North Dakota's COVID-19 contact tracing app leaks location data to Foursquare and a Google Ads ID: Report

Hackers. [Shutterstock]

Your concerns about the privacy and security risks of using state-run coronavirus contact tracing apps? They're reasonable concerns.

This new report from mobile privacy firm Jumbo Privacy says the official North Dakota contact-tracing app is sharing location data with Foursquare and an advertising ID with Google.

Writes Steven Melendez for Fast Company:

The app, called Care19, and produced by a company called ProudCrowd that also makes a location-based social networking app for North Dakota State sports fans, generates a random ID number for each person who uses it. Then, it can “anonymously cache the individual’s locations throughout the day,” storing information about where people spent at least 10 minutes at a time, according to the state website. If users test positive for the coronavirus, they can provide that information to the North Dakota Department of Health for contact-tracing purposes so that other people who spent time near virus patients can potentially be notified.

According to the app’s privacy policy, “location data is private to you and is stored securely on ProudCrowd, LLC servers” and won’t be shared with third parties “unless you consent or ProudCrowd is compelled under federal regulations.”

But according to the Jumbo report, the app sends the random ID number, along with a phone ID used for advertising purposes and apparent latitudes and longitudes of places visited by the user, to Foursquare, a leading location-data provider. The app also sends the random ID to servers run by Bugfender, a Barcelona-based service used by app makers to track and diagnose software malfunctions, according to Jumbo, which monitored internet traffic generated by the app. It’s accompanied by the phone’s name, which often includes the device owner’s first name, according to the report. The phone’s advertising ID is also sent to Google servers that appear to be affiliated with Google’s Firebase service, Jumbo found.

More at Fast Company:
North Dakota’s COVID-19 app has been sending data to Foursquare and Google

[via Techmeme]