Period Tracking Apps And Digital Privacy In A Post-Roe World
After the leak of the Supreme Court’s pending decision on Roe v. Wade law, digital privacy experts have been raising an alarm about digital privacy.
Millions of people use apps to track their menstrual cycles—the popular app Flo has 43 million active users. And Clue, a similar company, says they have 12 million monthly active users. But in recent weeks, many on social media have been urging others to delete their period tracking apps, saying that the data you share on them could be potentially be used against you if abortion becomes criminalized in states across the country.
Guest host John Dankosky talks with Laura Lazaro Cabrera, legal officer at Privacy International, about what kinds of data period tracking apps collect, how personal health data can be used in court, and how to protect your digital privacy.
This interview is a continuation of our coverage of the science of reproductive health and abortion access.
Invest in quality science journalism by making a donation to Science Friday.
Laura Lazaro Cabrera is a legal officer at Privacy International in London, England.
JOHN DANKOSKY: This is Science Friday. I’m John Dankosky. Our next story is a continuation of our coverage of reproductive health and abortion access. This week, we’re taking a look at the implications for digital privacy in a post Roe v. Wade era.
You may have seen people on social media saying that you should delete apps that help you track your period. What’s the concern? Well, the data you share on them could be potentially used against you if abortion becomes criminalized in states across the nation. And millions of people use these apps to track their menstrual cycles. The app Flo says it has 43 million active users. And Clue says they have 12 million.
But what kind of data do period tracking apps collect? Who can access this data? How worried should you be about entering your personal health information into an app? Joining me now to answer some of these questions and more is Laura Lazaro Cabrera, legal officer at Privacy International, based in London, England. Welcome to Science Friday, Laura.
LAURA LAZARO CABRERA: Thank you very much, John.
JOHN DANKOSKY: In 2019, you looked into the privacy practices of period tracking apps, including two of the biggest on the market, those that we mentioned, Clue and Flo. You put in some personal information and then asked for copies of your data back. So what did you find?
LAURA LAZARO CABRERA: Well, we not only reviewed Flo and Clue, but we also looked at a range of different period tracking apps, including Maya by Plackal Tech, MIA by Mobapp Development Limited, and many others. And what we found is that pretty much all the information that we were putting into the app ourselves was then being stored in the company servers. And so what we saw ranged from information about our cycle, the date of our last period, as well as information relating to our sexual activity and information related to our diary entries, which could contain virtually any information that the user would want to put into it.
JOHN DANKOSKY: So this data was saved on servers shared with third parties. I assume that this is an expectation that the users of these apps, including yourself, didn’t have.
LAURA LAZARO CABRERA: Exactly. It wasn’t all the apps that shared the data with third parties, but a couple of them did. And concerningly, they shared that data with Facebook, and they shared it nearly verbatim. So we would put in the data, and the data would get shared as it was put in with Facebook through, we then learned, the software development kit that Facebook often makes available to software developers and app developers.
JOHN DANKOSKY: Did this surprise you to learn this?
JOHN DANKOSKY: For people who haven’t used these apps before, maybe you can explain what types of data we’re talking about here.
LAURA LAZARO CABRERA: We’re talking about data relating to the entirety of the menstrual cycle. So you put in the day of the first day of your period. You put in the last day of your period. You also add additional information, such as your moods, how you’re feeling on a particular day, whether or not you’re experiencing any cramping. And indeed, some period tracking apps make available the option of the user declaring at the outset whether or not they’re looking to get pregnant, because it can also be used to monitor how your cycle is doing and how likely you are to get pregnant in the near or short future.
JOHN DANKOSKY: So some of this is quantitative data. But some of it’s very qualitative. It’s people’s moods. It’s how people are feeling about this particular moment in their lives.
LAURA LAZARO CABRERA: Absolutely.
JOHN DANKOSKY: Explain exactly what happens when you enter some personal health information into a period tracking app. And I understand each app works differently, but maybe you could give us an overview of what happens exactly.
LAURA LAZARO CABRERA: Yes. So things will happen in one of two ways. Either the data used by the app is stored locally– that means that it is stored on your device– or it is stored in the company’s servers. The moment that you put information into the app, that’s considered an event. And so information of that event will be recorded by the company’s servers, if indeed that’s how the app is built in.
It may well be that the app is built in a way where all the information is stored locally. Indeed, that would be ideal for privacy purposes. But most of the time, of course, it will get shared with the servers. And that is tied to the app’s functionality itself. And that is a reason that period tracking apps rely on when stating that they share data with third parties, or indeed that they store the data in their own servers.
JOHN DANKOSKY: After your findings were published back in 2019, two of the big period tracking apps actually changed their data privacy policies. Tell us about what changes they made.
LAURA LAZARO CABRERA: So one of the big changes that we were really happy to see was by Maya. So Maya changed its policies, and it changed the way the app worked by removing Facebook’s core software development kit, which was the primary way in which data was shared with Facebook.
There were other types of data that were still shared with Facebook after these changes were introduced. But at least the user was given the opportunity to consent before the data sharing actually happened. And that is a big change insofar as the users now have a better knowledge of who is likely to get the data, and they are at least offered the option not to share it with this other company and still use and enjoy the benefits of the app.
JOHN DANKOSKY: What do we know about what Facebook has done with data that it’s gotten from these apps?
LAURA LAZARO CABRERA: Well, sadly, we don’t know very much. And that’s pretty much what we always say about Facebook. We just don’t know enough. There isn’t enough transparency about the ways in which this data is handled.
