"Protecting your data, privacy and personal information is very important to [us]." Nowadays, sentences like this are stated in so many privacy policies – it appears all companies have become data-protection pioneers. Recent analyses, however, cast severe doubt on the seriousness of these statements.
From a legal point of view, such transfers are very questionable: The GDPR stipulates that whenever personal data is collected, the person concerned must be informed "at the time when personal data are obtained". Since the app transmitted data prior to this information, Ada seemed to interpret "at the time" quite freely.
Transferred data included not only technical information about the smartphone and operating system but also the symptoms entered by the user after logging in: "First of all, I'm asked whether it's about me or someone else. Then I'm prompted to enter what's bothering me the most. I enter incontinence for testing purposes. This is immediately transmitted to Ada [...] Not only to Ada, however, but along with other information also to the Amplitude tracker," wrote Kuketz in his blog.
c't contacted Ada Health GmbH and enquired about these transmissions of disease symptoms to Amplitude found by Kuketz. In its response the company stated: "Third parties do not have access to personal health information of users. Facebook, Adjust or Amplitude therefore do not know whether a user is claiming to have high blood pressure or where he is insured."
Data traffic to Facebook
Confronted with our results, the company now declared that it had "its own protected area within Amplitude" to which "Amplitude has no access," this being "secured by appropriate contracts". However, the US-based analysis company Amplitude, in its general terms and conditions, grants itself contractual access rights in order to be able to offer its service at all. Ada's contracts with Amplitude may differ from the standard terms and conditions, but in principle Amplitude needs access to the data, at least in order to receive it. In addition, under the CLOUD Act, US authorities may access the data at any time, without the user being informed about it.
Asked why the symptoms and insurance data were transferred to external companies in the first place, Ada Health did not offer any information. Moreover, the company denied the problematic nature of the data transfer: "This is a common procedure. The claim that Amplitude can identify people is therefore wrong," a spokesperson told us.
But what Amplitude can or cannot do with the data depends on the behaviour of other sources transmitting data to the company. In principle, it is possible to create extensive profiles, as a recent Australian study published in the British Medical Journal shows. The researchers analysed traffic from 24 health apps, including Ada. Among the tested apps, Ada was the one that transmitted data to the largest number of third-party companies. Once the data is transferred, there is little possibility to control the further transmission to other subcontractors (so-called fourth parties). The Australian researchers were able to identify more than 200 such fourth parties in the entire test field, which potentially have access to data from health apps.
In principle, all these companies have the possibility to merge data from different sources into comprehensive dossiers on users, because the data is generally not sufficiently anonymised. The Ada app, too, not only transmitted symptom descriptions to Amplitude, but enriched them with various metadata, such as the gender of the user and the Android Advertising ID.
Precise user identification
The Advertising ID can be changed by the user. However, since few users do this regularly, data assigned to the ID can often be amassed to form detailed profiles: The Australian researchers were able to aggregate the approximate age, gender, place of residence, hobbies and interests, disease symptoms and medication of their test profile. Often users can be clearly identified with just a fraction of these parameters.
Commenting on the results of the traffic analysis, the press officer of the Techniker Krankenkasse stressed that "at no time data is exchanged between Ada and TK". The data protection office of the federal state of Berlin, which is responsible for the Berlin-based company, informed us upon request that Ada Health GmbH was known to them, but that the app had so far not been inspected, due to a lack of personnel and resources.
Ada may also have violated Google's own policies, which require that the advertising ID "must not be connected to personally-identifiable information [...] without explicit consent of the user." We asked Google to clarify its interpretation of the situation, but got only a general reply: "If apps violate these guidelines, we will act accordingly." Nevertheless, our enquiry apparently did have an effect and shortly before our editorial deadline events unfolded in rapid succession: First the Ada app disappeared from the Play Store, then it reappeared on October 4th – in the new version 2.49.1. During a brief check we could not find data transfers to Amplitude any more.
Draft law in renegotiation
Ada's behaviour and reactions demonstrate that there is obviously a lot of catching up to do regarding data privacy in health apps. Most Germans seem to agree, as a study by the Office of Technology Assessment at the German Bundestag showed: More than 80 percent of Germans want that "binding standards for quality, data privacy and data security are established" for health apps, that "compliance with data privacy requirements by app manufacturers and app store operators should be more closely monitored" and that "app manufacturers and app store operators should enter into self-commitments in order to better protect the privacy of app users."
Given cases such as Ada's and this public opinion, Jens Spahn, German Federal Minister of Health, should act and improve the draft of the digital care law (Digitale-Versorgung-Gesetz, DVG). The bill, which allows health apps to be prescribed and then be paid for by health insurance companies, was recently submitted to the committees for renegotiation after a first reading at the end of September.