"You Are The Product": Your Data on Apps Is Not Private

Privacy Rights Declining

The privacy rights of consumers in the U.S. are limited, Karim Hijazi, CEO of Prevailion, a Houston-based cyber intelligence company, told TheStreet.

“American consumers don’t have that many data privacy rights or protections, particularly when compared with European consumers,” he said. “When it comes to apps, there are few protections on how your information is collected or used.”

Companies that collect a person’s medical information will “likely” have to comply with Health Insurance Portability and Accountability Act’s (HIPAA) privacy protections.

One major catch is that not all health information is considered private.

“Apps that are focused on health or fitness may not be covered,” Hijazi said.

Deleting Apps Not a Solution

Simply deleting an app from your smartphone will not eliminate the data.

Most U.S. consumers don’t have the ‘right to delete’ except for states that have passed laws such as the California Consumer Privacy Act, Colorado Privacy Act and Virginia Consumer Data Protection Act, so the residents may be able to petition a company to delete their data, Hijazi said.

“For most people in the U.S., however, there is little recourse when it comes to the collection of your personal information, once you’ve agreed to the terms of service,” he said.

Consumers need to realize that deleting an app does not remove the data the company has collected, Scott Gerlach, chief security officer at StackHawk, a Denver-based provider of API Security Testing, told The Street.

Some companies have the ability to digitally delete a user's data upon request due to regulations like GDPR, the European Union’s data protection law that was put into place in 2018, but the U..S. does not have its own version.

The alarming problem is that there is no unified approach on how customers ask for their data to be deleted, he said. Some companies require written requests, others have separate portals on their websites.

“It is up to the user to figure out how to submit and the complexity grows if someone is trying to delete data across multiple apps or services,” Gerlach said.

Consumers are “pretty much” on their own when it comes to their digital breadcrumbs, Jason Glassberg, co-founder of Casaba Security, a Redmond, Wash.-based ethical hacking company, told TheStreet. Many companies will probably turn down consumer requests to delete their data.

“I doubt any of them will,” he said. “They may also claim that they aren’t able to erase the data either because they do not store it themselves, which is partly true for many of these companies. They may use third-party services or partner with other providers to actually handle the consumer’s data.”

Another major issue is that once the data is collected, it is usually shared with multiple other parties, who may also share it with other several other parties.

“The personal data business is a complex and murky ecosystem with a lot of different animals all drinking from the same trough,” Glassberg said.

Anonymous Mode

Flo, a period tracking app, said consumers can deactivate their account and erase their personal data by emailing them at support@flo.health.

“If you choose to deactivate your account, Flo will generally delete all your Personal Data and it will not be recoverable should you later create another account,” the company said.

A growing number of companies such as Flo also offer people the ability to use the “‘anonymous mode” which does not require any personally identifiable information, such as a name, email address and technical identifier being associated with the account.

“Any data we do collect is fully encrypted, and this will never change,” said Susanne Schumacher, Flo’s Data Protection Officer.

The feature can be used for iOS and Android devices, Flo said on June 30.

“While the Anonymous Mode feature had already been underway, the development has been accelerated in the wake of the U.S. Supreme Court's ruling to overturn the landmark case Roe v. Wade,” the company said. “Some users have expressed concern about how third parties might be able to access user health data from digital services.”

The company will be unable to provide names or emails to any groups seeking identifying information with this mode enabled.

“... Anonymous Mode will prevent Flo from being able to connect data to an individual, meaning Flo would not be able to satisfy the request,” Flo said.

Before Using An App

Most apps require that consumers accept a variety of “permission requests” in order to use them, such as enabling geolocation access, Hijazi said.

“There is a well-worn saying that if the service is free, you are the product,” he said. “However, when it comes to apps, this is basically true of any of them – even the paid apps still collect and monetize your personal information.”

HIPAA isn’t an “iron-clad protection on your personal health information and is mostly confined to protected medical information from healthcare providers and the personally identifiable information (PII) that goes with it,” Glassberg said.

Apps that track your menstrual cycle or where you have been physically could be problematic for people living in states where helping someone or undergoing an abortion is not legal.

“If you’re using an app that tracks your menstrual cycle or logs your physical location when you stop by a Planned Parenthood facility or any doctor’s office, that is not privileged or protected information,” he said.

Data Can Be Turned Over to Law Enforcement

Companies will have to comply with law enforcement subpoenas even though some of them may choose to challenge the, Glassberg said.

"Ultimately, everyone has to comply if the subpoena is legally valid," he said.

Companies “could potentially be compelled” to turn over user data by law enforcement if they are investigating a case, Gerlach said.

“That may or may not be known to the end user until a court case was brought against them,” he said.