A recent study conducted by the Federal Trade Commission examined 12 mobile health and fitness apps and found them sending users’ personal information to 76 different third parties.

Jah-Juin Ho, an attorney in the FTC’s Mobile Technology Unit shared the research yesterday during a seminar regarding the privacy of consumer-generated health data in Washington, D.C.

According to Ho these third parties receive a handful of technical information about the users’ phones but also a variety of precise metrics and characteristics about their bodies.

“Who are these third parties and what kind of information are they receiving about our bodies?” Ho asked during his part of the seminar.

All of the third parties were found receiving phone information like the device’s screen size, device model, language setting – while 18 of the 76 collected exact information like the phone’s Unique Device Identifier (UDID), the phone’s media access control address (MAC address) and its International Mobile Station Equipment Identity (IMEI).

Meanwhile, other third party companies received detailed consumer information, including users’ running routes, eating habits, sleeping patterns and even the cadence of how they walk or run; 22 of the 76 third parties received information about users’ exercise information, meal and diet information, symptoms, gender, geo-location information, zip codes.

Four of the 12 apps were found sending data to one specific ad company and some of them didn’t even bother anonymizing the information.

“It wasn’t uncommon for third parties to identify users by their first name, last initial and then a stream of identifiers,” Ho said Wednesday.

In some instances, Ho adds, the same third party received the same identifier from multiple apps, meaning it’d be even easier for the third party group, usually an advertising company, to be able to lump together data from the same customer.

Ho wouldn’t name any of the apps the FTC looked at and claims the project was meant to be a small snapshot in time. The experiment examined two daily activity apps connected to wearables, two exercise apps, two dietary and meal apps and three system checker apps.

“We were as permissive as possible, meaning that if an app asked us for permission to access a certain feature or to sync with another app, we always accepted and opted in,” Ho said, discussing the research.

Ho’s research is in line with a handful of studies from the past year.

In July 2013 a Privacy Rights Clearinghouse study looked at 43 paid fitness and exercise apps. A large percentage of those apps did not have privacy policies and only 13 percent of them encrypted all data between the app and the developer’s website. On top of that, similar to Ho’s study, a third of the apps were found transmitting user information to a party not disclosed by the developer or the developer’s website.

Joseph Lorenzo Hall, the Chief Technologist for the Center for Democracy & Technology, pointed out later in the seminar that these leaky apps could be putting user’s physical safety at risk.

“If you’re talking about running routes and things like that, you may be able to predict where someone is alone and when they’re not at home and that can be extremely sensitive given your own personal context,” Hall said.

Categories: Government, Mobile Security, Privacy