Even though North Dakota's new COVID-19 contact-tracing app, Care19, promised to keep users' data confidential, the app actually transmitted some users' location data to Foursquare, according to a
report by privacy company Jumbo.
App developer ProudCrowd confirmed the
location-sharing to The Washington Post. The company reportedly said it will revise the
app's privacy policy, and will share less data in the future.
A Foursquare spokesperson told the Post that the company sheds the data without using it.
Friday afternoon, North
Dakota Governor Doug Burgum responded to Jumbo's report by stating that users' location data was not
“shared or sold for commercial purposes.”
The governor also noted that the app's privacy policy was revised to “explicitly call out this usage and make it clear that
Foursquare does not store or use the data for other purposes.”
ProudCrowd CEO Tim Brookins also stated that the agreement with Foursquare doesn't allow it to collect Care19 data or
use it, beyond determining nearby businesses.
Jumbo also reports that although Care19 says it identifies data by an “anonymous” code, the app combines that code with advertising
identifiers when transmitting it to Foursquare.
“Sharing what is supposed to be an anonymous code along with an Advertising Identifier (referred to as IDFA) has serious privacy
risks,” Jumbo writes. “An IDFA is an identifier that is shared across all apps on your phone, and often leaked by third-party [software development kits], along with personal
information.”
The ad industry has argued that advertising identifiers -- typically alphanumeric strings -- are “pseudonymous,” but privacy advocates often argue that the
identifiers can be combined with other data to piece together people's names.
Care19 is one of the first contact-tracing apps that aims to stem the spread of COVID-19.
Google and Apple
are developing a separate system, designed to work in conjunction with public health apps.
The companies have said that system will be voluntary, and won't collect data from users -- although
people who test positive reportedly will be able to upload
information to the cloud.