The fertility app Premom has shared data with third-party Chinese companies without user permission, according to the International Digital Accountability Council (IDAC).
The Android app collects health data of its users to provide advice to women trying to conceive. However, according to IDAC, its data-sharing with three companies is deceptive and may have breached data security laws.
'We believe there are material differences between what Premom states in its privacy policies and what our technical tests reveal,' claimed IDAC in a letter sent to the Federal Trade Commission and the Illinois attorney general, where the app's headquarters are based. IDAC stated that Premom shared user data with Chinese advertising companies without allowing users to opt out, as required by Google regulations.
There is currently no evidence that health data specifically has been passed on to third parties by Premom. However, the app can collect non-essential information such as user location and unique identifiers on user devices, which relay internet browsing activity and a log of app downloads. This information can then be used to personalise advertisements to the user and could potentially identify them in the event of a security breach.
Speaking to the Washington Post, president of IDAC Quentin Palfrey said: 'There's pretty extensive and sensitive data collection going on here with respect to a large number of users'. Palfrey added: 'It's particularly concerning when we see this behaviour with respect to an app that's targeted at women trying to become pregnant.'
Google Play removed Premom from its store while it investigated the allegations. The app has since been reinstated having revoked the access of one third-party company, Jiguang. The company countered in a statement that all of its methods are 'in compliance with Apple App store and Google Play store data collection rules and regulations.' It is unclear whether Premom is still sharing data with the remaining two Chinese companies identified by IDAC, Umeng and UMSNS.
Dr Serge Egelman, computer security expert and Research Director at the Usable Security and Privacy Group at the University of Berkeley, California, commented on IDAC's findings. He told The Washington Post that 'the techniques are the ones you see with malware.'
While security concerns have caused some users to delete the app, others are conflicted. One Premom user told the Washington Post: 'You put all your data into it for months, you're kind of stuck with it.' She explained: 'I want the data to be there for my doctor.'
A spokesperson and legal counsel for Premom, Desiree Moore, assured that the app 'prioritises the safety of its users' data above all', and is compliant with global data privacy laws.