By Khadeeja Safdar and Kevin Poulsen
When users open the Contact Tracing app on their phones, they
expect to see an alert saying where they were exposed to the new
coronavirus.
Less expected: ads for a house roofer and a crossword game,
based on their online activity.
The app, which lets users report virus test results and track
contact with others, is a rare example of a developer earning ad
revenue with a Covid-19 app.
Alexander Desuasido said he created the app in his free time
after two earlier versions were rejected from app stores. The
44-year-old coding teacher in Foster City, Calif., said he was
upfront with users about the ads and that they were his "only way
of providing a free service to people."
Apple Inc. said that contact tracing apps are prohibited from
displaying ads or offering in-app purchases and that it is working
with the developer to resolve the issue. Google, which removed the
app from its store last month, said the ads don't comply with its
policy.
The listing of Mr. Desuasido's app in Google and Apple app
stores alongside apps produced by state health departments
underscores a growing challenge: There is no national standard for
how coronavirus apps should work or which details are shared, even
as state governments reopening their economies turn to the apps to
trace contacts of people who test positive for the coronavirus.
According to a new study of more than 100 apps in the Google app
store by the International Digital Accountability Council, a
watchdog group, and an analysis by The Wall Street Journal, some of
the emerging contact tracers and symptom trackers aren't
transparent about what they are doing with user data, potentially
allowing the use of private health-care data for advertising.
Others share information such as location data with third-party
services.
A Covid-19 tracker created by Medinin, a developer in India, has
been transmitting user geolocation and phone numbers without proper
security safeguards, potentially exposing the information to
hackers, the IDAC researchers found.
Medinin didn't respond to a request for comment.
"We've seen bad privacy practices," said Quentin Palfrey,
president of the IDAC. "The fact that we have not yet observed
those bad privacy practices translating into demonstrable ongoing
harm doesn't mean that the harm isn't happening or might not be
happening in the future."
He said the only way the apps can slow the spread of a virus
that has already caused more than 100,000 deaths in the U.S. is if
enough people trust them to download. "Undermining public trust by
failing to live up to best practices could hamper pandemic
response," he said.
A spokesman for Google said that "if an app doesn't comply with
our policies, we will work with the developer to identify and
address any issues." The spokesman declined to respond to specific
cases.
The number of Covid-19 apps has surged over the past two months
as developers join with local governments and health-care
professionals. U.S. lawmakers are trying to rein in the market:
Federal bills proposed recently aim to limit data for public health
use and increase security measures, such as mandating deletion of
data by tech firms after the pandemic.
"It's a different category of apps that deserves a different
category of criteria," said Mike Sax, founder and chairman of the
App Association, a trade group for app makers. "This deals with
very sensitive data."
Google and Apple have meanwhile become de facto regulators of
virus apps, deciding which of the many developers can offer
services in their stores. For contact tracing, the main requirement
for entry is proof of a relationship with a government entity or
health-care organization.
There are still lapses.
Some Covid-19 trackers have no privacy policy listed in the
Google app store, violating its rules, according to the IDAC. The
researchers also found that some of the apps included computer code
that could be used to interact with social media, allowing them to
target advertising or process online purchases.
CG Covid-19 ePass, which was created by a developer in India,
requested camera permission to take selfies of users to prove they
are complying with quarantine rules. But it isn't clear what the
app developers plan to do with those photos, according to IDAC
researchers. The developer for CG Covid-19 ePass didn't respond to
a request for comment.
Mr. Desuasido, who launched the ad-supported Contact Tracing,
said his app has been used in several countries with thousands
downloading it daily. He said he had no health-care experience but
had created other apps, including one to manage cryptocurrency.
When Contact Tracing was first approved by the Apple and Google
stores, Mr. Desuasido began drawing revenue through Google's AdMob
mobile ad platform, which allows Google to link the app user to
other data on the user.
In its privacy policy, the app discloses that it uses the Google
ad network and outside analytics services "that may collect
information used to identify you." A Journal analysis showed that
the app is also allowing Facebook to link app users with their
accounts. Mr. Desuasido said he made an oversight by not mentioning
Facebook in the privacy policy.
Mr. Desuasido showed the Journal letters from the vice mayor of
Daly City, Calif., and from a representative from the Ilocos Norte
province in the Philippines that he had submitted to Apple and
Google to show that he was working with government entities.
Juslyn Manalo, the vice mayor, said that she vouched for Mr.
Desuasido and that local officials are still deciding how to
proceed with the contact tracing app. "I thought, why not work with
someone locally?" she said. "When I first heard of it, he was one
of the only ones doing it." The representative from Ilocos Norte
didn't respond to requests for comment.
Mr. Desuasido has recently encountered some confusing
headwinds.
Last month, Google removed his app from the store because it
appeared to "profit from a tragic event," according to an email
that Google sent him, viewed by the Journal.
But later, the search giant told him that it could be reinstated
if he produced documentation from the executive branch such as the
governor, an email from Google shows.
Meanwhile, Mr. Desuasido said his app in the Apple store
continued to use Google's ad network, meaning the search giant has
been potentially profiting from the app it banned and sharing the
revenue with Mr. Desuasido.
Mr. Desuasido said he has been reinvesting the revenue to
improve and market the app and was only just starting to break
even.
That could also change now.
On Thursday, after the Journal's inquiry, Google said it was
demonetizing the app in the Apple store.
Mr. Desuasido said he would have to comply with Apple's recent
request that he remove ads. All this, he said, will require him to
remove features in the current app like alerts that require costly
servers.
"The rules for this keep changing depending on the day," he
said. "The key is to be persistent and keep following up."
Write to Khadeeja Safdar at khadeeja.safdar@wsj.com
(END) Dow Jones Newswires
June 05, 2020 10:13 ET (14:13 GMT)
Copyright (c) 2020 Dow Jones & Company, Inc.