Contact-tracing apps aren't meant to share location data, but Care19's does

The developer says it uses Foursquare's API to collect the names of places where its users have been. But doing so may violate Apple and Google's rules.

SOPA Images/LightRocket/Getty Images

Care19, a contact tracing app developed for use in North and South Dakota, has quietly been sending data on its users' location to Foursquare. This despite the fact that its own privacy policy explicitly states that Care19 doesn't share data with any third party without the user granting it permission to do so. Apple and Google's rules for contact tracing apps forbid developers from collecting location data, meaning Care19 is in violation. It also doesn't set a good precedent for contact tracing apps generally.

Apple told The Washington Post that it is investigating the situation. Care19 says it encrypts location data on its servers so only users themselves can see it, but sending any data to Foursquare flies in the face of the guidelines.

What Care19 does — Care19 creates a log of all the places a person has visited in the previous 14 days so health officials can retrace the steps of infected individuals and warn others who've been near them of potential exposure. If a user has tested positive for coronavirus they can voluntarily provide their log to health officials directly through the app. Care19's developer, North Dakota-based ProudCrowd, says that it uses Foursquare's location API to convert latitude and longitude data it collects into the specific names of businesses its users might have visited.

Foursquare is a leading provider of location services to app developers. When you open Uber and type in the name of a restaurant you'd like to visit, for instance, that app is using Foursquare's database to determine the exact address of the business.

This is what Apple and Google tried to prevent — ProudCrowd's reasoning for using Foursquare isn't bad. But Apple and Google made a big deal of emphasizing that any contact tracing apps would be required to have strict privacy measures in place and that they would closely vet every app submitted. The effectiveness of contact tracing to help curb the coronavirus pandemic relies heavily on the public's willingness to download the apps (or enable tracing once it's built directly into the operating system), and learning that one such app is quietly sending sensitive data to an obscure company that could use it however it wishes certainly won't help with adoption.

Some people are understandably concerned their self-reported infection status could reach third parties and lead to consequences like discrimination or targeted advertising that exploits fears about the virus. Meanwhile, privacy worries have led some governments, like the U.K.'s, to avoid Apple and Google's solution entirely.

Foursquare told The Washington Post that once it receives location data for a Care19 user, it identifies nearby places and sends that information back to the app. It immediately deletes all such data from its servers afterward, and Foursquare says it doesn't charge Care19 for the service. But that's not really the point.

Contract tracing's dubious impact — The actual efficacy of contracting tracing is still up for debate. Besides the hurdle of getting users to voluntarily enable it, experts warn that the process could lead to many false positives. If someone below you in your apartment building tested positive for coronavirus, for instance, you likely won't get it from them but you'll likely still be alerted to a potential contact.

ProudCrowd says it's updating its terms of service and working on a new version of Care19 that will comply with Apple and Google's rules.