Privacy Experts Warn Data From Period-Tracking Apps May Soon Be Used Against You

It’s estimated that millions of people in the U.S. use period-tracking apps to plan ahead, track when they are ovulating, and monitor other health effects. These apps can be used to help you know when your period is over.

After PoliticoPublished May 2, 2009. a draft opinionThe Supreme Court has indicated that Roe v. WadePeople took to social media to express their concern that the landmark decision, which guarantees constitutional rights to abortion, would be overturned. They were expressing concerns about the privacy of this information — especially for people who live in states with strict limits on abortion — and how it might be used against them.

Many users have recommended it. immediately deletingAll personal data from period-tracking applications.

“If you are using an online period tracker or tracking your cycles through your phone, get off it and delete your data,” activist and attorney Elizabeth McLaughlin said in a viral tweet. “Now.”

Eva Galperin, a cybersecurity expert and entrepreneur, is similarly impressed. said the data could “be used to prosecute you if you ever choose to have an abortion.”

That got us wondering — are these concerns warranted, and should people who use period-tracking apps delete the data or the app completely from their phones? We asked experts.

Is Your Period-Tracking App Data Shared?

Privacy policies — specifically, whether the apps sell information to data brokers, use the data for advertising, share it for research, or keep it solely within the app — vary substantially among companies.

“Does it encrypt? What’s its business model?” said Lucia Savage, chief privacy and regulatory officer for Omada Health, a digital therapeutics company. “If you can’t find terms of service or a privacy policy, don’t use that app.”

HIPAA does not cover period-tracking apps. However, if the company is billing health care services, it may be covered. Still, HIPAA doesn’t prevent the company from sharing de-identified data. If the app is free — and the company is monetizing the data — then “you are the product” and HIPAA does not apply, Savage said.

A 2019 study published in the BMJ found that 79% of health apps available through the Google Play store regularly shared user data and were “far from transparent.”

When it comes to marketing, a pregnant person’s data is particularly of high value and can be hard to hide from the barrage of cookies and bots. Some period-tracking applications, which often request information about health in addition to menstrual cycle details and menstrual cycle details for their users, also take part in the wider internet data economy.

“The data can be sold to third parties, such as big tech companies; or to insurance companies, where it could then be used to make targeting decisions, such as whether to sell you a life insurance policy, or how much your premium should be,” said Giulia De Togni, a researcher in health and artificial intelligence at the University of Edinburgh, Scotland.

Flo Health, based in London, is the company’s headquarters. settled with the Federal Trade Commission last yearAfter promising privacy, the company was accused of sharing user’s health data using its fertility-tracking application with outside data analysis companies such as Google and Facebook.

Ovia Health, 2019 drew criticism for sharing data — though de-identified and aggregated — with employers, who could purchase the period- and pregnancy-tracking app as a health benefit for their workers. This type of data-sharing is only available to employees who have opted in for the employer-sponsored version.

Ovia’s roughly 10,000-word privacy policyDetails how the company may share, sell, or trade de-identified data about health. Tracking technologies are used to advertise and analyze on the free, direct-to consumer version.

European residents require that European companies comply with stricter requirements General Data Protection RegulationThis gives the consumer data ownership and requires consent to collect and process personal data. Consumers have the right to have their online information deleted.

Companies have the option to extend those rights to U.S. residents by modifying their privacy policies or terms of service. If they do so, the FTC can then hold the companies accountable for those commitments, said Deven McGraw, Invitae’s head of data stewardship and the former deputy director for health information privacy at the Department of Health and Human Services Office for Civil Rights.

Perigee, a Swedish company, owns Cycles, a period-tracking application. The company assures its users that it does no advertising or sell data to third parties. According to Raneal Engineer, subscriptions are the only way it makes money.

Clue, an app for health that was developed by a Berlin-based company, has been a popular choice for customers who are worried. “We completely understand this anxiety, and we want to reassure you that your health data, particularly any data you track in Clue about pregnancies, pregnancy loss or abortion, is kept private and safe,” Clue co-CEO Carrie Walter said in an emailed statement.

Some states, such California Virginia, have state-level laws which give users ownership of their information and allow them to decide if it is sold.

Data brokers may also trade in information such as location-tracking data about Planned Parenthood visits. This could potentially be sold to law enforcement officials or government officials. SafeGraph announced earlier this month that it would no longer sell cellphone-tracking data mapping the movements and destinations of Planned Parenthood guests, including how long they stayed and their subsequent travels. Vice reported buying a week’s worth of data for $160.

Also of concern is a company’s level of data security, and how susceptible it is to a breach. “Hacking is criminal, there’s no question about it,” Savage said. “But once it’s hacked, information can be released.”

Could this data be used in a criminal prosecution?

The short answer is yes.

“It’s almost surreal that in some states using a period app could get you into trouble,” said McGraw. “But if an abortion is a crime, it could be accessed in building a case against you.”

