Serviceteam IT Security News
The operators of a North Dakota contact tracing app have had a rethink when it comes to sharing users’ data with third-party services.

Care19 was created by ProudCrowd LLC to track the spread of COVID-19 in the Peace Garden State. Following the app’s launch, cybersecurity company Jumbo Privacy discovered that Care19 was sending user data to third-party services.

The information being shared was the Identifier for Advertisers (IDFA), an ad-tracking device that enables an advertiser to understand when a phone user has taken an action like a click or an app install.

North Dakota stated that the Care19 app “does not have any information that is tied to an individual person” and information uploaded via the app is “100% anonymous.”

However, Jumbo found that users accessing the Care19 app via the iOS on their iPhone could be unmasked through the IDFA on their device.

One of the third-party services receiving Care19 users’ IDFA data was Foursquare, a location service that provides advertisers with tools to reach people who have visited specific locations. That arrangement has now ceased.

Jumbo CEO Pierre Valade told Infosecurity Magazine: “Care19 shared with us on June 3rd that the new version of their app (v3.3) was no longer sharing users’ IDFA to Foursquare. We’ve reviewed the app and can confirm this is true.”

Care19 and Foursquare told Jumbo that the IDFA data was collected automatically by using Foursquare’s SDK, Pilgrim, and there was no way for developers to disable this collection.

Valade said: “After you published our research and in response to our concerns, Foursquare made an important change to its geolocation SDK ‘Pilgrim’ to permit developers to disable collection of a user’s IDFA and prevent it from being shared with Foursquare.”

Jumbo’s CEO described the change of heart as “a big win for privacy” but said that there were still concerns about Care19 that needed to be addressed.

“Care19’s privacy policy does not indicate how a user can exercise their privacy rights, what the officials intend to do with the data once recent contacts have been identified, and how long will this data be retained for,” said Valade.

In addition, Care19 has not yet confirmed that pushing the deletion tab will also delete user data anywhere else it was stored, notably in third-party servers.

Source: Infosecurity Magazine

With over 20 years of experience, Serviceteam IT design and deliver sophisticated connectivity, communication, continuity, and cloud services, for organisations that need to stay connected 24/7. We take the time to fully understand your current challenges, and provide a solution that gives you a clear understanding of what you are purchasing and the benefits it will bring you.

To find out how we can help you, call us on 0121 468 0101, use the Contact Us form, or why not drop in and visit us at 49 Frederick Road, Edgbaston, Birmingham, B15 1HN.

We’d love to hear from you!