The private testing has started!

Blog How health and well-being apps are tracking you, with a real-world example

Please, mind this article is being drafted or rewritten and may contain imperfections. It has not been yet reviewed for final publication.

Consumer data is an invaluable tool for companies to better understand their customers' needs, wants and desires. In fact, all big tech companies engage in some form of data collection and even smaller ones do it. The problem, however, is when data collect...

Consumer data is an invaluable tool for companies to better understand their customers' needs, wants and desires.

In fact, all big tech companies engage in some form of data collection and even smaller ones do it.

The problem, however, is when data collection turns into data harvesting.

Almost all mHealth Apps on Google Play Engage in Bad Data Collection Practices, Study Finds

According to the research paper "Mobile Health and Privacy: Cross-Sectional Study" which was written by the Optus Macquarie Univesity Cyber Security Hub in Sydney and published by the British Medical Journal, most medical, health and fitness apps on Google Play engage in unhealthy data harvesting habits.

The analysis covered 21,000 mHealth apps available on Google Play from Australia, including 13,000 "health and fitness" and 8,000 "medical", and discovered that as much as 88% of them include a code that can access and share users personal data with third parties.

It was found that every two out of three apps collected cookies and MAC identifiers, every third collected user's email addresses and every fourth was able to deduce user location based on the cell tower they were connected to.

The study reads:

The main types of data collected by mHealth apps include contact information, user location and several device identifiers. Parts of these identifiers (specifically, international mobile equipment identity (IMEI), a unique identifier used for fingerprinting mobile phones; and international mobile subscriber identity (IMSI), a unique identifier that uniquely identifies every user of a cellular network) are unique and persistent (ie, they are immutable and cannot be changed or replaced) and can be used by third parties to track users across networks and applications.

What are Unhealthy Data Harvesting Habits by Companies That You Should be Cautious of?

All companies are collecting data. However, there is a big difference between that do it transparently and those who engage in shady data collection practices.

For example, Privacy International conducted an in-depth analysis of data collection practices in the diet industry websites in September 2021 and found that the majority encourage their users to share their sensitive data, without giving much explanation about what happens to their data and how it is used.

So how can you tell whether a company is collecting your sensitive data ethically or unethically?

There are four main factors to consider here:

  1. What data is the company collecting and is this data necessary for them to provide their service?
  2. In what format is the stored data kept?
  3. How long do they store data after collecting it?
  4. What third parties and vendors do they share this data with?

Let's say that a mHealth app wants to collect data from you. This can be your name, email address, age, gender, weight, height, etc. All of this data is necessary for these apps to function properly and provide their service.

However, would they need some other sensitive data such as your home address for instance? This data would not be necessary to provide their service.

Next, how is the data stored?

The format in which the company stores its users' data directly affects the likelihood of a data breach. If the company stores the email addresses and credit card information of their customers in plaintext, without any encryption, they are effectively inviting data breaches to happen.

Also, it is important to know how long is the data collected. Data should only be collected for as long as the company needs it to provide its service to the customer.

Now, this is obviously a bit of a gray area since a company can just claim they need the data indefinitely, but a good rule of thumb here is that if you have received their service or no longer need it, the company no longer needs your data and sensitive information.

Finally, we've come to the data sharing practices. Almost all mHealth apps on the Google's app marketplace are sharing data they collected from their users.

They might share this data with partners, vendors, advertisers, or other 3rd parties, but the difference is whether they're doing it transparently (ie. telling the users who they're sharing their data with) or keeping this a secret.


Again, data collection is something that most companies today do and it's very hard to get away from it completely. The problem is that some of those companies engage in bad data collection practices that put their customers' sensitive data at risk.

This is why you should be familiar with the privacy practices of any company or app that wants to collect your data before you do any business with them.

Ready to join Liverado? Start your free 14-day trial today.