Survey results that the new coronavirus infection tracking application is transmitting location information etc.

Jumbo Privacy , a security company related to smartphone privacy, said, `` The official new coronavirus infectious disease (COVID-19) tracking app in North Dakota, USA is the third party that identifies device location information, advertisement ID , device name etc. contrary to the privacy policy. I am sending it to someone. ”

Jumbo Blog: Your privacy is everything to us

North Dakota's contact-tracing app shares location data

The issue has been pointed out to the official North Dakota COVID-19 tracking app, Care19 . According to a Jumbo Privacy survey, Care19 sends 'device location' to Foursquare , a major location data provider, 'advertising ID' to Foursquare and Google, and 'device name' to remote log collection service Bugfender . It became clear. Below is some of the information we are sending to Foursquare. The 'll' item is the device location information and the 'userinfo' is a random ID assigned by Care19.

The 'adid' has been sent to Foursuqare and Google. According to Junbo Privacy, the advertising ID is an identifier shared by all apps on the device, and it is often leaked along with personal information. In one example, the Facebook SDK, which is used in a large number of application and sends the ad ID on the server, personal information and advertising ID on Facebook

has been linked . Care19 sends advertisement ID and location information, so personal information and location information may be linked by advertisement ID.

In addition, Care19 is sending 'device name' to Bugfender. If you look at the image below, you can see that the 'name' in the 'device' item contains the device name 'Jan's iPhone' and the device you are using. Users who use their own names or other names as device names are at risk of personal identification by leaking device names.

Similarly, the device-specific ID 'device ID' is also sent to Bugfender. In the image below you can see that the information being sent to Bugfender includes a 'device_id'.

Care19's privacy policy states: 'Location information is stored only on the servers of Care19's producer, ProudCrowd. It will not be disclosed unless you agree or ProudCrowd is enforced by federal law. There is not '. Jumbo Privacy pointed out that Care19 is sending various information contrary to this privacy policy. We encourage users to not install Care19 until the problem is fixed.

In response to a survey by Jumbo Privacy, ProudCrowd said, 'The agreement with Foursquare does not allow Foursquare to collect or use Care19 data in any way. There is no harm. ' Foursquare also commented, 'We receive some data from Care19, but that data is not used in any way and will be destroyed immediately.' However, in response to this criticism, ProudCrowd promised to change the specifications and update the privacy policy in the future, saying 'It is easy to remove the data transmission function'.

Care19 will use the ' new coronavirus infection notification API ' developed by Apple and Google in a future update. Apple and Google's new Coronavirus Infectious Disease Contact Notification API prohibits tracking user location.

Prohibiting tracking of location information in apps that implement the `` new corona virus tracking system '' of Apple and Google-GIGAZINE

in Mobile,   Security, Posted by darkhorse_log