Privacy Matters
Aug 31, 2018 (34 tweets)
An NHS app intended to get people from ‘couch to 5k’.

“Analytics and Advertising tracking SDKs. As these features are critical to Our ability to provide users with free, high quality mobile applications it is not possible to opt out from tracking features.” < WTH! No. No. No.
I don’t have time to go through this at the mo .. but I will, given that family has asked me “is it ok from a privacy perspective? .. it is the NHS after all.” <visions of #HanCocksApp
“We are also working closely with third parties (including, for example, business partners, sub-contractors, delivery services, analytics providers, search information providers) and may receive information about you from them” <much to dig into
“Information We collect about you.
We may use this information: to provide you with targeted advertising that We feel may be of interest to you.”
“We may share your information with selected third parties including but not limited to:

Business partners, suppliers and sub-contractors for the performance of any contract We enter into with you.” <business partners ?🤔
“We may share your information with selected third parties including but not limited to:

Local councils with which We collaborate to advise and support them in the delivery of their public health function, but only in an anonymised manner.”
“We may share your information with selected third parties including but not limited to:

Analytics and search engine providers that assist Us in the improvement and optimisation of Our Site(s).”
“Disclosure of your information
We may share your information with selected third parties”

“We may disclose your personal information to third parties”

<‘share’ ‘disclose’
And wow. Real-time bidding for advertising.
“Advertising cookies. AppNexus

​This is a technology platform (Platform or AppNexus Platform) that We use to buy, sell, and deliver online advertising, including interest-based advertising, mostly through real-time bidding.”
“The AppNexus Platform is designed to enable other companies (their clients) to buy, sell, or deliver advertising using “Platform Data” that clients may collect using the Platform, derive from their use of the Platform, or acquire from other sources and then use on the Platform.”
When considering the stated intention to use people’s data for advertising, consider that this app supports ‘family sharing’ for up to six people 🤔
But hey, PHE graciously advise how you can opt out of AppNexus advertising “You can click below to opt out of having the Platform used to select ads for your browser based on your online web browsing behaviour.” <Except that involves more Ad tracking by AppNexus.
And let’s not forget that the OneYou site leaks referrers .. 🤦‍♂️
More “Interest-based advertising SDKs - RhythmOne

To identify the interests of users, so that We can deliver advertising that is more relevant to your interests. For more information on RhythmOne and its privacy practices, please visit:….”
And, you guessed it, the opt-out involves more Ad tracking .. & quite how the @PHE_uk thinks people will discover all this let alone understand it is beyond me
“Analytics and Advertising tracking SDKs

As these features are critical to Our ability to provide users with free, high quality mobile applications it is not possible to opt out from tracking features.” < stay with me twitter ... you may feel like popping a pill right now but ..
But, “Downloading Our Apps is deemed acceptance of these terms”… but don’t worry, cos, “if you are concerned about this type of tracking having downloaded Our App(s) We would recommend deletion of the app” <cos they care about you and your privacy innit
“Interest-based advertising SDKs

You can opt out from receiving Targeted Advertising based on data collected via your mobile applications by following your Device maker’s most current published instructions” 🤦‍♂️🤦‍♂️👇
☝️ how many people downloading the app will (a) reasonably expect a public health app to track their behaviour for targeted advertising? (b) discover the information about Ad tracking (c) are aware of and set anti Ad tracking OS settings? I’m kind of flabbergasted TBH
“When you opt out, We will stop (a) collecting information about your interests via Our Apps and (b) serving you Targeted Ads based on the data collected via Our Apps”

I think serious questions need to be asked of @PHE_uk
At no point in the app installation process is a person given any privacy information, especially about ad tracking and targeting.
A privacy policy is linked at the bottom of a page found under the ‘support’ icon
The thread so far is based on the privacy policy. Just looking at the ToS “By downloading the App(s) or clicking on the "accept" button below you agree to the terms of this EULA which will bind you. The terms of this EULA include, in particular, the privacy policy” <ooh ‘bind’
Ooh ToS. Using a phone provided by your employer? Asked them for permission to download the app? “You will be assumed to have obtained permission from the owners of the mobile telephone or handheld devices that are controlled, but not owned, by you”
Ooh ToS. “Additionally, by using the App(s) or any Service(s), you acknowledge and agree that internet transmissions are never completely private or secure.” erm
ToS “By using the App(s) or any of the Service(s), you consent to us collecting & using technical information about the Devices & related software, hardware & peripherals for Services that are internet-based or wireless to improve our products & to provide any Service(s) to you.”
👆very problematic ... consent eh? 🤔 consent is not always required to make processing lawful. But where consent is required .. then this app ain’t meeting the legal standard 🙇‍♂️
Oh my. “the outcome of any study completed on the data collected (which shall be aggregated and anonymised) may form part of one or more scientific publications and may inform research and policies related to health and wellbeing, mobility, computer science, and related fields”
☝️THAT wasn’t mentioned in the privacy policy. ‘Aggregated’ ‘anonymised’ - which is it as they’re not the same. What standard? What ethics review board are studies and research subject to .... 🤔
Ooh ToS. Bless em. 👀 “In consideration of you agreeing to abide by the terms of this EULA, we grant you a non-transferable, non-exclusive licence to use the App(s) on the Devices, subject to these terms, the Privacy Policy and the Appstore Rules” < far too kind.
Ooh ToS. “Acceptable use restrictions
You must:
(a) not use the App(s) or any Service(s) in any unlawful manner, for any unlawful purpose” <talking of lawful .. I haven’t even started analysing this against ePrivacy & GDPR. 😮
👆All this because family asked me if the “NHS app .. couch to 5K” was ok from a privacy perspective.

Well, no. It isn’t ok if the processing set out in the privacy policy is taking place - such as behavioural targeted advertising and real time bidding - in a PUBLIC health app.
But what I’m hoping is that the tracking and ad targeting and real time Ad bidding are not true and also that the use of data for research etc is subject to various controls and oversight.
