In the past year, the U.S. CDC has advised the usage of apps as part of its social distancing guidance, recommending that healthcare facilities and providers offer clinical services through virtual means.
This increased adoption of telehealth services brings with it new and unprecedented privacy and security challenges. In particular, patient records for addiction treatment and recovery are extremely sensitive. Millions of Americans are impacted by addiction, inflicting a heavy toll on communities in the U.S. in the past two decades. As the opioid crisis continues, people seeking treatment for addiction will be increasingly drawn to telehealth solutions delivered by their smartphones.
With this in mind, our team at the ExpressVPN Digital Security Lab set out to identify privacy and security issues that affect telehealth solutions for opioid addiction treatment and recovery. We partnered with the Opioid Policy Institute (OPI) and the Defensive Lab Agency. Additionally, we engaged researchers from Yale University and the Legal Action Center (LAC) for their feedback and input. All of the contributors agree that the findings include troubling and conspicuous signs of privacy and, potentially, security issues.
The apps we studied have a vast reach, coverage in all 50 states, and more than 300 million USD in funding from investment groups and the federal government. In some cases, these apps represent growing and influential social networks. Loosid alone claims over 100,000 users and 1.4 million “dating interactions” and is marketed as “the world’s most popular sobriety and recovery app,” while Sober Grid is branded “the world’s most popular mobile sober community.”
Access of unique identifiers in opioid telehealth apps
Perhaps the most alarming revelation from our study of ten opioid addiction treatment and recovery apps is the consistent access of unique identifiers. These range from software-defined IDs to those that are tied strongly to the smartphone’s hardware and the consumer’s account with a cell provider. For example:
- 7 out of 10 apps access the advertising ID.
- 5 apps access the phone number.
- 8 apps access other telephony information such as the carrier name.
- 3 apps access the IMEI and IMSI from the cell provider.
- 1 app accesses the serial number from the cell SIM card.
- 3 apps access the network information/IP address.
- 1 app accesses the hardware address/MAC address.
Why such information is collected for addiction treatment and recovery is uncertain, but it should certainly be considered sensitive in that context. Other smartphone data collected by many of these apps offers opportunities for identification and surveillance. This includes logs of device activity, the list of other apps installed on the device, and both coarse and fine location data.
As the ExpressVPN Digital Security Lab revealed in Investigation Xoth, some Software Development Kits (SDKs) are designed specifically to track location data. In our current study, we have also discovered a high prevalence of tracker SDKs. Though their approaches to data collection and processing vary, many have the capability to ingest location data and correlate it with other information from smartphone sensors.
Though some of the opioid addiction recovery and treatment apps we analyzed did not require detailed sensor input, such as PursueCare, others requested permission for detailed sensor data. For example, 7 out of the 10 apps we studied request permission to make Bluetooth connections and 7 out of 10 apps also access location data, if available. Correlated with data from other smartphones and IoT hardware such as beacon devices, smart speakers, and even the sidewalks in smart cities, this information can be utilized to compile data profiles on an individual person.
Better privacy for a valuable tool
Though each app may differ in its implementation, the sheer amount of data available to the majority of the apps we studied raises questions about the privacy and security practices of telehealth apps.
That said, we wish to emphasize the central role that addiction treatment and recovery apps may play in the lives of people with an opioid addiction. The availability of telehealth is perhaps more prescient than ever, and traditional brick-and-mortar addiction treatment facilities face unprecedented budget crises and closures related to Covid-19.
For this reason, it is paramount that criticism of telehealth apps not be misconstrued as calls for their removal from distribution or bans on their usage. Instead, we wish to place emphasis on the importance of patient and end-user privacy, shining a light on growing and prescient concerns within the domain of telehealth treatment.