Ethical Ambiguities in the Privacy Policies of Mobile Health and Fitness Applications

Introduction

Mobile leisure, health, and wellness applications (apps) are ubiquitous. A recent study reveals that there are approximately 97,000 varieties of inexpensive and easy to use mobile health apps available in the market; at such a pace numbers are becoming outdated almost as soon as they are published (Privacy Clearinghouse, 2013). It is predicted that by 2017 half of the world’s more than 3.4 billion smart phone users will have downloaded health and fitness apps (Comstock, 2013), which raises the question: what happens to the sensitive data consumers enter into these apps?

Indeed, a hot topic in both Canada and the U.S., concerns exactly what third parties, such as insurance companies, can legally do with personal data. American law dictates that health insurance companies cannot discriminate based on a history of illness. However, while data held by a health plan, health care provider, or lab may be protected by the federal Health Insurance Portability and Accountability Act (HIPAA), legal scholars warn that if a patient is going to upload health or wellness data to a mobile application (app), it may not be covered by those laws (Rogers, 2014; Whitman & Mattord, 2012). Such legal ambiguities have implications for Canadian users of health and wellness apps, because many of these devices are based in the U.S., with the data being stored on U.S. servers and thus they may not conform to privacy requirements (Akkad, 2013).

There are some other important concerns with privacy and security issues related to mobile health and fitness applications. For example, personal apps collect all sorts of personal information like name, email address, age, height, weight, and in some cases detailed health information. When using such apps, many users may trustfully log everything from diet to sleep patterns in the apps. By sharing such personal information end- users may make themselves targets to misuse of this information by unknown third parties. Moreover, according to Gralla et al. (2011), apps can gather the phone number and the unique ID number of each type of phone: the Unique Device Identifier (UDID) on an iPhone, the International Mobile Equipment Identity (IMEI) number on a BlackBerry, and (depending on the make) the IMEI or the Mobile Equipment Identifier (MEID) on an Android phone. In this way, personal information that apps gather about an end-user can be matched to these IDs, which means that ad networks can easily combine various pieces of information collected by multiple apps to build a sophisticated profile about a given end-user and thereby posing a major privacy risk to personal data. Therefore, uninformed decision making by end-users raises important concerns regarding the ethics around sharing personal data gathered from health and fitness apps to third parties. These concerns can be much graver when Martínez-Pérez and colleagues (2014), in a review of privacy and security in mobile health apps, found evidence of insecure handling of clinical and medical data.

To summarize, the issues raised above may be broken down to the following concerns:

• 1.

  Ownership and veracity of sensitive data shared on personal apps;

• 2.

  What end users really understand about the use of their data (what data is collected and the specifics of how it may be used);

• 3.

  The ethics of sharing end-users' personal information and sharing it with third-parties.