Apps that store sensitive health data aren’t rare anymore. Besides the apps from my actual health providers (which have to comply with HIPAA laws), I’ve used apps that track my weight, my fitness habits, my mental health, my periods, and more. In many cases, the apps are sharing or selling your data, and it’s linked to you—even if you sign up with a dummy email.
How is that possible? Well, first of all, if you use the same fake email everywhere, it still identifies you even if you think of it as fake. When companies swap data, they often want to figure out who’s who, and they match whatever data they have. Even if you manage to use a different throwaway email address for every app, there are other identifiers they can use.
If you log in to anything with a Facebook or Google account, that identifies you. If you provide a phone number—and it’s not a different burner every time—that identifies you, too.
But even a steady supply of fake emails and phone numbers won’t keep you private. One recent study of depression and smoking cessation apps on both Android and iOS found that some of the apps use device identifiers, which are tied to your actual phone. Another study of Android health apps found that 45% connect device identifiers to your data, and many of these transmit that data without encryption.
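To check an app for the behavior those studies describe, you can capture its traffic and look for device-tied values in it. The sketch below is an added example, not code from the article or the cited studies: it scans captured requests for device-style identifiers and marks the ones sent without TLS. The flows, hostnames and identifier values are constructed, and the three patterns (UUID-format advertising ID, 16-hex Android ID, Luhn-valid 15-digit IMEI) are assumptions about what to treat as a device identifier.

```python
import re
from urllib.parse import urlsplit, parse_qsl

UUID_RE = re.compile(r"[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)
HEX16_RE = re.compile(r"[0-9a-f]{16}", re.I)
IMEI_RE = re.compile(r"[0-9]{15}")

def luhn_ok(digits):
    """IMEIs end in a Luhn check digit; this filters out random 15-digit numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(value):
    """Return a label if the value looks like a device identifier, else None."""
    if UUID_RE.fullmatch(value):
        return "advertising-ID-style UUID"
    if HEX16_RE.fullmatch(value):
        return "Android-ID-style hex"
    if IMEI_RE.fullmatch(value) and luhn_ok(value):
        return "IMEI"
    return None

def audit(flows):
    """flows: (url, form_body) pairs. Returns (host, field, kind, encrypted) tuples."""
    findings = []
    for url, body in flows:
        parts = urlsplit(url)
        for name, value in parse_qsl(parts.query) + parse_qsl(body):
            kind = classify(value)
            if kind:
                findings.append((parts.hostname, name, kind, parts.scheme == "https"))
    return findings

# Constructed sample capture: health fields sent alongside device identifiers.
FLOWS = [
    ("http://metrics.example.test/collect?event=mood_logged"
     "&adid=3f2b8c1e-7a4d-4e9b-9c6a-1d2e3f4a5b6c", ""),
    ("https://api.example.test/v1/sync", "device=9a1b2c3d4e5f6071&weight=70"),
    ("http://ads.example.test/track", "imei=490154203237518&steps=8123"),
    ("https://api.example.test/v1/login", "user=a%40example.test&ts=1700000000"),
]

if __name__ == "__main__":
    for host, field, kind, encrypted in audit(FLOWS):
        print(f"{host:22} {field:7} {kind:26} {'TLS' if encrypted else 'PLAINTEXT'}")
```

Encrypted requests still carry the identifier to the receiving party; the TLS column only tells you whether others on the network path can read it too.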