Reprimands & Commendation (2019)

Apps, Health Data, Cameras

Reprimands in 2019 go to mood tracker apps, Berlin’s Public Transport Company and the Edeka-Center supermarket in Porta Westfalica. A commendation is given to the physicians’ association Freie Ärzteschaft together with IT service provider Jens Ernst.

Mood Trackers

The number of people diagnosed with depression is continually rising. Several reasons can be identified. For one thing, depression is no longer such a strong taboo. But for many the issue is still a cause for embarrassment: they regard it as a weakness to feel sad, lack drive, or be in despair. This is why some people seek assistance from so-called mood tracker apps: these help users reflect on their own frame of mind and assess whether they are suffering from depression.

It might seem enticing at first to share such vulnerabilities only with my smartphone, which nobody else sees, in confidence and anonymity. Unfortunately, sometimes it is not an anonymous experience at all: companies such as Google or Facebook won’t stop looking, even at sensitive health data.

One popular mood tracker is Mood Path [1]. According to its website the app “accompanies you on your way out of depression” and is CE certified. The site also claims that use of the app is anonymous: no registration via e‑mail or Facebook is required. The latter claim is correct, but there is no anonymity.

Tech blogger Mike Kuketz has taken a closer look at the app [2] and found out which data are shared nonetheless, with no lesser data leech than – wait for it – Facebook:

  • IP address
  • Google ad ID (82bbc559-8c1d-4202-a9f0-deb029f62a45)
  • App package name (de.moodpath.android)
  • App version number (1.0.5)
  • Android version (6.0.1)
  • Device (Nexus 5)
  • Display resolution (1080, 1800)
  • […]

That is enough to identify you – yes, you personally – as a user of this app.
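Why the list above is enough to single someone out, shown as an added Python example (not from the laudation or from Kuketz’s analysis): a small audit over constructed traffic-capture records flags third-party requests that carry a well-formed advertising ID, or an IP address together with several device attributes. The host names and payloads are constructed; the package name and field values mirror the list, and the first-party heuristic (reverse-DNS package name → domain) is an assumption.

```python
import re
from typing import Dict, List

# Data items a tracking SDK typically sends (the list given in the text).  The ad ID
# identifies a device on its own; the others only do so in combination.
PASSIVE_FIELDS = {"package": "app package name", "app_version": "app version",
                  "os_version": "Android version", "device": "device model",
                  "resolution": "display resolution"}
UUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")


def first_party_domain(package: str) -> str:
    """Heuristic (assumption): reverse-DNS package 'de.moodpath.android' -> 'moodpath.de'."""
    parts = package.split(".")
    return f"{parts[1]}.{parts[0]}" if len(parts) >= 2 else package


def is_third_party(host: str, package: str) -> bool:
    fp = first_party_domain(package)
    return not (host == fp or host.endswith("." + fp))


def audit(records: List[Dict], package: str) -> List[Dict]:
    """One finding per third-party request whose payload singles out the device."""
    findings = []
    for rec in records:
        if not is_third_party(rec["host"], package):
            continue
        fields = rec["fields"]
        # A well-formed advertising ID is a stable cross-app identifier by itself
        has_ad_id = bool(UUID_RE.match(fields.get("advertiser_id", "")))
        passive = [PASSIVE_FIELDS[k] for k in PASSIVE_FIELDS if k in fields]
        # IP address plus three or more device attributes is a usable fingerprint
        fingerprintable = "ip" in fields and len(passive) >= 3
        if has_ad_id or fingerprintable:
            findings.append({"host": rec["host"], "ad_id": has_ad_id,
                             "fingerprint_fields": passive,
                             "fingerprintable": fingerprintable})
    return findings


# Constructed capture modelled on the items listed in the text; not real traffic.
SAMPLE_CAPTURE = [
    {"host": "graph.facebook.com", "fields": {"ip": "198.51.100.23",
        "advertiser_id": "82bbc559-8c1d-4202-a9f0-deb029f62a45",
        "package": "de.moodpath.android", "app_version": "1.0.5",
        "os_version": "6.0.1", "device": "Nexus 5", "resolution": "1080,1800"}},
    {"host": "api.moodpath.de", "fields": {"ip": "198.51.100.23", "app_version": "1.0.5"}},
    {"host": "crash.example-sdk.test", "fields": {"app_version": "1.0.5", "os_version": "6.0.1"}},
]
```

Calling `audit(SAMPLE_CAPTURE, "de.moodpath.android")` reports only the request to graph.facebook.com: the first-party request is skipped, and the third record carries neither an ad ID nor an IP address, so it does not fingerprint the device.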

The picture is similar for the online service Selfapy [3]. The platform is advertised as a way of bridging the gap until a therapist is found who can take on the new client, or to support an ongoing therapy. The offer includes counselling and online training courses with qualified psychotherapists. The problem is: the website is infested with Google trackers.

Various data scandals have shown that even the largest companies cannot be trusted with data security. As recently as April 2019 it became known that the passwords of millions of Instagram users had gone astray, and in May a security gap in WhatsApp was announced that facilitated the installation of spyware – both these services are owned by Facebook [4].

And even if our own data might not get stolen – do we really want to share information about our psychological health and illness with a company that won’t even shy away from offering psychologically insecure teens to advertising customers as a target group [5]?

Berlin’s Public Transport Company, BVG

There is a particular lie that has been around for so long and is so prevalent in everyday life that people have started to believe it: “This area is under video surveillance for your protection”. All studies suggest that video surveillance is no effective protection from violence and terror [6]. And there is grave collateral damage: people who feel that they are being watched change their behaviour. This surveillance pressure and self-censorship affects everyone who moves around in an inner-city area. There is hardly a place where we are not being stared at and filmed by cameras.

There is no transparency: nobody tells me whether a camera’s images are stored or not. I do not know when stored footage will be deleted. I do not know if the camera is on a network and where the data is sent. We are exposed to this whenever we are in a public space, and we can’t do anything but hope that the people operating the surveillance equipment will adhere to the law and know how IT security is done.

Berlin’s Public Transport Company (Berliner Verkehrsgesellschaft, BVG) ups the ante: a question to the State government of Berlin (the Senate) revealed that new cameras in BVG trains and stations can record and transfer sound as well as images [7].

While BVG assures us that the microphones are disabled, no passenger is able to verify this. And experience shows that where surveillance technology is installed, it will get used at some point in time. Surveillance equipment, once it is acquired, is never written off as a failure and removed. Normally it gets extended and used for more and more purposes.

To ask so much trust from one’s passengers seems absurd, in particular if the company in question apparently distrusts its passengers so much that it monitors them at all times using cameras from various angles.

It should long have been clear that security requires neither cameras nor microphones. People who look out for each other and have the courage to step in when a situation calls for it are more effective.

“Smart Cart” – Edeka supermarket in Porta Westfalica

“The most modern shopping trolley in the world!” This slogan from a data-collecting start-up together with the Edeka-Center in Porta Westfalica seems a bit forced. It refers to the so-called “EASY Shopper”, a shopping trolley that promises ultimate comfort to customers: self-scanning avoids long queues at the check-out. Enter a product into the built-in tablet and be guided towards it via GPS. Great discount campaigns, and: submit your shopping list at home, and all you need to do in the shop is push the trolley where it tells you to go.

How does the trolley know your shopping list? Exactly, that is the catch: via a connected app, or using the “DeutschlandCard” – a loyalty card just like Payback, which is only worthwhile to the companies involved because they trade the data that is stored, that is, the shoppers’ preferences: coffee or tea, cheap sausages or vegan sandwich spread, menstrual cup or sanitary pads, toilet paper from recycled tissue or extra soft …

To register these data and then store and sell them is shameless – to advertise such practices using superlatives of the word “modern” even more so.

We have said it before – back then it was with regard to face recognition and personalised advertising [8]: Dear retailers, we prefer to do our shopping without monitoring and surveillance. Unfortunately this is almost impossible online, but it is still possible in offline shops – so far! We want it to stay that way. Please don’t wreck this unique selling point through your own misguided actions!

Commendation: physicians’ association “Freie Ärzteschaft” and Jens Ernst

An infrastructure called telematics, for exchanging health data between surgeries, health insurers and pharmacies, is under development in Germany. This is related to the switch to the electronic health card, or eCard. Tasked with the implementation is a company called Gematik, “Gesellschaft für Telematikanwendungen der Gesundheitskarte” (company for telematics applications of the health card).

Exchanging health data via the Internet is a problem in itself. We only mention this general issue in passing.

Our main point here is due diligence regarding IT security. To be linked to the telematics infrastructure, surgeries and hospitals must purchase certified connectors and have them installed. Unfortunately this has gone badly wrong.

As the connectors were installed, a misconfiguration caused the firewall and antivirus software to be deactivated in hundreds of surgeries. All patients’ data were exposed to the net without strong protections. Gematik wants to shift the responsibility for the error onto the implementing service providers and the individual doctors. These are under enormous pressure because they face fines if they are not linked to the infrastructure by the end of June 2019 – the end of this month.

This grave error only became known because competent IT employees in surgeries double-checked what the telematics admins were doing. Above all Jens Ernst: he maintains IT in several surgeries and made these sloppy practices known. That is courage! Praise is due to Jens Ernst and to all other people in independent surgeries who observe reckless practices and go to the trouble of informing the public as well as resolving the individual issues.


About BigBrotherAwards

In a compelling, entertaining and accessible format, we present these negative awards to companies, organisations, and politicians. The BigBrotherAwards highlight privacy and data protection offenders in business and politics, or as the French paper Le Monde once put it, they are the “Oscars for data leeches”.


BigBrotherAwards International

The BigBrotherAwards are an international project: questionable practices have been decorated with these awards in 19 countries so far.