Monday, July 04, 2022

Period tracking apps are no longer safe. Delete them

Opinion: The convenience isn't worth the risk.


Written by Charlie Osborne, ZDNET Contributor on June 29, 2022

The battle over abortion and women's rights to healthcare reached a peak in the United States the moment the landmark Roe v. Wade case was overturned by the Supreme Court.

In a number of states, both now and expected in the coming weeks, providing abortion healthcare services will be made illegal, or so restricted they will be almost impossible to obtain.

Concerns have now been raised over period tracking apps' data practices and security, and what their use could mean for those able to get pregnant in the future.

The message is simple: You should stop using them. As warned by Professor Gina Neff, you should "delete every digital trace of any menstrual tracking."

This is why.

What is Roe v. Wade?

For those unfamiliar with the current upheaval in the US, the 1973 Roe v. Wade case, brought forward against state laws restricting abortion, was a landmark ruling that effectively legalized the procedure in the United States.

Different US states still take varied views on abortion and when it is permissible, but those who can become pregnant had a constitutional right to the healthcare service.

In May, reports surfaced of a leaked draft majority opinion showing the US Supreme Court was likely set to overturn Roe v. Wade.

As reported by the Associated Press, Senate Democrats tried to enshrine the 50-year-old ruling into law through new legislation, which, if passed, would have made abortion rights far harder to overturn. However, the proposed bill was blocked by the Republican party.

On June 24, the Supreme Court overturned the ruling and the impact was felt almost instantaneously, with some states enacting so-called 'trigger' laws prepared with the possibility of the case being overturned in mind. Clinics in other states have paused services to assess the changing legal landscape.

Approximately half of US states are expected to tighten abortion rules, whereas others including California, Oregon, and Washington have vowed to protect abortion access.

Amnesty International has called the decision a "grim milestone" in the history of the United States, with individuals "now facing a future where they will not be able to make deeply personal choices that affect their bodies, their future, and the well-being of their families."

There is concern that in the aftermath of Roe v. Wade, other landmark cases may be scrutinized involving issues including the right to contraception and same-sex marriage. Furthermore, there is the worry that other countries may follow suit and reexamine their abortion laws.

Technology in the medical sector

Wearable health tech, hospital robots, and telehealth appointments with healthcare providers all have become commonplace. As we've seen during the pandemic, technology can be of great benefit to overstretched medical professionals, and we can use mobile technology, too, on a personal level -- to track our activities, sleeping patterns, and more.

Millions of people with periods worldwide use menstruation tracking apps to track and monitor their monthly cycles, and the overarching "femtech" market is estimated to be worth roughly $49 billion by 2025.

What do period tracking apps do?

Menstruation apps log user input related to menstrual cycles over several months to predict when their next one is due.

These apps can also be used to record changes in flow, detect cycle irregularities, predict likely fertility windows, log symptoms such as mood swings and cramps, and record sexual activities.

Some apps focus on users attempting to become pregnant. Others offer general health and lifestyle advice. Some can quietly connect users to healthcare providers if they have questions or concerns.

Period tracking apps can be particularly useful for users entering puberty and for those with irregular cycles. However, they should not be used as a form of birth control and, as people with periods know all too well, accurately predicting your next cycle start date is far from an exact science.

Which are the most popular period trackers?

In the Android and iOS mobile ecosystems, some of the most popular menstruation trackers are Flo, Clue, Stardust, Glow, MagicGirl, and Natural Cycles.

What do period tracker apps have to do with the US Supreme Court?

There are several emerging issues connecting the two. Period, fertility, and sexual activity trackers, by design, have to collect personal and intimate information from their users, which is stored and analyzed over time.

Users can then tap into their record for next-cycle estimates, the days they may be most fertile, and to find out if they are likely to be pregnant.

In a post-Roe world, and if a large number of US states choose to clamp down on abortion services, data from these apps could be used in prosecutions.

Online information and digital records can make or break a criminal case. This can include social networking posts, email records, conversations, location (GPS) data, and user data collected by personal health mobile apps.

Keep in mind that such evidence may be flimsy, at best, considering how inaccurate these trackers can be. Should a user, for example, cross state lines to have a procedure done and their location or cycle records are known, investigators would need to prove beyond a reasonable doubt that the individual broke the law.

However, information obtained from reproductive health and monitoring apps could, in theory, be used to build up a case.

Prosecutors could combine data from a period tracker app indicating a potential pregnancy with movement across a state line gathered from GPS and phone signal data, and payment records, for example.

The Electronic Frontier Foundation puts it thus:


"Service providers can expect a raft of subpoenas and warrants seeking user data that could be employed to prosecute abortion seekers, providers, and helpers.

They can also expect pressure to aggressively police the use of their services to provide information that may be classified in many states as facilitating a crime."


The case for criminality

If seeking an abortion becomes a criminal act in some states, then how app providers secure and manage user data has to become a priority -- not just in terms of transparency, but what future legal US mandates may require.

