Apps that store sensitive health data aren’t rare anymore. Besides the apps from my actual health providers (which have to comply with HIPAA laws), I’ve used apps that track my weight, my fitness habits, my mental health, my periods, and more. In many cases, the apps are sharing or selling your data, and it’s linked to you—even if you sign up with a dummy email.
How is that possible? Well, first of all, if you use the same fake email everywhere, it still identifies you even if you think of it as fake. When companies swap data, they often want to figure out who’s who, and they match whatever data they have. Even if you manage to use a different throwaway email address for every app, there are other identifiers they can use.
If you log in to anything with a Facebook or Google account, that identifies you. If you provide a phone number—and it’s not a different burner every time—that identifies you, too.
But even a steady supply of fake emails and phone numbers won’t keep you private. One recent study of depression and smoking cessation apps on both Android and iOS found that some of the apps use device identifiers, which are tied to your actual phone. Another study of Android health apps found that 45% connect device identifiers to your data, and many of these transmit that data without encryption.
There isn’t a good solution to this problem yet. Fake emails might help a little, or at least they probably don’t hurt. You can reset your phone’s advertising identifier from time to time, but there are several types of identifier and not all of them are resettable. You can try changing your email or phone number in your health app, but they may still hang on to the data you’ve already entered rather than deleting it. For now, the best solution may just be to be judicious in your use of health related apps, and aware of the risk.