Privacy and Security of Digital Opioid Addiction Treatment and Recovery Apps in the Google Play Store
Check out our first report completed in collaboration with:
- Sean O’Brien MA (ExpressVPN + Yale Law School/Yale Privacy Lab)
- Esther Onfroy (Defensive Lab Agency)
- Jacqueline Seitz JD (Legal Action Center)
- Jonathan Stoltman PhD (Opioid Policy Institute)
Our analysis (technical report detailed here) identified these 3 overarching issues with opioid addiction treatment and recovery services on the Google Play Store:
- The line between a clinical environment and an app is blurred. Apps frequently engage in tracking for ad purposes which violates basic patient privacy and the assumption of confidentiality. This runs contrary to established protocols in healthcare, especially where disclosure and patient records are concerned.
- Topics like drug addiction are extremely private because of potential legal, employment, and housing issues. Data about patients who use opioid addiction treatment and recovery apps should thus be handled with care similar to the expectations placed on traditional addiction treatment facilities. Patients would have a reasonable expectation that opioid addiction treatment and recovery apps abide by the same privacy and ethical principles as other addiction treatment providers. What we see “in the wild” is the encroachment of third-party data brokers, as well as potential data-sharing practices that seem to clash with established healthcare regulations. Some 3rd party SDKs (software development kits) are linked to app functionality such as payment processing or crash reporting; however, many are linked to advertising and “attribution” companies.
- Many opioid addiction treatment and recovery apps included in this analysis gather smartphone sensor information unrelated to treatment (e.g., geolocation data). This type of data collection may not be readily apparent to patients who use these apps and is outside of data needed to provide traditional clinical care. Privacy policies and terms of service agreements that may mention these disclosures are often filled with legal jargon and not readily accessible for patients seeking care.