All Eyes on my Period? Period tracking apps and the future of privacy in a post-Roe world
Privacy International investigated eight of the most popular period-tracking apps to analyse how they function and process users’ reproductive health data. Their findings raised concerns for users’ privacy, given the sensitive nature of the health data involved. These findings come within the context of the global rollback of reproductive rights and fears over law enforcement forcing apps to hand over data.
Implications of a global rollback of reproductive rights for our sensitive health data on digital tools
Many menstruating individuals use period-tracking apps as a convenient digital tool to manage and track their menstruation and correlating symptoms. However, since the overturning of Roe v. Wade, we’ve seen a global rollback of reproductive rights which has put sexual and reproductive health data in a more precarious position than ever before. Additionally, there have been numerous examples of law enforcement using people’s online data for investigation purposes, such as US law enforcement using Facebook chat logs to prosecute an abortion-seeker in Nebraska, or UK law enforcement reportedly obtaining a woman’s Google search history and sentencing her for taking abortion pills beyond the legal limit. As a result, some users are outright deleting their period-tracking apps over privacy fears.
Alongside changes in the political landscape over the past several years, we have also seen technological changes, such as the expansion of cloud-based services and the AI industry, and, with data protection and privacy regulations, increased expectations for user privacy protection. With all of these developments in mind, EDRi member Privacy International (PI) undertook a technical investigation into how period-tracking apps are handling user data and the implications of this for users’ privacy.
Findings of PI’s latest research on period-tracking apps: Better than before, but crucial issues remain
In 2019, PI’s research on period-tracking apps exposed serious concerns about the apps’ compliance with GDPR obligations, especially around consent and transparency. At that time, one app in particular was found to be sharing users’ information with Facebook.
In PI’s latest research, they did not find instances of users’ personal data about their menstruation cycle being sent to Facebook. However, in the web traffic of several apps that were investigated, they observed several categories of third parties that many apps were integrating for different purposes, such as advertising software development kits (SDKs) or application programming interfaces (APIs) to service certain app functionalities. These third parties often processed some degree of the user’s personal or device data. This poses risks around device fingerprinting, a practice which potentially makes a user identifiable.
The research also revealed different approaches to privacy from various apps. Some apps were configured to store user data locally on the device, rather than storing the data on servers managed by the developer and/or third parties. Another method was allowing users to use an app without creating an account, which helps to keep them potentially anonymous, as their input data may not be easily linked to their profile. However, certain other identifying information – like their device information and even unique account IDs assigned to the user – nonetheless established a form of unique identification that could potentially be traceable.
Overall, the various technical approaches that period-tracking apps use to service their platforms warrant scrutiny given the sensitive nature of the information during a politically volatile time.
In their full report, PI explore the various technical methods built into period tracking apps, such as integrating third party deployers and storing user data on servers, and raise crucial questions for the future of privacy in the femtech space.
What next? Higher standard of privacy protection on period-tracking apps
It is difficult to say what the future of privacy holds. Will period-tracking apps turn to more privacy-enhancing features and services with a privacy-forward mission due to public pressure, or will the payoffs (and ease) of exploiting users’ data be too lucrative for some apps to sacrifice?
When it comes to sexual and reproductive data, which is sensitive health data, and given the increasingly hostile environment for reproductive rights and the risks of this data being used against an individual, period tracking apps should be held to a higher standard of privacy protection. Users should not have to sacrifice privacy for period-tracking, nor should apps risk users’ data in a way that leaves them vulnerable to violations of their rights.
The current regulatory landscape must be prepared to enforce a more privacy-forward deployment of period tracking apps considering the shifting political tides that are putting women’s right to health at risk. PI’s report offers recommendations for app developers, regulators and users.
PI will continue to monitor and scrutinise the risks to privacy from some apps’ embedded practices, a risk further exacerbated due to the volatile legal landscape that is threatening people’s reproductive rights. On the basis of these findings, menstruation apps should be encouraged to give users complete and easy access to and control of their data. Moreover, extra scrutiny should be applied to these apps because they may process and collect highly sensitive health data that requires additional protections and safety measures.
Contribution by: EDRi member, Privacy International