Data management and privacy policy of COVID-19 contact-tracing apps: systematic review and content analysis

Marco Bardus, Melodie Daccache, Noel Maalouf, Rayan Al Sarih, Imad Elhajj

Research output: Contribution to journalReview articlepeer-review

111 Downloads (Pure)

Abstract

Background: COVID-19 digital contact-tracing apps were created to assist public health authorities in curbing the pandemic. These apps require users’ permission to access specific functions on their mobile phones, such as geolocation, Bluetooth or Wi-Fi connections, or personal data, to work correctly. As these functions have privacy repercussions, it is essential to establish how contact-tracing apps respect users’ privacy.

Objective: This study aimed to systematically map existing contact-tracing apps and evaluate the permissions required and their privacy policies. Specifically, we evaluated the type of permissions, the privacy policies’ readability, and the information included in them.

Methods: We used custom Google searches and existing lists of contact-tracing apps to identify potentially eligible apps between May 2020 and November 2021. We included contact-tracing or exposure notification apps with a Google Play webpage from which we extracted app characteristics (eg, sponsor, number of installs, and ratings). We used Exodus Privacy to systematically extract the number of permissions and classify them as dangerous or normal. We computed a Permission Accumulated Risk Score representing the threat level to the user’s privacy. We assessed the privacy policies’ readability and evaluated their content using a 13-item checklist, which generated a Privacy Transparency Index. We explored the relationships between app characteristics, Permission Accumulated Risk Score, and Privacy Transparency Index using correlations, chi-square tests, or ANOVAs.

Results: We identified 180 contact-tracing apps across 152 countries, states, or territories. We included 85.6% (154/180) of apps with a working Google Play page, most of which (132/154, 85.7%) had a privacy policy document. Most apps were developed by governments (116/154, 75.3%) and totaled 264.5 million installs. The average rating on Google Play was 3.5 (SD 0.7). Across the 154 apps, we identified 94 unique permissions, 18% (17/94) of which were dangerous, and 30 trackers. The average Permission Accumulated Risk Score was 22.7 (SD 17.7; range 4-74, median 16) and the average Privacy Transparency Index was 55.8 (SD 21.7; range 5-95, median 55). Overall, the privacy documents were difficult to read (median grade level 12, range 7-23); 67% (88/132) of these mentioned that the apps collected personal identifiers. The Permission Accumulated Risk Score was negatively associated with the average App Store ratings (r=−0.20; P=.03; 120/154, 77.9%) and Privacy Transparency Index (r=−0.25; P<.001; 132/154, 85.7%), suggesting that the higher the risk to one’s data, the lower the apps’ ratings and transparency index.

Conclusions: Many contact-tracing apps were developed covering most of the planet but with a relatively low number of installs. Privacy-preserving apps scored high in transparency and App Store ratings, suggesting that some users appreciate these apps. Nevertheless, privacy policy documents were difficult to read for an average audience. Therefore, we recommend following privacy-preserving and transparency principles to improve contact-tracing uptake while making privacy documents more readable for a wider public.
Original languageEnglish
Article numbere35195
Number of pages20
JournalJMIR mHealth and uHealth
Volume10
Issue number7
DOIs
Publication statusPublished - 12 Jul 2022

Bibliographical note

©Marco Bardus, Melodie Al Daccache, Noel Maalouf, Rayan Al Sarih, Imad H Elhajj. Originally published in JMIR mHealth and uHealth (https://mhealth.jmir.org), 12.07.2022.

Funding Information:
The authors would like to acknowledge the help of Ms Dalia Sarieldine, a graduate research assistant in the Department of Health Promotion and Community Health, Faculty of Health Sciences, the American University of Beirut, who helped verify the inclusion of selected apps and update the data on the selected apps.

Publisher Copyright:
© Marco Bardus, Melodie Al Daccache, Noel Maalouf, Rayan Al Sarih, Imad H Elhajj.

Keywords

  • COVID-19
  • mobile applications
  • contact tracing
  • Policy
  • Privacy
  • Mobile Applications
  • Humans
  • Data Management
  • Contact Tracing/methods

ASJC Scopus subject areas

  • Health Informatics

Fingerprint

Dive into the research topics of 'Data management and privacy policy of COVID-19 contact-tracing apps: systematic review and content analysis'. Together they form a unique fingerprint.

Cite this