Cargando…
Data Management and Privacy Policy of COVID-19 Contact-Tracing Apps: Systematic Review and Content Analysis
BACKGROUND: COVID-19 digital contact-tracing apps were created to assist public health authorities in curbing the pandemic. These apps require users’ permission to access specific functions on their mobile phones, such as geolocation, Bluetooth or Wi-Fi connections, or personal data, to work correct...
Autores principales: | , , , , |
---|---|
Formato: | Online Artículo Texto |
Lenguaje: | English |
Publicado: |
JMIR Publications
2022
|
Materias: | |
Acceso en línea: | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9278406/ https://www.ncbi.nlm.nih.gov/pubmed/35709334 http://dx.doi.org/10.2196/35195 |
_version_ | 1784746179266871296 |
---|---|
author | Bardus, Marco Al Daccache, Melodie Maalouf, Noel Al Sarih, Rayan Elhajj, Imad H |
author_facet | Bardus, Marco Al Daccache, Melodie Maalouf, Noel Al Sarih, Rayan Elhajj, Imad H |
author_sort | Bardus, Marco |
collection | PubMed |
description | BACKGROUND: COVID-19 digital contact-tracing apps were created to assist public health authorities in curbing the pandemic. These apps require users’ permission to access specific functions on their mobile phones, such as geolocation, Bluetooth or Wi-Fi connections, or personal data, to work correctly. As these functions have privacy repercussions, it is essential to establish how contact-tracing apps respect users’ privacy. OBJECTIVE: This study aimed to systematically map existing contact-tracing apps and evaluate the permissions required and their privacy policies. Specifically, we evaluated the type of permissions, the privacy policies’ readability, and the information included in them. METHODS: We used custom Google searches and existing lists of contact-tracing apps to identify potentially eligible apps between May 2020 and November 2021. We included contact-tracing or exposure notification apps with a Google Play webpage from which we extracted app characteristics (eg, sponsor, number of installs, and ratings). We used Exodus Privacy to systematically extract the number of permissions and classify them as dangerous or normal. We computed a Permission Accumulated Risk Score representing the threat level to the user’s privacy. We assessed the privacy policies’ readability and evaluated their content using a 13-item checklist, which generated a Privacy Transparency Index. We explored the relationships between app characteristics, Permission Accumulated Risk Score, and Privacy Transparency Index using correlations, chi-square tests, or ANOVAs. RESULTS: We identified 180 contact-tracing apps across 152 countries, states, or territories. We included 85.6% (154/180) of apps with a working Google Play page, most of which (132/154, 85.7%) had a privacy policy document. Most apps were developed by governments (116/154, 75.3%) and totaled 264.5 million installs. The average rating on Google Play was 3.5 (SD 0.7). Across the 154 apps, we identified 94 unique permissions, 18% (17/94) of which were dangerous, and 30 trackers. The average Permission Accumulated Risk Score was 22.7 (SD 17.7; range 4-74, median 16) and the average Privacy Transparency Index was 55.8 (SD 21.7; range 5-95, median 55). Overall, the privacy documents were difficult to read (median grade level 12, range 7-23); 67% (88/132) of these mentioned that the apps collected personal identifiers. The Permission Accumulated Risk Score was negatively associated with the average App Store ratings (r=−0.20; P=.03; 120/154, 77.9%) and Privacy Transparency Index (r=−0.25; P<.001; 132/154, 85.7%), suggesting that the higher the risk to one’s data, the lower the apps’ ratings and transparency index. CONCLUSIONS: Many contact-tracing apps were developed covering most of the planet but with a relatively low number of installs. Privacy-preserving apps scored high in transparency and App Store ratings, suggesting that some users appreciate these apps. Nevertheless, privacy policy documents were difficult to read for an average audience. Therefore, we recommend following privacy-preserving and transparency principles to improve contact-tracing uptake while making privacy documents more readable for a wider public. |
format | Online Article Text |
id | pubmed-9278406 |
institution | National Center for Biotechnology Information |
language | English |
publishDate | 2022 |
publisher | JMIR Publications |
record_format | MEDLINE/PubMed |