User data that is fed through third-party infrastructure providers, for example, could become subject to warrants or subpoenas in criminal investigations if individuals are suspected of being pregnant or of illegally seeking a termination. In addition, app providers themselves may be subject to user data requests or demands if the information they hold isn't legally protected.

As noted by Slate, the data held by period trackers might not have any intrinsic value to government agencies or investigators, but now Roe v. Wade is dissolved, these records could be used as evidence in a prosecution in the future.

While the state of Louisiana has withdrawn a bill treating abortions as homicides and the current governing body's attempt at implementing a trigger law on abortion has been temporarily blocked, we are yet to see how states, on the whole, manage the new legal landscape and how far criminality will enter the equation for both abortion healthcare providers and their patients in 'unsafe' states.

If this is the future, other data sets gathered by these apps -- such as smoking habits and alcohol intake, as Slate reports -- could also be of interest to prosecutors.

Isn't this being overblown?


Not necessarily.


It wasn't so long ago that whistleblower Edward Snowden landed the US National Security Agency (NSA) in hot water over its mass digital surveillance programs.

Last year, Flo drew the ire of the US Federal Trade Commission (FTC) for allegedly misleading users by "sharing the health information of users with outside data analytics providers." In response, Flo said:

We understand that our users place trust in our technology to keep their sensitive information private and the responsibility we have to provide a safe and secure platform for them to use [...] Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us.

In a 2020 study conducted by Privacy International, the civil rights group found that menstruation apps stored a "dizzying" amount of data on their users. For example, after requesting a copy of their information under GDPR, out of five apps surveyed, only two provided records -- and these revealed data concerning menstruation, their sexual lives, diseases, orgasm rates, masturbation habits, medication intake, and how many children they have, and more.

According to Privacy International, some of this information was shared with third parties. (It should be noted that some of the apps have reviewed their data policies since the report went live.)

Published on June 29, a new study conducted by Atlas VPN examines how apps dedicated to women's health, including pregnancy or period trackers, "heavily collect sensitive data and share it with third parties."

After conducting an analysis of Android and iOS apps, Atlas VPN found that many apps contain trackers which send data to third parties, require a large number of permissions, and -- in some cases -- even ask permission from users to access their search histories and contact information.

The issue is that some period tracking apps may have vague data protection policies. These apps may share information -- unaware that it could be used against its users -- or may outright sell information to third parties.

"Americans lack fundamental privacy protections. Post-Roe makes that tragically clear. For many women, post-Roe privacy is more urgent. But privacy is even more important for ALL of us now," Neff says, adding:

Pay attention to your apps. They are an easy target, and they affect many of us. What are their data policies? How are companies protecting their users? What are their data retention policies? What do app companies do with law enforcement subpoenas?.

Data management: The US vs. Europe

How mobile app developers, across every sector, handle data is often questionable and is not necessarily protected under laws such as the EU's GDPR.

The EU's General Data Protection Regulation (GDPR) requires organizations in the bloc to adhere to basic data protection standards, only hold "necessary" user information, and submit to strict rules depending on whether they are processors or controllers.

When it comes to medical information, this is defined as "physical or mental health of an individual, including the provision of health care services, which reveals information about their health status." Some period trackers may be protected under GDPR, and in general, medical data can be exempt from disclosure when a data request is made if being compliant is "likely to cause serious harm to the physical or mental health of any individual."

GDPR-bound apps may offer more protection, but this isn't guaranteed.

Even if an EU-based app does not comply with US data requests, that data is still up for grabs if law enforcement obtains your device.

Furthermore, as Roe v. Wade highlighted, existing laws can change at any time. While a company may not be compelled today to hand over your personal information, this does not mean they won't be in the future.


The US' HIPAA laws, too, do not necessarily apply to the information gathered by period tracker apps as the law only deals with Protected Health Information (PHI). PHI is defined as "individually identifiable health information that is transmitted or maintained in electronic, written, or oral form," but unless an app connects to healthcare providers for medical monitoring, it is unlikely to be HIPAA-compliant.

Many period trackers also deal with lifestyle-based information and as these datasets are not inherently focused on health, these datasets would not be protected as PHI.

The developers of apps under GDPR are required to clearly lay out how information is managed and used in privacy policies, and these should be checked if you choose to use a period tracker.

However, as Privacy International found in a 2019 study, developers can still fall short of GDPR and other data protection standards.

In other words, whether or not an app is said to be HIPAA/GDPR-compliant, in real-world scenarios there is no cast-iron guarantee your data is safe -- unless, for example, it is encrypted and stored locally on your device, and so developers themselves have no access rights.

What can period tracking app vendors do?

As the EFF says: "If you build it, they will come -- so don't build it, don't keep it, dismantle what you can, and keep it secure."

