#Privacy: North Dakota contact-tracing app ends data share with third-party services

North Dakota’s contact tracing app, Care19 makes security changes following allegations that user data was being shared. 

Created by ProudCrowd LLC, Care19 was created to help track the spread of COVID-19 in North Dakota, however, following its launch cybersecurity company Jumbo Privacy discovered that the app was sending user data to third-party services. 

Specifically the Identifier for Advertisers (IDFA) an ad-tracking device, that enables an advertiser to understand when a phone user has taken an action, was being shared. 

North Dakota stated that the app “does not have any information that is tied to an individual person” and all uploaded information is “100% anonymous,” however Jumbo found otherwise. The company discovered that those accessing the Care19 app via iOS could be identified through the IDFA on their device. 

Foursquare, a company connecting advertisers to people, was just one of the third-party services receiving Care19 users IDFA data. In a blog post, Jumbo explained that the app had been utilising Foursquare’s SDK, Pilgrim, “to translate geolocation coordinates into precise venues for contact tracing purposes”, however it was also discovered that Pilgrim was also being used to collect and send Care19 users’ IDFAs “unnecessarily” to Foursquare. 

Shortly after Jumbo published their findings, Care19 informed the company that the new version of the app (v3.3) no longer shares users’ IDFA to Foursquare. 

Jumbo CEO Pierre Valade told Infosecurity Magazine that the change was a “big win for privacy”, but other concerns still remain:

  • The app’s privacy policy does not indicate how a user can exercise their privacy rights, what officials intend to do with the data once recent contacts have been identified, and how long the data will be retained for. 
  • Care19 has not yet confirmed that pushing the deletion tab will also delete user data anywhere else it was stored, “notably in third party services.”

Registration now OPEN for PrivSec Global
Taking place across four days from 30 Nov to 3 Dec, PrivSec Global, will be the largest data protection, privacy and security event of 2020.

Reserve your place before 2nd October, and receive VIP access to PrivSec Global which includes priority access to limited space sessions, workshops, networking opportunities and exclusive content.

We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.