Tech privacy firm warns contact tracing app violates policy

The Care19 app is seen on a cell phone screen, Friday, May 22, 2020, in Sioux Falls, S.D. Care19, a contact tracing app is being pushed by the governors of North Dakota and South Dakota as a tool to trace exposure to the coronavirus. But tech firm Jumbo Privacy points out the app violated its own privacy policy by sharing location and identification information with third-party companies like Foursquare, BugFender and Google. (AP Photo/Stephen Groves)
The Care19 app is seen on a cell phone screen, Friday, May 22, 2020, in Sioux Falls, S.D. Care19, a contact tracing app is being pushed by the governors of North Dakota and South Dakota as a tool to trace exposure to the coronavirus. But tech firm Jumbo Privacy points out the app violated its own privacy policy by sharing location and identification information with third-party companies like Foursquare, BugFender and Google. (AP Photo/Stephen Groves) (Copyright 2020 The Associated Press. All rights reserved.)

SIOUX FALLS, S.D. – A contact tracing app pushed by the governors of North Dakota and South Dakota as a tool to trace exposure to the coronavirus violated its own privacy policy by sharing location and user identification information with third-party businesses, according to a report from a tech privacy company.

The Care19 app, developed by ProudCrowd, of North Dakota, was one of the first contact tracing apps endorsed by state governments in response to the coronavirus. Governors from both states promoted it as a way to help health officials stop outbreaks and retrace the steps of people with infections, while assuring people that their data is protected. But tech privacy company Jumbo Privacy reported this week that developers included lines of code that send users' location and identification data to third-party companies including Foursquare, BugFender and Google.

Concerned citizens have been eyeing the tradeoff between controlling outbreaks using apps and intrusions on privacy. Civil liberty groups and tech watchdogs have warned about contact tracing apps, saying governments and companies should not be able to access personal data.

The Care19 app shared location data with Foursquare, an advertising company that markets to people based on their location.

ProudCrowd CEO Tim Brookins said his company sends data to Foursquare to determine which businesses a user has visited, but the data is discarded and not used for commercial purposes.

"The simple overarching fact here is that we have stated, and Foursquare has confirmed, that they have not, nor will not, collect data from Care19 users. Period,” Brookins said.

The app generates an anonymous code for every user. The Jumbo Privacy report noted that the code, along with the phone's identification, was sent to BugFender, a Barcelona-based company that helps developers track malfunctions. The app also sent an advertising identifier linked with the user's phone to Google's Firebase service. That adds up to “serious privacy risks,” Jumbo said.

“It’s really an oversight from them,” said Jumbo Privacy CEO Pierre Valade. “It’s not a bad intention. They were rushing to build this product.”