spelling | pubmed-92784062022-07-14 Data Management and Privacy Policy of COVID-19 Contact-Tracing Apps: Systematic Review and Content Analysis Bardus, Marco Al Daccache, Melodie Maalouf, Noel Al Sarih, Rayan Elhajj, Imad H JMIR Mhealth Uhealth Original Paper BACKGROUND: COVID-19 digital contact-tracing apps were created to assist public health authorities in curbing the pandemic. These apps require users’ permission to access specific functions on their mobile phones, such as geolocation, Bluetooth or Wi-Fi connections, or personal data, to work correctly. As these functions have privacy repercussions, it is essential to establish how contact-tracing apps respect users’ privacy. OBJECTIVE: This study aimed to systematically map existing contact-tracing apps and evaluate the permissions required and their privacy policies. Specifically, we evaluated the type of permissions, the privacy policies’ readability, and the information included in them. METHODS: We used custom Google searches and existing lists of contact-tracing apps to identify potentially eligible apps between May 2020 and November 2021. We included contact-tracing or exposure notification apps with a Google Play webpage from which we extracted app characteristics (eg, sponsor, number of installs, and ratings). We used Exodus Privacy to systematically extract the number of permissions and classify them as dangerous or normal. We computed a Permission Accumulated Risk Score representing the threat level to the user’s privacy. We assessed the privacy policies’ readability and evaluated their content using a 13-item checklist, which generated a Privacy Transparency Index. We explored the relationships between app characteristics, Permission Accumulated Risk Score, and Privacy Transparency Index using correlations, chi-square tests, or ANOVAs. RESULTS: We identified 180 contact-tracing apps across 152 countries, states, or territories. We included 85.6% (154/180) of apps with a working Google Play page, most of which (132/154, 85.7%) had a privacy policy document. Most apps were developed by governments (116/154, 75.3%) and totaled 264.5 million installs. The average rating on Google Play was 3.5 (SD 0.7). Across the 154 apps, we identified 94 unique permissions, 18% (17/94) of which were dangerous, and 30 trackers. The average Permission Accumulated Risk Score was 22.7 (SD 17.7; range 4-74, median 16) and the average Privacy Transparency Index was 55.8 (SD 21.7; range 5-95, median 55). Overall, the privacy documents were difficult to read (median grade level 12, range 7-23); 67% (88/132) of these mentioned that the apps collected personal identifiers. The Permission Accumulated Risk Score was negatively associated with the average App Store ratings (r=−0.20; P=.03; 120/154, 77.9%) and Privacy Transparency Index (r=−0.25; P<.001; 132/154, 85.7%), suggesting that the higher the risk to one’s data, the lower the apps’ ratings and transparency index. CONCLUSIONS: Many contact-tracing apps were developed covering most of the planet but with a relatively low number of installs. Privacy-preserving apps scored high in transparency and App Store ratings, suggesting that some users appreciate these apps. Nevertheless, privacy policy documents were difficult to read for an average audience. Therefore, we recommend following privacy-preserving and transparency principles to improve contact-tracing uptake while making privacy documents more readable for a wider public. JMIR Publications 2022-07-12 /pmc/articles/PMC9278406/ /pubmed/35709334 http://dx.doi.org/10.2196/35195 Text en ©Marco Bardus, Melodie Al Daccache, Noel Maalouf, Rayan Al Sarih, Imad H Elhajj. Originally published in JMIR mHealth and uHealth (https://mhealth.jmir.org), 12.07.2022. https://creativecommons.org/licenses/by/4.0/This is an open-access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work, first published in JMIR mHealth and uHealth, is properly cited. The complete bibliographic information, a link to the original publication on https://mhealth.jmir.org/, as well as this copyright and license information must be included. |
spellingShingle | Original Paper Bardus, Marco Al Daccache, Melodie Maalouf, Noel Al Sarih, Rayan Elhajj, Imad H Data Management and Privacy Policy of COVID-19 Contact-Tracing Apps: Systematic Review and Content Analysis |
title | Data Management and Privacy Policy of COVID-19 Contact-Tracing Apps: Systematic Review and Content Analysis |
title_full | Data Management and Privacy Policy of COVID-19 Contact-Tracing Apps: Systematic Review and Content Analysis |
title_fullStr | Data Management and Privacy Policy of COVID-19 Contact-Tracing Apps: Systematic Review and Content Analysis |
title_full_unstemmed | Data Management and Privacy Policy of COVID-19 Contact-Tracing Apps: Systematic Review and Content Analysis |
title_short | Data Management and Privacy Policy of COVID-19 Contact-Tracing Apps: Systematic Review and Content Analysis |
title_sort | data management and privacy policy of covid-19 contact-tracing apps: systematic review and content analysis |
topic | Original Paper |
url | https://www.ncbi.nlm.nih.gov/pmc/articles/PMC9278406/ https://www.ncbi.nlm.nih.gov/pubmed/35709334 http://dx.doi.org/10.2196/35195 |
work_keys_str_mv | AT bardusmarco datamanagementandprivacypolicyofcovid19contacttracingappssystematicreviewandcontentanalysis AT aldaccachemelodie datamanagementandprivacypolicyofcovid19contacttracingappssystematicreviewandcontentanalysis AT maaloufnoel datamanagementandprivacypolicyofcovid19contacttracingappssystematicreviewandcontentanalysis AT alsarihrayan datamanagementandprivacypolicyofcovid19contacttracingappssystematicreviewandcontentanalysis AT elhajjimadh datamanagementandprivacypolicyofcovid19contacttracingappssystematicreviewandcontentanalysis |