The non-profit has published a list of recommendations for period trackers, women's health, and healthcare service provider app developers to follow:Allow users pseudonymous access, so you don't even know their names
Do not track the behavior of your users, and if this must happen, make it opt-in and clear there may be ramifications
Check data retention policies and ask yourself: do we need to collect all this data, and for so long?
Delete logs regularly
Encrypt data in transit
Enable end-to-end encryption by default
Do not allow your apps to become location broker havens
Do not share user data, but if you must, only with trusted and vetted partners – and make this clear to users
Consider interoperability with third parties if they can provide the security for users that you cannot


Every time Mozilla releases its Privacy Not Included guide, we find that apps providing sensitive services, including health apps, are lax or fail spectacularly at security. It's not just about an app provider's intentions; you also need to assess the vendor's technical expertise and understanding of cybersecurity.

"Privately-owned user data cannot be protected from state-mandated legal action," commented Issy Towell, Wearables Analyst at CCS Insight. "Unless that changes, it is the responsibility of apps to demonstrate a genuine duty of care for users by rethinking the kind of data it collects on them."

There may be some apps out there that are more secure than others, where data is protected due to where it is stored and the legal requirements in that area.

For example, Natural Cycles, while FDA-cleared, stores its data in Europe and is, therefore, subject to GDPR requirements. Furthermore, the app's developers told us that data is encrypted both in transit and at rest, and "we have never -- and never will -- sell user data."

Prior to the ruling, Natural Cycles told ZDNet:

Natural Cycles is not a covered entity by HIPAA, not by choice, but because we do not handle medical electronic records. It is important to note, however, that HIPAA is not the only data safeguard. As potential legislation changes arise, we remain focused on being a company committed to doing the right thing for our users vs. relying on specific laws that are subject to change.

We're closely monitoring the ongoing situation with legal counsel to make sure that no matter the outcome, we will achieve our goal of remaining regulatory compliant as a medical device, while never turning over personal, sensitive data. We will be evolving our privacy policy to make sure our users are protected against unimaginable potential legal situations.

On June 24, the company's chief executive, Elina Berglund Scherwitzl said that an anonymization feature was being developed to mask user identities.

Flo also says it will never sell personal data and is following suit with an upcoming "anonymous mode."

Glow said that "doing anything that violates their [user] trust would go against our core values, we'll always do our very best to get things right and serve our users well," but beyond this boilerplate statement, has not announced any concrete changes to its product.

On June 26, the iOS Stardust menstruation tracking app said it was working "around the clock" to improve user privacy. Stardust says that there is an "encrypted wall" separating user PII and activities and they are working on a no-account and no-PII signup option. However, without a transparent, public, and external audit conducted by a reputable cybersecurity expert, the mention of encryption is not necessarily enough.

Clue is based in Berlin. On June 25, the organization said it would not respond to any subpoena requests made by US authorities and emphasized that it is EU duty-bound not to disclose private health data.

"As a European company, Clue is obliged under European Union law (GDPR) to apply special protections to our users' reproductive health data," the company says. "We will not disclose it. We will stand up for our users [...] We repeat: we would not respond to any disclosure request or attempted subpoena of our users' health data by US authorities. But we would let you and the world know if they tried."

Should I delete my period tracking app?
Yes.

(Author's note: This is my personal recommendation.)


It's an opinion to raise the ire of menstruation app developers, but in the interests of future safety, those with periods in the US should delete these apps from their mobile devices: no exceptions.

Technology is meant to make our lives easier, but the convenience of menstruation tracker apps is now not worth the potential risk to users in light of Roe v. Wade.

You cannot be 100% sure that the period tracker you use is protected legally from data demands and won't be subject to current or future legislative changes that could force the developers to hand over your sensitive data.

It might go against the grain to reject technology in 2022 and go back to pen and paper. If you're not willing to do so, at least go for an open source and auditable option such as drip, a menstrual cycle & fertility tracking app which stores information locally on your device. (This is available on Android but an iOS version is in the works.)

Close off as many channels for law enforcement or government bodies to obtain data on your cycles, fertility, or any signs of pregnancy in the future, especially if you live in a state considered 'unsafe.'

The data you generate to monitor your cycle, activities, sexual activity, and lifestyle habits, in some states, could one day become a weapon against you. If the constitutional right to this procedure has now been dissolved, we can't know just how far some states will go to either prevent those seeking an abortion from succeeding or how prosecutions will come into play.

It is up to period tracker software providers to examine the data they hold, for how long, and how best to protect their users. However, while some are now promising immediate privacy upgrades and future anonymization modes to salvage their user bases, these apps can still leak data -- whether accidentally or when installed on a mobile device in the hands of an investigator -- and you should still consider them unsafe.

Delete them, and do so now.

How else can I track my menstrual cycle?

The most secure option is the old-fashioned way -- pen and paper.

We may eventually see changes in app functionality, too. Issy Towell, Wearables Analyst at CCS Insight told us that some apps with users in regions impacted by Roe v. Wade could "help users avoid stating an intention to avoid pregnancy, [but] this will come at the expense of the overall app functionality and experience."

"At the very least, if brands want to maintain the trust of users they will need to clearly communicate the potential legal implications of using their app to users," Towell added. "Unless reproductive rights are protected at the federal level, females will be forced to sacrifice personalized period prediction algorithms for the family-planning method that women have been using for centuries -- pen, paper, and a calendar."

No comments:

Post a Comment