Period tracking apps are no longer safe. Delete them
The battle over abortion and women’s rights to healthcare reached a peak in the United States the moment the landmark Roe v. Wade case was overturned by the Supreme Court.
In a number of states, either already or in the coming weeks, providing abortion healthcare services is being made illegal, or restricted so heavily that such services will be almost impossible to obtain.
Concerns have now been raised over period tracking apps’ data practices and security, and what their use could mean for those able to get pregnant in the future.
The message is simple: You should stop using them. As warned by Professor Gina Neff, you should “delete every digital trace of any menstrual tracking.”
This is why.
The Electronic Frontier Foundation puts it thus:
“Service providers can expect a raft of subpoenas and warrants seeking user data that could be employed to prosecute abortion seekers, providers, and helpers.
They can also expect pressure to aggressively police the use of their services to provide information that may be classified in many states as facilitating a crime.”
We understand that our users place trust in our technology to keep their sensitive information private and the responsibility we have to provide a safe and secure platform for them to use […] Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us.
In a 2020 study conducted by Privacy International, the civil rights group found that menstruation apps stored a “dizzying” amount of data on their users. For example, when the group requested copies of its data under GDPR from five apps, only two provided records, and these revealed data concerning menstruation, users’ sexual lives, diseases, orgasm rates, masturbation habits, medication intake, how many children they have, and more.
According to Privacy International, some of this information was shared with third parties. (It should be noted that some of the apps have reviewed their data policies since the report went live.)
The issue is that some period tracking apps may have vague data protection policies, may share information without recognizing that it could be used against their users, or may outright sell information to third parties.
“Americans lack fundamental privacy protections. Post-Roe makes that tragically clear. For many women, post-Roe privacy is more urgent. But privacy is even more important for ALL of us now,” Neff says, adding:
Pay attention to your apps. They are an easy target, and they affect many of us. What are their data policies? How are companies protecting their users? What are their data retention policies? What do app companies do with law enforcement subpoenas?
Every time Mozilla releases its Privacy Not Included guide, we find that apps providing sensitive services, including health apps, are lax or fail spectacularly at security. It’s not just about an app provider’s intentions; you also need to assess the vendor’s technical expertise and understanding of cybersecurity.
“Privately-owned user data cannot be protected from state-mandated legal action,” commented Issy Towell, Wearables Analyst at CCS Insight. “Unless that changes, it is the responsibility of apps to demonstrate a genuine duty of care for users by rethinking the kind of data it collects on them.”
There may be some apps out there that are more secure than others, where data is protected due to where it is stored and the legal requirements in that area.
For example, Natural Cycles, while FDA-cleared, stores its data in Europe and is, therefore, subject to GDPR requirements. Furthermore, the app’s developers told us that data is encrypted both in transit and at rest, and “we have never — and never will — sell user data.”
Prior to the ruling, Natural Cycles told ZDNet:
Natural Cycles is not a covered entity by HIPAA, not by choice, but because we do not handle medical electronic records. It is important to note, however, that HIPAA is not the only data safeguard. As potential legislation changes arise, we remain focused on being a company committed to doing the right thing for our users vs. relying on specific laws that are subject to change.
On June 24, the company’s chief executive, Elina Berglund Scherwitzl, said that an anonymization feature was being developed to mask user identities.
Flo also says it will never sell personal data and is following suit with an upcoming “anonymous mode.”
Glow said that “doing anything that violates their [user] trust would go against our core values, we’ll always do our very best to get things right and serve our users well,” but beyond this boilerplate statement, has not announced any concrete changes to its product.
On June 26, the iOS Stardust menstruation tracking app said it was working “around the clock” to improve user privacy. Stardust says that there is an “encrypted wall” separating user PII from activity data, and that it is working on a no-account, no-PII signup option. However, without a transparent, public, external audit conducted by a reputable cybersecurity expert, a mention of encryption on its own is not necessarily enough: it says nothing about who holds the keys, what the vendor itself can read, or what it would hand over in response to a subpoena.
Clue is based in Berlin. On June 25, the organization said it would not respond to any subpoena requests made by US authorities and emphasized that it is bound under EU law not to disclose private health data.
“As a European company, Clue is obliged under European Union law (GDPR) to apply special protections to our users’ reproductive health data,” the company says. “We will not disclose it. We will stand up for our users […] We repeat: we would not respond to any disclosure request or attempted subpoena of our users’ health data by US authorities. But we would let you and the world know if they tried.”