North Dakota’s COVID-19 app has been sending data to Foursquare and Google

The official COVID-19 contact-tracing app for the state of North Dakota, designed to detect whether people have potentially been exposed to the coronavirus, sends location data and a unique user identifier to Foursquare—and other data to Google and a bug-tracking company—according to a new report from smartphone privacy company Jumbo Privacy.

The app, called Care19, and produced by a company called ProudCrowd that also makes a location-based social networking app for North Dakota State sports fans, generates a random ID number for each person who uses it. Then, it can “anonymously cache the individual’s locations throughout the day,” storing information about where people spent at least 10 minutes at a time, according to the state website. If users test positive for the coronavirus, they can provide that information to the North Dakota Department of Health for contact-tracing purposes so that other people who spent time near virus patients can potentially be notified.

According to the app’s privacy policy, “location data is private to you and is stored securely on ProudCrowd, LLC servers” and won’t be shared with third parties “unless you consent or ProudCrowd is compelled under federal regulations.”

But according to the Jumbo report, the app sends the random ID number, along with a phone ID used for advertising purposes and apparent latitudes and longitudes of places visited by the user, to Foursquare, a leading location-data provider. The app also sends the random ID to servers run by Bugfender, a Barcelona-based service used by app makers to track and diagnose software malfunctions, according to Jumbo, which monitored internet traffic generated by the app. It’s accompanied by the phone’s name, which often includes the device owner’s first name, according to the report. The phone’s advertising ID is also sent to Google servers that appear to be affiliated with Google’s Firebase service, Jumbo found.

“Our main point is that the privacy policy is not disclosing this sharing with third parties,” says Jumbo CEO Pierre Valade. Valade and Jumbo CTO Jan Sichermann previously worked at Foursquare, but the company emphasizes the study wasn’t based on any information they collected while at the company. In its report, Jumbo recommends people don’t install the app until the privacy policy is made more explicit or the app is updated to stop sharing data.

Tightening up

In a statement, ProudCrowd confirmed the use of Bugfender and Foursquare services and said it plans to update its privacy policies and the app in the future.

“The Care19 application user interface clearly calls out the usage of Foursquare on our ‘Nearby Places’ screen, per the terms of our Foursquare agreement,” according to the company’s statement. “However, our privacy policy does not currently explicitly mention this usage. We will be working with our state partners to be more explicit in our privacy policy. It is important to note that our agreement with Foursquare does not allow them to collect Care19 data or use it in any form, beyond simply determining nearby businesses and returning that to us.”

In an email to Fast Company, ProudCrowd founder Tim Brookins wrote that the random ID was included in the messages to Foursquare unintentionally, and that the company will remove it as soon as possible.

The transmission of information to Foursquare is “fairly benign, as Foursquare doesn’t actually collect our sent data,” Brookins wrote. “But easy enough for us to remove. Good catch by the security firm.”

Jennifer Skjod, a public information officer for North Dakota, says the state stands behind ProudCrowd’s statement.

“We’re confident whatever he responded [with] is exactly what we would say,” she says of Brookins’s response.

Foursquare has expanded beyond its namesake city guide app to provide location tracking for other software companies. “Foursquare receives some data from Care19, a free user of our SDK, but we do not use the data in any way and it is promptly discarded,” a company spokesperson wrote in an email to Fast Company. “For free users of our SDK, Foursquare does not use, repackage, or resell the data. Essentially, any data we might receive is immediately discarded.”

ProudCrowd also plans to make “diagnostic data collection” via Bugfender opt-in in future versions of the app, according to the company’s statement.

“This will enable users to opt in to send diagnostics when they need technical support and avoid overcollection of unneeded data on our part,” according to the statement.

In an email to Fast Company, Bugfender cofounder and CEO Jordi Giménez said he wasn’t able to confirm whether or not ProudCrowd’s app used Bugfender’s software. In general, he wrote, data sent by apps to its servers is stored securely and not shared with third parties or used for user profiling or advertising.

“We make money by charging the app makers a fee for using the tool, and their data belongs to them,” he wrote. “We don’t mess with it.”

The privacy policy will also be updated to reflect data sent to Google, Brookins says.

“Our privacy policy currently has a fairly blanket-like statement in the second paragraph noting we collect data for app usability and app reliability reasons (app crashes, etc..),” he wrote. “Our revised privacy policy will call this out in some additional detail and also name the third party (Google Firebase).”

Google Analytics for Firebase has rules about what information can be sent to the service, a Google spokesperson wrote in an email to Fast Company.

“Any developer that chooses to use Google Analytics for Firebase is prohibited from passing information, like an email address or phone number, that could personally identify someone to Google, and we use a combination of machine learning and human review to identify health apps and mark them ineligible for ads usage,” the spokesperson wrote.

Jumbo CEO Valade says he was encouraged by ProudCrowd’s statement and says that if the company updates the app and privacy policy, Jumbo may revise its recommendation not to use the app.

“I think they are taking the appropriate steps,” he says.

The complications of contact tracing

Contact tracing, where people potentially exposed to a disease are notified so they can be tested and potentially treated or quarantined, has been seen as a potential way to reduce the spread of COVID-19. Apple and Google have developed software toolkits to let public health agencies build iOS and Android apps to enable automated phone proximity detection via Bluetooth, and many state and local agencies have begun hiring people to manually trace contacts of those infected with the virus. North Dakota officials have indicated future versions of Care19 will incorporate the new Apple-Google technology. A Google spokesperson indicated the app isn’t currently using that system.

“This app does not use Google’s Exposure Notification API, which strictly prohibits apps from collecting or using Android’s Advertising ID,” the spokesperson wrote in an email to Fast Company.

How well such apps will work, and whether people will install them in sufficient numbers to be useful, remains an open question, with some surveys indicating people are skeptical of the technology. Experts and activists have also expressed concerns about erroneous results and privacy concerns. A bill introduced in Congress last week would limit how such data could be used.

“Data collected in connection with contact tracing should not be used for any secondary purpose, let alone a commercial one,” wrote Ryan Calo, an associate professor at the University of Washington School of Law and a backer of the proposed law, in an email to Fast Company.

This story was updated on May 22 to include information from Google.