May 29, 2020
While we have remaining concerns, we are pleased that Care19 took steps to reply to our questions and initial inquiries.
An updated version of the Care19 mobile application was released on Friday May 22nd, with an updated version of Care19’s privacy policy.
We have reviewed both, and our concerns with regards to data sharing still exist.
Google Firebase, Bugfender and Foursquare are now mentioned in the Privacy policy - but discrepancies still exist
Care19’s privacy policy now indicates data is shared with Google Firebase, Bugfender and Foursquare, in particular that:
The privacy policy mentions that “Foursquare, Google Firebase and Bugfender may have access to aspects your data for their specific data processing tasks. However, they will not collect this data in a form that allows themselves or others to access or otherwise use this data.”
Review of the app shows that the IDFA is still shared to Foursquare
We have reviewed the new release of the Care19 app to check if Care19’s above mention is accurate.
We found that the new release of the app still shares users’ IDFA to Foursquare as shown below. We do not see any indications that the app is still sharing IDFA with Google Firebase, or sending any data to Bugfender.
The screenshots below show network requests made by the Care19 app. We have confirmed that the requests originate from the app by looking at the http headers. What we see in the screenshot is the request being made on the left, and on the right, the data being sent as part of the request. This includes the adId
, as well as additional data.
Therefore, Care19’s privacy policy is not accurate since the IDFA of users is still shared with Foursquare, and the IDFA is in a form that allows third parties or others to access or otherwise use this data. Indeed, the IDFA is a form of identifier that was specifically created to enable companies such as Foursquare to aggregate data of a user from multiple services, and target them with advertising on other platforms/services using the same IDFA.
Foursquare has indicated to us that they do not use the users’ IDFAs for other purposes such as advertising, but they have not provided any proof of this statement.
We have asked Care19 for evidence that Foursquare is not authorized to, and does not, use the IDFA for any other purpose such as advertising. We have not been provided evidence of this.
In the app onboarding:
In the privacy policy:
We still do not recommend that users install the app until:
Jumbo Privacy will provide an update if and when such conditions are met.