It depends on where you live. However, there are no federal privacy protections. The legislation was introduced by Sen. Ron Wyden (D-Ore.) last year. Fourth Amendment Is Not For Sale ActThe legislation would prohibit data brokers selling personal information to intelligence agencies or law enforcement agencies without court oversight. The legislation has not yet been voted on.

Wyden told KHN he was “absolutely” worried about the chance that people who seek an abortion could be incriminated by their phone data.

“It is really an ominous prospect of women having their personal data weaponized against them,” said Wyden. “These big data outfits,” he said, “gotta decide — are they going to protect the privacy of women who do business with them? Or are they basically going to sell out to the highest bidder?”

If a federal law is not in force, it can be difficult to resist a court-ordered subpoena from law enforcement.

“Given the breadth of surveillance laws in the U.S., if a company collects and keeps information, that information is susceptible to being compelled by law enforcement,” said Amie StepanovichThe Future of Privacy Forum’s vice president of U.S. policies is a privacy lawyer. “They don’t necessarily have the ability to legally keep that information from law enforcement once the proper process has been undertaken.”

Even states with strict abortion laws, much depends on how they are structured. Last month, for instance, a murder charge against a Texas woman for a “self-induced abortion” was dismissedAfter the district attorney ruled it was not in violation of state law, it is now criminalized for providers performing abortions and not patients.

If Roe v. Wade is struck down, 14 states have so-called trigger laws that would automatically go into effect and ban abortion outright or after set windows of time — for instance, six weeks or 15 weeks, according to a KFF analysis.

“It’s really complicated under the hood, but I don’t think people should blindly assume their data is safe from legal process,” Savage said. It can depend on the company’s approach to subpoenas, she added. Some will fight them and others will not.

Apple is a great example. repeatedly resistedUnlocking iPhones for law enforcement in high profile cases such as the 2015 San Bernardino shooting. Data in Apple’s health app, which includes its period tracker, is “encrypted and inaccessible by default,” according to the company’s privacy policy. All the health data in the app is kept on a person’s phone, not stored on servers. But at the same time, Savage said, people who are in low-income communities don’t always have an iPhone because it is an expensive piece of equipment.

Ovia’s privacy policy says the company may give data to law enforcement if required by law or subpoena. The company, however, said in a statement that it has “never provided Ovia user data to any government, nor have we ever received any government requests for access to Ovia user data.” There is also an option in Ovia’s account settings to delete account data “entirely and permanently.”

Despite the GDRP safeguards, period trackers based within Europe can still face subpoenas. Lee Tien, a Senior Staff Attorney at the Electronic Frontier Foundation.

“Even [European Union] companies are subject to the U.S. legal process, though it would take longer,” said Tien. “The U.S. has mutual legal treaties with other countries, including E.U. countries, and law enforcement knows how to exchange information.”

Is this the first time that this type of information has been used by law enforcement or public officials?

In the past, officials who held anti-abortion views used period-tracking data. Dr. Randall Williams, former Missouri state health director, obtained the following: a spreadsheetTracking the menstrual periods and visits to Planned Parenthood by women to help identify those who have had an abortion that did not terminate their pregnancy.

Scott Lloyd, a former refugee resettlement chief who was also an anti-abortion activist, admitted to doing so during the Trump administration. keeping track of the menstrual cycles of teen migrantsIn an effort to prevent them from having abortions.

“We are now thinking of period trackers the way we’ve been thinking of facial recognition software for years,” Savage said.

Do You Need to Delete Your Period-Tracking Application?

Experts said it’s unlikely that a period-tracking app would be the sole piece of evidence used if someone were building a case against you for seeking an abortion.

“Frankly, I think if law enforcement or a civil investigator were trying to figure out who is having an abortion, there are probably several other venues that are more realistic or more immediately useful,” said Stepanovich. “They would likely get a dump of information for the relevant data,” she continued, “such as trying to get the location information of everyone that got dropped off close to an abortion center, which is a much smaller set of data, or getting people who called abortion hotlines at certain times.”

Stepanovich stated that anyone using a smartphone that has any app on it, there is a chance that data could be accessed and used in criminal or civil proceedings. Bottom line: You can avoid any risk by not using a smartphone.

But McGraw took a more cautious approach: “If I lived in a state where I thought that data might end up in the hands of law enforcement, I wouldn’t track [my period] at all.”

Period-tracking app users should be aware that they are taking a risk with their lives, but also consider the benefits it offers.

“You have to think about what you need in terms of period tracking,” said Tien. “You have to weigh and ask yourself, ‘How much does this convenience really matter to me?’”

KHN (Kaiser Health News)This national newsroom produces in-depth journalism on health issues. In conjunction with Policy Analysis and Polling KHNThis is one of three major operating programs. KFF(Kaiser Family Foundation). KFF is an endowed, nonprofit organization that provides information on health issues for the nation.

SubscribeTo KHN’s Free Morning Briefing