• by Wendy Davis  @wendyndavis, May 22, 2020

Even though North Dakota's new COVID-19 contact-tracing app, Care19, promised to keep users' data confidential, the app actually transmitted some users' location data to Foursquare, according to a report by privacy company Jumbo.

App developer ProudCrowd confirmed the location-sharing to The Washington Post. The company reportedly said it will revise the app's privacy policy, and will share less data in the future.

A Foursquare spokesperson told the Post that the company sheds the data without using it.

Friday afternoon, North Dakota Governor Doug Burgum responded to Jumbo's report by stating that users' location data was not “shared or sold for commercial purposes.”

The governor also noted that the app's privacy policy was revised to “explicitly call out this usage and make it clear that Foursquare does not store or use the data for other purposes.” 

ProudCrowd CEO Tim Brookins also stated that the agreement with Foursquare doesn't allow it to collect Care19 data or use it, beyond determining nearby businesses.

Jumbo also reports that although Care19 says it identifies data by an “anonymous” code, the app combines that code with advertising identifiers when transmitting it to Foursquare.

“Sharing what is supposed to be an anonymous code along with an Advertising Identifier (referred to as IDFA) has serious privacy risks,” Jumbo writes. “An IDFA is an identifier that is shared across all apps on your phone, and often leaked by third-party [software development kits], along with personal information.”

The ad industry has argued that advertising identifiers -- typically alphanumeric strings -- are “pseudonymous,” but privacy advocates often argue that the identifiers can be combined with other data to piece together people's names.

Care19 is one of the first contact-tracing apps that aims to stem the spread of COVID-19.

Google and Apple are developing a separate system, designed to work in conjunction with public health apps.

The companies have said that system will be voluntary, and won't collect data from users -- although people who test positive reportedly will be able to upload information to the cloud.