Accepted for/Published in: JMIR mHealth and uHealth

Date Submitted: Nov 24, 2021
Date Accepted: Feb 17, 2022
Date Submitted to PubMed: Jun 16, 2022

The final, peer-reviewed published version of this preprint can be found here:

Data Management and Privacy Policy of COVID-19 Contact-Tracing Apps: Systematic Review and Content Analysis

Bardus M, Al Daccache M, Maalouf N, Al Sarih R, Elhajj IH

JMIR Mhealth Uhealth 2022;10(7):e35195

DOI: 10.2196/35195

PMID: 35709334

PMCID: 9278406

COVID-19 Contact Tracing Apps Data Management and Privacy Policy: A Systematic Review and Content Analysis

  • Marco Bardus
  • Melodie Al Daccache
  • Noel Maalouf
  • Rayan Al Sarih
  • Imad H. Elhajj

ABSTRACT

Background:

COVID-19 digital contact tracing apps were created to assist public health authorities in curbing the pandemic. To work correctly, contact tracing apps require users’ permission to access specific functions on their mobile phones, such as geolocation, Bluetooth or Wi-Fi connections, or personal data. As these functions have privacy repercussions, it is essential to establish how contact tracing apps respect users’ privacy.

Objective:

To systematically map existing contact tracing apps and evaluate the permissions required and their privacy policies. Specifically, we evaluated the type of permissions and the privacy policies’ readability and information included.

Methods:

We used custom Google searches and existing lists of contact tracing apps to identify potentially eligible apps between May 2020 and November 2021. We included contact tracing or exposure notification apps with a Google Play web page, from which we extracted app characteristics (e.g., sponsor, number of installs, ratings, etc.), permissions, and privacy policy information. We used the Exodus Privacy web service to systematically identify permissions and trackers and classify them as ‘dangerous’ or ‘normal.’ Based on this information, we computed a Permission Accumulated Risk Score (PARS), representing the threat level to the user’s privacy. We assessed the privacy policies’ readability and evaluated their content using a 13-item checklist, which we used to calculate a privacy transparency index (PTI). Finally, we explored the relationships between app characteristics, PARS, and PTI, using correlations, Chi-square, or ANOVA tests.

Results:

We identified 180 contact tracing apps across 152 countries, states, or territories. Of these, we included 154 apps with a working Google Play page, 132 (86%) of which had a related privacy policy document. Most apps were developed by governments (116/154, 75%) and totaled 264.5 million installs. The average rating was 3.5 (SD=0.7) on Google Play and 3.6 (SD=0.9) on the AppStore (n=120). The number of installs was positively related to the number of reviews but not to average ratings. Across the included apps, we identified 94 individual permissions (17 dangerous) and 30 trackers, with considerable variability in the PARS (Md=16, IQR=26, range: 4-74) and in the PTI (Md=56, IQR=22, range: 5-95). The privacy documents were overall difficult to read (Md grade level 12, IQR=3, range: 7-23); 67% of these mentioned that apps collected personal identifiers. PARS was negatively associated with the average AppStore ratings (r=-0.20, p=0.03, n=120) and with PTI (r=-0.25, p<0.001, n=132), suggesting that the higher the risk to one’s data, the lower the apps’ ratings and their transparency index.

Conclusions:

Many contact tracing apps were developed in a year, covering most of the planet but with a relatively limited number of installs. Even though installs were not related to PARS or PTI scores, privacy-preserving apps scored high in transparency and AppStore ratings, suggesting that users appreciate these apps. Nevertheless, privacy policy documents were difficult to read. Therefore, we recommend following privacy-preserving and transparency principles to improve contact tracing uptake while making the privacy documents more readable for a wider public.



© The authors. All rights reserved. This is a privileged document currently under peer-review/community review (or an accepted/rejected manuscript). Authors have provided JMIR Publications with an exclusive license to publish this preprint on its website for review and ahead-of-print citation purposes only. While the final peer-reviewed paper may be licensed under a cc-by license on publication, at this stage authors and publisher expressly prohibit redistribution of this draft paper other than for review purposes.