Care19 Research Update

Care19 has updated its App and Privacy Policy: some concerns remain

While we have remaining concerns, we are pleased that Care19 took steps to reply to our questions and initial inquiries.

An updated version of the Care19 mobile application was released on Friday May 22nd, with an updated version of Care19’s privacy policy.

We have reviewed both, and our concerns with regards to data sharing still exist.

Google Firebase, Bugfender and Foursquare are now mentioned in the Privacy policy - but discrepancies still exist

Care19’s privacy policy now indicates data is shared with Google Firebase, Bugfender and Foursquare, in particular that:

• Google Firebase Messaging stores the token of the user in order to send a push notification (on an opt-in basis);
• Foursquare is used to pinpoint named venues if location services are permitted by the user.

The privacy policy mentions that “Foursquare, Google Firebase and Bugfender may have access to aspects your data for their specific data processing tasks. However, they will not collect this data in a form that allows themselves or others to access or otherwise use this data.”

Review of the app shows that the IDFA is still shared to Foursquare

We have reviewed the new release of the Care19 app to check if Care19’s above mention is accurate.

We found that the new release of the app still shares users’ IDFA to Foursquare as shown below. We do not see any indications that the app is still sharing IDFA with Google Firebase, or sending any data to Bugfender.

The screenshots below show network requests made by the Care19 app. We have confirmed that the requests originate from the app by looking at the http headers. What we see in the screenshot is the request being made on the left, and on the right, the data being sent as part of the request. This includes the adId , as well as additional data.

Therefore, Care19’s privacy policy is not accurate since the IDFA of users is still shared with Foursquare, and the IDFA is in a form that allows third parties or others to access or otherwise use this data. Indeed, the IDFA is a form of identifier that was specifically created to enable companies such as Foursquare to aggregate data of a user from multiple services, and target them with advertising on other platforms/services using the same IDFA.

Foursquare has indicated to us that they do not use the users’ IDFAs for other purposes such as advertising, but they have not provided any proof of this statement.

We have asked Care19 for evidence that Foursquare is not authorized to, and does not, use the IDFA for any other purpose such as advertising. We have not been provided evidence of this.

Other important issues :

In the app onboarding:

• The following consent tab does not indicate what data is collected for such “Location Services”, if third parties such as Foursquare are used to build them, and for how long is the users’ data is retained.

In the privacy policy:

• Erasure: “Users may also choose to delete their data stored on ProudCrowd servers by pushing the “Erase Data” button on the Care19 About screen at any time”: We have not obtained confirmation that such deletion will also delete data of users anywhere else it was stored, notably in third-party servers.
• Use of the data by officials: “if you share this code, these officials will have consent to access your recent locations for the express intent of identifying recent contacts with other people in your area.” We have not obtained information from Care19 on what these said officials intend to do with the data once recent contacts have been identified, and how long will this data be retained for.
• Privacy Rights: There is still no mention on how can users exercise their right to privacy.

Recommendations for users remain unchanged

We still do not recommend that users install the app until:

• Care19’s privacy policy is updated to accurately represent how the app shares data with third parties and how they can exercise their privacy rights
• Care19 discloses what the officials intend to do with the data once recent contacts have been identified, and how long will this data be retained for
• Care19 proves Foursquare is not allowed to use the IDFA for any other purpose than to provide their location service to Care19
• Care19 confirms that pushing the deletion tab will also delete data of users anywhere else it was stored, notably in third party servers.

Jumbo Privacy will provide an update if and when such conditions are met.