Mobile apps are helping track the spread of Covid-19 to contain the outbreak, but the apps also raise concerns about personal privacy.

A study published in Nature analysed 50 Covid-19-related apps available in the Google Play store for their access to users' personal data and their privacy protections. It found that most of the apps required access to users' personal data, but only a handful indicated the data would be anonymous, encrypted and secured.

The study was conducted by information sciences professor Masooda Bashir and doctoral student Tanusree Sharma at the University of Illinois at Urbana-Champaign. 

They said: "What is disconcerting is that these apps are continuously collecting and processing highly sensitive and personally identifiable information, such as health information, location and direct identifiers (e.g., name, age, email address and voter/national identification).

"Governments' use of such tracking technology - and the possibilities for how they might use it after the pandemic - is chilling to many. Notably, surveillance mapping through apps will allow governments to identify people's travel paths and their entire social networks."

Do Covid-19 apps protect your privacy?

The functionalities of the Covid-related apps developed around the world include live maps and updates of confirmed cases, real-time location-based alerts, systems for monitoring home isolation and quarantine, direct reporting to the government of symptoms and education about Covid-19. Some also offer monitoring of vital signs, virtual medical consultations and community-driven contact tracing.

Of the 50 apps the researchers evaluated, 30 require users' permission to access data from their mobile devices such as contacts, photos, media, files, location data, the camera, the device's ID, call information, Wi-Fi connection, microphone, network access, the Google service configuration and the ability to change network connectivity and audio settings.

Some of the apps state they will collect users' age, email address, phone number and postal code; the device's location, unique identifiers, mobile IP address and operating system; and the types of browsers used on the device. Only 16 of the apps indicated such data will be anonymous, encrypted, secured and reported only in aggregate form.

Of the apps sampled, 20 were issued by governments, health ministries and other such official sources and the researchers acknowledged that mass surveillance measures may be necessary to contain the spread of the virus.

The authors said that the European Data Protection Board issued a statement on the importance of protecting personal data while fighting Covid-19 and flagged articles of the General Data Protection Regulation that provide the legal grounds for processing personal data in the context of epidemics.

In the USA, however, there is no structured or legal privacy framework in place. The only federal agency that oversees digital privacy protections is the Federal Trade Commission, which addresses mainly inconsistent privacy policies from the point of view of consumer protection.

They said: "Health care providers must absolutely use whatever means are available to save lives and confine the spread of the virus. But it is up to the rest, especially those in the field of information privacy and security, to ask the questions needed to protect the right to privacy."