Wednesday, March 06, 2024

 

Research exposes security, privacy and safety issues in female technology apps used to track fertility, menopause and monthly cycle


Peer-Reviewed Publication

NEWCASTLE UNIVERSITY





Academics are calling for regulatory action after their research highlighted security and privacy risks  in female-oriented technologies (FemTech), such as  period-tracker mobile apps, and fertility and menopause smart and connected devices.

Experts at Royal Holloway, University of London, Newcastle University, University of London and ETH Zurich, have identified significant security, privacy, and safety issues surrounding FemTech, which can pose a potential threat to users.

These threats include the apps accessing users’ personal contacts, camera, microphone, location and other personal data (e.g., medical scans), as well as system settings and other accounts that expose security and privacy risks.

These apps and IoT (Internet of Things) devices collect a wide range of data about users, their relatives (children, partner, family), their bodies and environments via embedded sensors.

The research showed that such practices can reveal very sensitive and intimate information about users (such as gender, fertility, and medical data) to third parties.

FemTech is a term applied to the collection of digital technologies focused on women’s health and wellbeing. FemTech includes applications, software and wearable devices, and can range from mobile period apps and fertility-tracking wearables to IVF services.

Publishing the findings in the journal Frontiers in the Internet of Things and Symposium on Usable Privacy and Security Workshop, the authors are calling on policymakers to explicitly acknowledge and accommodate the risks of these technologies in the relevant regulations.

The market is estimated to reach more than $75b by 2025. The devices and apps reviewed in this study include a breast smart pump, cycle and fertility trackers (such as bracelets and rings), a smart bottle, Kegel trainers, sex toys, menopause management solutions, a digital pill organiser, and general health trackers.

The research team reviewed the existing regulations related to FemTech in the UK, EU, and Switzerland to identify gaps in regulations, compliance practices of the industry and enforcements by running experiments on a range of FemTech smart devices, apps, and websites.

Their analysis of FemTech-related regulations shows they are inadequate in addressing the risks associated with these technologies. The EU and UK medical devices regulations don’t currently have any references to FemTech data and user protection. The GDPR and Swiss FADP have references to sensitive and special category data, which overlap with FemTech data. However, the industry practices include many non-complaint practices in data collection and sharing.

The study also focused on industry non-compliance. The team identified a range of inappropriate security and privacy practices in a subset of FemTech systems. The research shows that these systems do not brand as medical devices, do not present valid consent and do not give extra protection to sensitive data, and track users without consent.

The authors show that, not only is such intimate data collected by FemTech systems, but also this data is processed and sold to third parties.

The findings have exposed a lack of research and guidelines for developing cyber-secure, privacy-preserving and safe products.

Dr Maryam Mehrnezhad, lead author of the research and Senior Lecturer at Royal Holloway said: “We have identified multiple threat-actors interested in FemTech data such as fertility and sex information.

“We have been conducting security and privacy research on this topic since 2019. Apart from our system studies, our user studies also highlight that end-users are indeed concerned about their intimate and sensitive data being handled by FemTech products. We constantly share our research results with the industry and related regulatory bodies, such as the Information Commissioner's Office. We hope to see better collaborative efforts across the stakeholders to enable the citizens to use FemTech solutions to improve the quality of their lives without any risk and fear.”

Professor Mike Catt of Newcastle University, one of the study authors, added: “We urge regulatory bodies to update and strengthen guidelines to ensure the development and use of secure, private, and safe FemTech products.


“Many of the apps surveyed access mobile and device resources too. Some of these permissions are marked as dangerous, according to Google’s protection levels. Such access potentially exposes contacts, camera, microphone, location and other personal data. Some specific permissions, such as access to system Settings and other Accounts on the device, also impose security and privacy risks. Access to sensors on the mobile phone can also be used to break user privacy. Users deserve better protection, especially where this relates to sensitive personal health and gender data.”

This research was supported by the UKRI EPSRC PETRAS CyFer and AGENCY projects. These multi-disciplinary research teams are working with other stakeholders on the complex risks and harms of modern technologies such as FemTech to mitigate these risks and to design privacy-preserving, cyber-secure, and safe products which are inclusive.

Ends

Note to editors:

According to data from the German online platform, Statista, which specialises in data gathering, the FemTech market is worth almost $65 billion and is projected to grow to more than$100 billion in 2030. 

[1] Mehrnezhad, van der Merwe, Catt, Mind the FemTech Gap: Regulation Failings and Exploitative Systems, Journal of Frontiers in IoT, 2024, earlier version at: Privacy Engineering in Practice (PEP), Symposium on Usable Privacy and Security Workshop, USA, 2023

Open access link: https://pep23.com/assets/pdf/pep23-paper6.pdf

[2] Mehrnezhad, and Almeida. "" My sex-related data is more sensitive than my financial data and I want the same level of security and privacy": User Risk Perceptions and Protective Actions in Female-oriented Technologies." The European Symposium on Usable Security, ACM, Denmark, 2023

Open access link: https://dl.acm.org/doi/fullHtml/10.1145/3617072.3617100

No comments:

Post a Comment