As the battle over abortion continues in the United States, concerns have been raised over period tracking apps’ data practices and security.
You should stop using them, or at the least, only use a service with stringent data protection and encryption — and this is why.
What is Roe v. Wade?
For those unfamiliar with the current upheaval in the US, the 1973 Roe v. Wade case, brought forward against state laws restricting abortion, was a landmark ruling that effectively legalized the procedure in the US.
However, different US states still take varied views on abortion and when it is permissible.
Earlier this month, reports surfaced of a leaked draft majority opinion showing the US Supreme Court is likely set to overturn Roe v. Wade. The draft also cites a 1992 decision that further cemented the constitutional right to abortion services.
According to the Associated Press, Senate Democrats have tried to move quickly and enshrine the 50-year-old ruling into law through new legislation, which, if passed, would have made abortion rights far harder to overturn.
However, the proposed bill has been blocked.
A final ruling is reportedly expected within months. If Roe v. Wade is overturned, the non-profit Guttmacher Institute suggests that at least 26 US states, including Texas, Alabama, and Louisiana, may be poised to trigger abortion bans or at least impose a minimal time frame for terminations.
Technology in the medical sector
Wearable health tech, hospital robots, and telehealth appointments with healthcare providers all have become commonplace. As we’ve seen during the pandemic, technology can be of great benefit to overstretched medical professionals, and we can use mobile technology, too, on a personal level — to track our activities, sleeping patterns, and more.
Millions of people with periods worldwide use menstruation tracking apps to track and monitor their monthly cycles, and the overarching “femtech” market is estimated to be worth roughly $49 billion by 2025.
What do period tracking apps do?
Menstruation apps log user input related to menstrual cycles over several months to predict when the user’s next period is due.
These apps can also be used to record changes in flow, predict likely fertility windows, log symptoms such as mood swings and cramps, and record sexual activities.
Some apps focus on users attempting to become pregnant. Others offer general health and lifestyle advice. Some can quietly connect users to healthcare providers if they have questions or concerns.
Period tracking apps can be particularly useful for users entering puberty and for those with irregular cycles. However, they should not be used as a form of birth control and, as people with periods know all too well, accurately predicting your next cycle start date is far from an exact science.
Which are the most popular period trackers?
In the Android and iOS mobile ecosystems, some of the most popular menstruation trackers are Flo, Clue, Glow, MagicGirl, and Natural Cycles.
What do period tracker apps have to do with the US Supreme Court?
There are several emerging issues connecting the two. Period, fertility, and sexual activity trackers, by design, have to collect intimate information from their users, which is often stored and analyzed over time.
Users can then tap into their record for next-cycle estimates, the days they may be most fertile, and to find out if they are likely to be pregnant.
In a post-Roe world, and if some US states do choose to write their own laws surrounding terminations, data from these apps could be used to prosecute people.
Online information and digital records can make or break a criminal prosecution. This can include social networking posts, email records, conversations, location (GPS) data, and the user data collected by personal health mobile apps.
Keep in mind that such evidence may be flimsy, at best, considering how inaccurate these trackers can be. Should a user, for example, cross state lines to have a procedure done, and should their location or cycle records be known, investigators would still need to prove beyond a reasonable doubt that the individual broke the law.
However, information obtained from reproductive health and monitoring apps could, in theory, be used to build up a case.
The Electronic Frontier Foundation puts it thus:
“Service providers can expect a raft of subpoenas and warrants seeking user data that could be employed to prosecute abortion seekers, providers, and helpers.
They can also expect pressure to aggressively police the use of their services to provide information that may be classified in many states as facilitating a crime.”
The case for criminality
If seeking an abortion becomes a criminal act in some states, then how app providers secure and manage user data has to become a priority — not just in terms of transparency, but what future legal US mandates may require.
User data that is fed through third-party infrastructure providers, for example, could become subject to warrants or subpoenas in criminal investigations if individuals are suspected of being pregnant or of seeking a termination. In addition, app providers themselves may be subject to user data requests or demands if the information they hold isn’t legally protected.
As noted by Slate, the data held by period trackers might not have any intrinsic value now to government agencies or investigators, but if Roe v. Wade is overturned, these records could be used as evidence in a prosecution.
The state of Louisiana is already considering treating abortions as homicides. Perhaps some states will follow the example of El Salvador, which recently prosecuted a woman for homicide after she suffered a miscarriage.
If this is the future, other data sets gathered by these apps — such as smoking habits and alcohol intake, as Slate reports — could also be of interest to prosecutors.
Isn’t this being overblown?
Not necessarily.
It wasn’t so long ago that whistleblower Edward Snowden landed the US National Security Agency (NSA) in hot water over its mass digital surveillance programs.
Last year, Flo drew the ire of the US Federal Trade Commission (FTC) for allegedly misleading users by “sharing the health information of users with outside data analytics providers.” In response, Flo said:
We understand that our users place trust in our technology to keep their sensitive information private and the responsibility we have to provide a safe and secure platform for them to use […] Our agreement with the FTC is not an admission of any wrongdoing. Rather, it is a settlement to avoid the time and expense of litigation and enables us to decisively put this matter behind us.
In a 2020 study conducted by Privacy International, the civil rights group found that menstruation apps stored a “dizzying” amount of data on their users. For example, after the group requested a copy of its information under GDPR, only two of the five apps surveyed provided records — and these revealed data concerning menstruation, sexual lives, diseases, orgasm rates, masturbation habits, medication intake, how many children the user has, and more.
According to Privacy International, some of this information was shared with third parties. (It should be noted that some of the apps have reviewed their data policies since the report went live.)
The issue is that some period tracking apps may have vague data protection policies, may share information — unaware that it could be used against their users — or may outright sell information to third parties.
If an investigator can’t secure a warrant or subpoena to demand this data, they could buy it instead, if they knew where to look.
You need only look to Texas and the so-called Heartbeat Bill, which allows citizens to effectively become bounty hunters by suing anyone who assists an individual in receiving an abortion for up to $10,000, to understand that there may also be some people out there who would try to purchase this information to line their pockets.
Data management: The US vs. Europe
How mobile app developers across every sector handle data is often questionable, and that data is not necessarily protected under laws such as the EU’s GDPR.
The EU’s General Data Protection Regulation (GDPR) requires organizations in the bloc to adhere to basic data protection standards, only hold “necessary” user information, and submit to strict rules depending on whether they are processors or controllers.
Under GDPR, health data is defined as data concerning the “physical or mental health of an individual, including the provision of health care services, which reveals information about their health status.” Some period trackers may be protected under GDPR, and in general, medical data can be exempt from disclosure when a data request is made if complying is “likely to cause serious harm to the physical or mental health of any individual.”
Clue told Slate that it is “obligated under European Law (GDPR) to apply special protections to our users’ reproductive health data.”
GDPR-bound apps may offer more protection, but this isn’t guaranteed. Apps in the EU may not be exempt from subpoenas, and future US laws could be proposed that force EU firms to hand over data (think the Patriot Act).
The US’ HIPAA rules, too, do not necessarily apply to the information gathered by period tracker apps, as the law only deals with Protected Health Information (PHI). PHI is defined as “individually identifiable health information that is transmitted or maintained in electronic, written, or oral form,” but unless an app connects to healthcare providers for medical monitoring, it is unlikely to fall under HIPAA at all.
Many period trackers also collect lifestyle-based information, and as these datasets are not inherently focused on health, they would not be protected as PHI.
The developers of apps under GDPR are required to clearly lay out how information is managed and used in privacy policies, and these should be checked if you choose to use a period tracker.
However, as Privacy International found in a 2019 study, developers can still fall short of GDPR and other data protection standards.
In other words, whether or not an app is said to be HIPAA/GDPR-compliant, in real-world scenarios there is no cast-iron guarantee your data is safe — unless, for example, it is encrypted and stored locally on your device, so that the developers themselves have no way to access it.
What can period tracking app vendors do?
As the EFF says: “If you build it, they will come — so don’t build it, don’t keep it, dismantle what you can, and keep it secure.”
The non-profit has published a list of recommendations for period trackers, women’s health, and healthcare service provider app developers to follow:
- Allow users pseudonymous access, so you don’t even know their names
- Do not track the behavior of your users, and if this must happen, make it opt-in and clear there may be ramifications
- Check data retention policies and ask yourself: do we need to collect all this data, and for so long?
- Delete logs regularly
- Encrypt data in transit
- Enable end-to-end encryption by default
- Do not allow your apps to become location broker havens
- Do not share user data, but if you must, only with trusted and vetted partners – and make this clear to users
- Consider interoperability with third parties if they can provide the security for users that you cannot
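Several of these points (records that carry no name, collecting only the fields prediction needs, a short retention window, and local encryption under a key the vendor never holds) can be sketched in a small stdlib-only Python example. This is an added illustration, not code from the EFF or from any app named in this article; its HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag is a stand-in for a vetted AEAD such as AES-GCM, which production code should take from a maintained cryptography library, and the field names, retention period and sample records are constructed assumptions.

```python
import hashlib, hmac, json, secrets
from datetime import date, timedelta

RETENTION_DAYS = 365               # keep only what prediction needs ("for so long?")
ALLOWED_FIELDS = {"start", "end"}  # no names, locations, partners or free-text notes

def derive_keys(passphrase, salt):  # passphrase stays on the device; the vendor never sees it
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]         # separate encryption key and MAC key

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode, a stand-in for AES-GCM (see lead-in), not a new cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt_log(entries, passphrase):
    """Encrypt-then-MAC; output layout is salt | nonce | ciphertext | tag."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    plain = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(enc_key, nonce, len(plain))))
    return salt + nonce + ct + hmac.new(mac_key, salt + nonce + ct, "sha256").digest()

def decrypt_log(blob, passphrase):
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    if not hmac.compare_digest(tag, hmac.new(mac_key, salt + nonce + ct, "sha256").digest()):
        raise ValueError("wrong passphrase or tampered record")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))))

def minimize(entry):
    """Drop every field outside the two dates a cycle predictor actually needs."""
    return {k: v for k, v in entry.items() if k in ALLOWED_FIELDS}

def purge(entries, today):
    """Retention: discard cycles older than RETENTION_DAYS (ISO dates sort lexically)."""
    cutoff = (today - timedelta(days=RETENTION_DAYS)).isoformat()
    return [e for e in entries if e["start"] >= cutoff]

def demo():
    # Constructed sample input; "location" and "note" stand for over-collected fields.
    raw = [{"start": "2021-01-10", "end": "2021-01-14", "location": "Austin, TX"},
           {"start": "2022-04-01", "end": "2022-04-05", "note": "trying to conceive"}]
    kept = purge([minimize(e) for e in raw], date(2022, 5, 20))
    blob = encrypt_log(kept, "device-local passphrase")  # this blob is all that is stored
    return decrypt_log(blob, "device-local passphrase")
```

Only the encrypted blob ever touches storage, so a server that merely syncs it learns nothing without the device-held passphrase, and a retention purge before encryption keeps old cycles from being preserved at all.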
Every time Mozilla releases its Privacy Not Included guide, we find that apps providing sensitive services, including health apps, are lax or fail spectacularly at security. It’s not just about an app provider’s intentions; you also need to assess the vendor’s technical expertise and understanding of cybersecurity.
“Privately-owned user data cannot be protected from state-mandated legal action,” commented Issy Towell, Wearables Analyst at CCS Insight. “Unless that changes, it is the responsibility of apps to demonstrate a genuine duty of care for users by rethinking the kind of data it collects on them.”
There may be some apps out there that are more secure than others, where data is protected due to where it is stored and the legal requirements in that area.
For example, Natural Cycles, while FDA-cleared, stores its data in Europe and is, therefore, subject to GDPR requirements. Furthermore, the app’s developers told us that data is encrypted both in transit and at rest, and “we have never — and never will — sell user data.”
Natural Cycles told ZDNet:
“Natural Cycles is not a covered entity by HIPAA, not by choice, but because we do not handle medical electronic records. It is important to note, however, that HIPAA is not the only data safeguard. As potential legislation changes arise, we remain focused on being a company committed to doing the right thing for our users vs. relying on specific laws that are subject to change.
We’re closely monitoring the ongoing situation with legal counsel to make sure that no matter the outcome, we will achieve our goal of remaining regulatory compliant as a medical device, while never turning over personal, sensitive data. We will be evolving our privacy policy to make sure our users are protected against unimaginable potential legal situations.”
Should I delete my period tracking app?
Yes.
(Author’s note: This is my personal recommendation.)
It may not be a popular opinion, and it’s certainly one that will raise the ire of some developers, but in the interests of future safety, those with periods in the US should delete these apps from their mobile devices.
The convenience is simply not worth the risk of your data being used against you — not unless you are 100% sure that the period tracker you use is protected from laws outside the US and won’t be subject to future legislative changes that could force the developers to hand over your sensitive data. Either that or records held in the app cannot be connected to your name or identifying information.
There are rallies and protests, certainly, but one thing many of us can do is to take control of our data privacy in small, marginal ways. Close off as many channels for law enforcement or government bodies to obtain data on your cycles, fertility, or any signs of pregnancy in the future, especially if you live in a state most likely to trigger a bill when (or if) Roe v. Wade is overturned.
The data you generate to monitor your cycle, activities, sexual activity, and lifestyle habits, in some states, could become a weapon against you.
It is up to period tracker software providers to examine the data they hold, for how long, and how best to protect their users.
How else can I track my menstrual cycle?
The most secure option is the old-fashioned way — pen and paper.
We may eventually see changes in app functionality, too. Towell believes that some apps with users in regions impacted by Roe v. Wade could “help users avoid stating an intention to avoid pregnancy, [but] this will come at the expense of the overall app functionality and experience.”
“At the very least, if brands want to maintain the trust of users they will need to clearly communicate the potential legal implications of using their app to users,” Towell added. “Unless reproductive rights are protected at the federal level, females will be forced to sacrifice personalized period prediction algorithms for the family-planning method that women have been using for centuries — pen, paper, and a calendar.”