News broke Friday that North Dakota's first COVID-19 contact-tracing app, Care19, shares data with Foursquare, but Microsoft's ProudCrowd Developer Tim Brookins says the allegation by security firm JumboPrivacy is not entirely true.
The Care19 app -- created and designed by Brookins at ProudCrowd in Fargo -- relies on GPS. Brookins originally designed the tracing app to track North Dakota State University football fans. He altered the concept to apply it to contact tracing for COVID-19.
The issues JumboPrivacy points out in its report do not involve the proximity app, with technology designed by Apple and Google, which will be a separate app, he said. That app will be called Care19 Exposure.
The app that Brookins created, although he now works on both, will be renamed Care19 Diary. Both will become available under the Care19 Collection of apps for tracing COVID-19.
Brookins said the notification exposure apps are not allowed to use location data.
It turns out JumboPrivacy was founded by Foursquare alumni.
North Dakota Governor Doug Burgum issued a statement Friday in response to reports on data and privacy related to the Care19 contact-tracing app.
“Care19 does not require or utilize names, addresses, emails, phone numbers or other direct personal information, and data on places visited by the user is held securely in the ProudCrowd servers using a randomly assigned, anonymous 32-digit number,” Burgum said. “None of this data is being shared or sold for commercial purposes.”
JumboPrivacy.com’s business model is to sell consumers a paid IOS app that informs them of dangerous apps. While that may be a valuable consumer service, the company has a financial incentive to declare apps dangerous.
Search & Performance Marketing Insider (SPMI) caught up with Brookins to discuss the allegations that Care19 shares data with Foursquare and other apps. What follows are excerpts from the discussion.
Search & Performance Marketing Insider: How did JumboPrivacy get the impression that Care19 shares data with Foursquare?
Tim Brookins: While there are certain things in the JumboPrivacy report we can improve on, we dispute their core assertion that we are "sharing" data with Foursquare.
SPMI: What are some of the things you can improve on?
Brookins: Currently we use a third-party service called BugFender, which captures diagnostic info from the phone. We need this for support purposes. For example, a user contacts support -- me -- and says "I went to place XYZ yesterday and Care19 didn’t work." I go to the Bugfender and look at their diagnostics to see whether it helps shed light on this issue.
It doesn’t contain any location data or any other sensitive user data other than a date here and there, but it is helpful to see whether or not the phone has a problem.
The change we are making is moving this data collection to an opt-in model. Right now it happens automatically. With this change, it will mean that if a user has problems, they will have to go in and change a setting to start sending this info. This is arguably better because it collects less data. On the other hand, it will stop us from providing retroactive support.
For example, if a user says we missed something yesterday, they will have to turn on the option and wait until we get data collection.
We shipped a version of the iOS app today that removed collection entirely, and then we re-add it once we get the opt-in switch set up and tested.
SPMI: I know the technology was initially used to build a tracing app for North Dakota State University football fans. Did this app share data with Foursquare?
Brookins: Yes, the NDSU app does use Foursquare APIs, though not the same exact APIs that Care19 uses.
Foursquare is a major player in the reverse geolocation area. Apple, Google, and Microsoft Bing offer solutions also.
SPMI: When did JumboPrivacy contact you about the data-sharing concerns?
JumboPrivacy contacted the Washington Post and Fast Company before they contacted us on Wednesday night telling us they were going to release a “report” on us Thursday afternoon. I received an email from the Washington Post at 9:58 pm MT on Wednesday, and my first communication from JumboPrivacy at 1:52 am MT on Thursday.
SPMI: How did JumboPrivacy get the impression you are violating consumer privacy?
Brookins: The simple overarching fact is we have stated, and Foursquare has confirmed that they have not, nor will not, collect data from Care19 users.
We do send data to Foursquare, which we use to determine which business is most likely to have been where you went. Foursquare takes that data, looks for nearby businesses, and returns the most likely place. But Foursquare doesn't store that data.
JumboPrivacy used a network tracer to see us sending that data to Foursquare, and incorrectly, claimed or implied that Foursquare was collecting data on our users. Which they are not.
We have revised our privacy policy to be 100% transparent that we call Foursquare. It makes it clear that they do not store or use our data:
The ProudCrowd privacy policy states: “Your location data is private to you and is stored securely on ProudCrowd, LLC servers. Third parties that we use (Foursquare, Google Firebase and Bugfender) may have temporary access to aspects of your data for their specific data processing tasks. However, they will not collect this data in a form that allows themselves or others to access or otherwise use this data.”
Foursquare's official statement reads: ‘Foursquare receives some data from Care19, a free user of our SDK, but we do not use the data in any way and it is promptly discarded. For free users of our SDK, Foursquare does not use, repackage or resell the data. Essentially, any data we might receive is immediately discarded. Here is our license agreement for developers using our SDK.’
‘We appreciate that JumboPrivacy, (which was founded by Foursquare alumni, and we are proud of their mission) commits to protecting consumer privacy — we deeply believe in the same principle.
In ensuring due diligence on our end, I can confirm that when reviewing Care19 as a free user, we are adhering to our commitment that no data is used in our downstream products.’