Assessing the privacy of mHealth Apps for self tracking: A heuristic evaluation approach

Luke Hutton, Blaine Price, Ryan Kelly, Ciaran McCormick, Arosha Bandara, Tally Hatzakis, Maureen Meadows, Bashar Nuseibeh

Research output: Contribution to journal, Article


Abstract

Background: The recent proliferation of self-tracking technologies has allowed individuals to generate significant quantities of data about their lifestyle. This data can be used to support health interventions and to monitor outcomes. However, this data is often stored and processed by vendors who have commercial motivations, and thus it may not be treated with the sensitivity of other medical data. As the sensors and applications which enable self-tracking continue to become more sophisticated, the privacy implications become more severe in turn. However, methods for systematically identifying privacy issues in such applications are currently lacking.
Objective: The aim of this work is to understand how current mass-market applications perform with respect to privacy. We do this by introducing a set of heuristics for evaluating privacy characteristics of self-tracking services.
Methods: We conduct an analysis of 64 popular self-tracking services, using our heuristics to determine the extent to which the services satisfy various dimensions of privacy. We then use descriptive statistics and statistical models to explore whether any particular categories of app perform better than others in terms of privacy.
Results: The majority of services examined (a) fail to provide users with full access to their own data, (b) do not acquire sufficient consent for use of the data, or (c) inadequately extend controls over disclosures to third parties. We found that the type of app, in terms of the category of data collected, was not a useful predictor of its privacy. However, we found that apps which collect health-related data (e.g. exercise, weight) perform worse for privacy than apps designed for other types of self-tracking.
Conclusions: Our study draws attention to the poor performance of current self-tracking technologies in terms of privacy, motivating the need for standards that can ensure future self-tracking applications are stronger with respect to upholding users’ privacy. Our heuristic evaluation method supports retrospective evaluation of privacy in self-tracking apps and can be used as a prescriptive framework to achieve privacy-by-design in future applications.
Original language: English
Article number: e185
Journal: JMIR mHealth and uHealth
Volume: 6
Issue number: 10
DOI: https://doi.org/10.2196/mhealth.9217
Publication status: Published - 22 Oct 2018


Cite this

Hutton, L., Price, B., Kelly, R., McCormick, C., Bandara, A., Hatzakis, T., ... Nuseibeh, B. (2018). Assessing the privacy of mHealth Apps for self tracking: A heuristic evaluation approach. JMIR mHealth and uHealth, 6(10), [e185]. https://doi.org/10.2196/mhealth.9217

@article{569e2121794d41c7a6a56a64f0cde9de,
title = "Assessing the privacy of mHealth Apps for self tracking: A heuristic evaluation approach",
author = "Luke Hutton and Blaine Price and Ryan Kelly and Ciaran McCormick and Arosha Bandara and Tally Hatzakis and Maureen Meadows and Bashar Nuseibeh",
year = "2018",
month = "10",
day = "22",
doi = "10.2196/mhealth.9217",
language = "English",
volume = "6",
journal = "JMIR mHealth and uHealth",
issn = "2291-5222",
publisher = "JMIR Publications",
number = "10",

}
