Primal Wijesekera, ICSI and UC Berkeley
The regulatory landscape surrounding sharing personal health information is complex and constantly evolving. Given that a host of regulations could be relevant to mobile health applications, it is not surprising that many developers and organizations are confused about or unaware of the applicability of such regulations and how to comply. This misunderstanding may cost consumers privacy protection for highly sensitive health data. We examined the data handling practices of 408 Android telehealth apps from 36 countries. We found that a significant portion deployed event reporting, which exposes highly sensitive health data to domains not equipped to handle health data. Such practices demonstrate a clear gap between the operational, technical, and regulatory realms. In our pool of U.S.-based telehealth apps, 48.09% potentially violate at least one applicable regulation. We also uncover three main patterns of violations among the U.S.-based apps, including the potential culpability of the Android platform.
Liam Webster has contributed significantly in the course of the analysis, analyzing apps and understanding the legal context of these telehealth apps. This work was supported by the U.S. National Science Foundation (NSF) under grants CNS-2055772 and CNS-2217771.

Primal Wijesekera is a research scientist in the Usable Security and Privacy Research Group at ICSI and also holds an appointment in the EECS at the University of California, Berkeley. His research focuses on exposing current privacy vulnerabilities and providing systematic solutions to meet the privacy expectations of consumers. He has extensive experience in mobile app analysis for privacy violations and implementing privacy protections for Android. He has published in top-tier security venues (IEEE S&P, USENIX Security) and usable security and privacy venues (ACM CHI, SOUPS, PETS). He received his Ph.D. from the University of British Columbia, although he carried out his Ph.D. research at U.C. Berkeley. He also has a Master's from UBC in Distributed Systems and a BSc in CS from the University of Colombo, Sri Lanka. His research on privacy on mobile platforms has received the Caspar Bowden Award for Outstanding Research in Privacy Enhancing Technologies, the USENIX Security Distinguished Paper Award, the AEPD Emilio Aced Personal Data Protection Research Award, and the CNIL-INRIA Privacy Award. He has been a PI & Co-PI on multiple NSF Projects focusing on privacy and regulations.

author = {Primal Wijesekera},
title = {Demystifying the Android Telehealth Ecosystem},
year = {2025},
address = {Santa Clara, CA},
publisher = {USENIX Association},
month = jun
}