May 21, 2020

Jumbo Privacy Review: North Dakota's Contact Tracing App

Watch this announcement directly from Pierre here:

Dear Jumbo customers,

Our mission at Jumbo Privacy is to protect your privacy everywhere you go and to keep you aware of upcoming and new threats to your privacy. One of the most pressing privacy issues today is the use of contact tracing apps. They are designed to alert individuals when they have spent time near someone diagnosed with the coronavirus, in an effort to make it easier for potentially infected individuals to self-isolate.

As the CEO of a privacy company, I won’t tell you about the effectiveness of these apps as it relates to public health. We promise to stick to topics we know, and do what our customers expect us to do: analyze the privacy implications of such tools.

Today, we are sharing our first privacy review about Care19, the contact tracing app made by the state of North Dakota (US). We hope that these findings will help the health agencies that are currently working on similar apps to make sure privacy is respected.

If you are working for a health agency and want Jumbo Privacy to help review the privacy implications of your app, please contact: [email protected].

If you are a journalist and want more information from us, please contact: [email protected].

If you’re not yet a customer, download our app for iOS and Android to start protecting your privacy with Jumbo.

Pierre Valade, CEO Jumbo Privacy.

image credits: NYT.

Finding 1: App shares user location data with Foursquare

Users of the app are told, in the privacy policy, that their location data is private and only stored on the servers of the company building the app for the state (ProudCrowd, LLC).

“This location data is private to you and is stored securely on ProudCrowd, LLC servers. It will not be shared with anyone including government entities or third parties, unless you consent or ProudCrowd is compelled under federal regulations.”

Our research has found that the user location data is actually also shared with a third party, Foursquare.

Foursquare provides advertisers with tools to reach audiences who have been at specific locations. Foursquare claims they are tracking “25 million devices opted-in, always on”.

Users can ask Foursquare to stop selling their personal information by using this form.

Finding 2: App isn’t really anonymous

The Care19 privacy policy indicates that “Your data is identified by an anonymous code.” We were able to validate that the app, indeed, uses an anonymous code (in the format of US-84825167-5 or something similar). However, our research has found that the anonymous code was transmitted to:

Sharing what is supposed to be an anonymous code along with an Advertising Identifier (referred to as IDFA) has serious privacy risks. An IDFA is an identifier that is shared across all apps on your phone, and often leaked by third-party SDKs, along with personal information.

For example, the Facebook SDK, included in many popular apps, sends the IDFA back to Facebook’s servers, and Facebook maintains a database linking your IDFA and your Facebook personal information, for retargeting purposes.

We are not able to say, at this moment, how Foursquare is using the data received from Care19. We have asked Foursquare for more information (see Next Steps section below).

Our research also shows that Google (via Firebase) also receives the IDFA.

Recommendations for users

We recommend that users do not install the app until either:

Jumbo Privacy will provide an update if and when such conditions are met.

Jumbo Pro will soon block trackers

In the coming days, Jumbo will also release a “Block Trackers” feature, which will be available for all Jumbo Pro users.

Also, for iOS users, we recommend that users turn off IDFA. On Android, unfortunately users don’t have the option to completely turn off IDFA.

Recommendations for future contact tracing apps

We recommend that contact tracing apps should:

Next steps

Our next steps are:

Research Protocol

To start, we looked at what frameworks Care19 included. This gave some insight into third-party services used by the app.

Secondly, we inspected network requests originating from the device while running the application. It’s relatively simple to isolate the ones we’re interested in by looking at the User-Agent HTTP Header.

Finally, we evaluated individual requests and looked for PII (personally identifiable information) or even potential PII.

It’s not possible to say that the data we have outlined above is the only data that gets sent. The app could send additional data at other times (when we’re not watching.)

Disclosure

Pierre Valade, CEO of Jumbo Privacy, worked at Foursquare in 2011 and 2012 and currently holds shares of Foursquare. Jan Sichermann, CTO of Jumbo Privacy, was an employee at Foursquare in 2012 and 2013.

None of the research done in this review is based on information collected while Pierre and Jan were employed at Foursquare.

Our reviews are not an extensive legal review according to all potential applicable laws to users of the Care19 app, but a privacy review, in relation to our privacy standards.

Pierre Valade

CEO