of the federal state of Berlin, which is responsible for the Berlin-based company, informed us upon request that the Ada Health GmbH was known to them, but that the app had so far not been inspected, due to lack of personnel and resources.

Ada may also have violated Google's own policies, which require that the advertising ID "must not be connected to personally-identifiable information [...] without explicit consent of the user." We asked Google to clarify its interpretation of the situation, but got only a general reply: "If apps violate these guidelines, we will act accordingly." Nevertheless, our enquiry apparently did have an effect and shortly before our editorial deadline events unfolded in rapid succession: First the Ada app disappeared from the Play Store, then it reappeared on October 4th – in the new version 2.49.1. During a brief check we could not find data transfers to Amplitude any more.

Ada's behaviour and reactions demonstrate that there is obviously a lot of catching up to do regarding data privacy in health apps. Most Germans seem to agree, as a study by the Office of Technology Assessment at the German Bundestag showed: More than 80 percent of Germans want that "binding standards for quality, data privacy and data security are established" for health apps, that "compliance with data privacy requirements by app manufacturers and app store operators should be more closely monitored" and that "app manufacturers and app store operators should enter into self-commitments in order to better protect the privacy of app users."

Given cases such as Ada's and this public opinion, Jens Spahn, German Federal Minister of Health, should act and improve the draft of the digital care law (Digitale-Versorgung-Gesetz, DVG). The bill, which allows health apps to be prescribed and then be payed for by health insurance companies, was recently submitted to the committees for renegotiation after a first reading at the end of September. (syt)


This article was first published in c't 22/2019

Kommentare