MapsSource: iMore

What you need to know

  • North Dakota's contact tracing app is sharing user data without their knowledge.
  • Privacy company Jumbo reported that the app shares user location data.
  • Data is being shared with Foursquare and Google.

North Dakota is one of the first states in the U.S. to release its own contact tracing app, Care19. While the app says that it does keep its user's information private, it appears that it may not be true. Jumbo, the creators of the Jumbo privacy app, has discovered some concerning data-sharing practices that its CEO shared in a blog post.

"Today, we are sharing our first privacy review about Care19, the contact tracing app made by the state of North Dakota (US). We hope that these findings will help the health agencies that are currently working on similar apps to make sure privacy is respected."

The first thing that the company found was that, while the app only stores data on the servers of the company who built the app, it is also sharing user location data with Foursquare.

"Users of the app are told, in the privacy policy, that their location data is private and only stored on the servers of the company building the app for the state (ProudCrowd, LLC). "This location data is private to you and is stored securely on ProudCrowd, LLC servers. It will not be shared with anyone including government entities or third parties unless you consent or ProudCrowd is compelled under federal regulations." Our research has found that the user location data is actually also shared with a third party, Foursquare."

The second thing that the company found was that the anonymous code that identifies you is was also being transmitted to Foursquare, as well as Bugdefender and Google.

"The Care19 privacy policy indicates that "Your data is identified by an anonymous code." We were able to validate that the app, indeed, uses an anonymous code (in the format of US-84825167-5 or something similar). However, our research has found that the anonymous code was transmitted to ... Foursquare, along with the phone's Advertising Identifier ... Bugfender, along with the phone's Name (probably including your first name) ... Google (via Firebase)."

The company behind the app, ProudCrowd, has updated the privacy policy to indicate those companies have access to the data.

"Third parties that we use (Foursquare, Google Firebase, and Bugfender) may have temporary access to aspects of your data for their specific data processing tasks. However, they will not collect this data in a form that allows themselves or others to access or otherwise use this data."

Apple and Google, in contrast, have just released their API for Exposure Notification that does not collect user location data and uses Bluetooth instead.