The reality is that the data gets shared with Facebook whether or not you have an account or whether or not you are logged in to any of their products if the software development kit is allowed to operate in that way. And so at the time we carried out this research, the default implementation of the Facebook software development kit was designed to automatically transmit event data to Facebook. However, Facebook places the sole responsibility on app developers to ensure that they have the lawful right to collect, use, and share people’s data before providing Facebook with any data.
But then again, we don’t know what sort of due diligence Facebook applies to make sure that the data uploader, which in this case would be the period tracking apps– we don’t know how they’ve been made to comply with data protection laws in force. We don’t know how Facebook exercises their oversight in a way that they can be sure that people’s privacy rights are preserved.
JOHN DANKOSKY: So let’s get to the crux of this. In a post Roe v. Wade era in the US where abortion is banned or criminalized in several states in the US, would Facebook likely provide user data to those who are seeking it, law enforcement officials or others?
LAURA LAZARO CABRERA: I don’t know that it’s likely, but it’s certainly possible. And in the past, we’ve seen lots of stories about not just Facebook or Meta or many other big tech companies sharing data with law enforcement at their request. In practice, there is very little a company can do to refuse to comply, and certainly there are consequences.
And recently, earlier in 2022, we even saw an example where hackers impersonated law enforcement authorities and submitted data requests. And Apple and Meta ended up providing subscriber data in response to a fake law enforcement request. So this does happen. And one could even say that when these law enforcement requests arrived, there isn’t much due diligence that is applied to see whether they come from legitimate authorities, or indeed if they are legitimate.
JOHN DANKOSKY: What are the concerns in terms of law enforcement getting access to other third-party data?
LAURA LAZARO CABRERA: We know that the US government, for instance, has purchased datasets before in the context of immigration control enforcement. So if we’re talking about the data marketplace, it’s not impossible for the US government to be accessing data brokers’ datasets to get more information about particular individuals.
JOHN DANKOSKY: Are there certain apps that provide period tracking services that are more secure that you found than others?
LAURA LAZARO CABRERA: Well, we’ve always been uncomfortable about reaching that sort of conclusion because that, in a way, signifies full access, full transparency, and full understanding of an app. And it’s very hard to achieve that. However, we feel that, of course, the legal framework under which an app operates is an important point of reference, because even if it does not prevent wrongdoing in the first place, at least it provides individual users with a remedy or some accountability if something goes wrong, if there is any data misuse. And since we’re based in London, it’s worth saying that for us, the General Data Protection Regulation, which covers all of Europe, is a primary reference.
So that is an important thing for people to bear in mind. What sort of legal framework does this app fall under? Where is it headquartered? Where are its servers located? Those are all relevant questions to ascertaining which law will apply. And then users are able to decide whether or not they’re happy with the level of protections provided by the legal system or whether they’re not.
JOHN DANKOSKY: I mean, how much does it matter where an app company is headquartered, whether it’s in the EU or in the US or someplace else?
LAURA LAZARO CABRERA: Well, the key thing here is the legal regime that applies. So if you’re headquartered in the EU, it’s very likely that you will fall under the General Data Protection Regulation. And that means that additional responsibilities and obligations will apply on period tracking apps or companies in general, whether they be data processors or data controllers.
And not just that, but the GDPR also imposes additional obligations and safeguards when it comes to health data at large. So it doesn’t matter so much who’s doing the processing of the information. What matters is the type of data that has been shared, and additional requirements apply if that data is considered to be sensitive. And of course, health data is considered to be sensitive under the GDPR.
JOHN DANKOSKY: If you’re just joining us, I’m talking with Laura Lazaro Cabrera, legal officer at Privacy International, about data privacy in a post Roe v. Wade world. This is Science Friday from WNYC Studios.
So looping back to these legal questions, if a court was successfully able to acquire your personal data from your period tracking app or some third party that it gives the data to, would people be able to know if you were, say, pregnant or if you had a miscarriage?
LAURA LAZARO CABRERA: The way that law enforcement can access this data is not only if you directly disclose it on the app. Indeed, it’s possible for people to say, to type in, for instance, on the diary function, I had a miscarriage yesterday, or I had a spontaneous abortion, et cetera, et cetera. That’s only one way, but it’s not the only way.
For example, it would be possible for some of the data processed by these apps– not necessarily period tracking apps, but also others– which could be construed as a proxy for someone having been pregnant or someone having undergone a termination of their pregnancy. So proxy data would refer to data from which other data can be inferred, and these links aren’t always obvious.
JOHN DANKOSKY: And along those lines, are all the other ways that you might communicate about your reproductive health– using Google to search for abortion providers or texting friends and family about your concerns– are these things that can be used against you?
LAURA LAZARO CABRERA: Absolutely. I mean, in and of themselves, perhaps they wouldn’t be able to be used as conclusive evidence that a crime has taken place, if indeed abortion goes on to be criminalized. But then again, taken as a whole and looked at in light of other coexisting information, then it might be enough to then prove that someone has undergone an abortion in circumstances where it was prohibited. And indeed, we know that browsing history has been used as evidence in legal proceedings before. And in particular, in the US, there are federal offenses that can be incurred if a person decides to delete their browsing history all of a sudden. So all of these are relevant considerations for people to bear in mind.
JOHN DANKOSKY: How can people better protect their reproductive health data? I mean, should they, as we said at the top, be deleting these period tracking apps altogether?
And sometimes it won’t be as easy as pressing a button. Sometimes it will involve finding out an email address, then sending an email and explicitly requesting for data to be deleted. So I would urge people, before they stop any engagement with the app, just consider what you need to do to make sure that that app is no longer processing your data.
JOHN DANKOSKY: But honestly, just reading these privacy policies is enough to give you a headache. I mean, if you don’t have a legal background, it’s kind of hard to parse what exactly these privacy policies are saying.
LAURA LAZARO CABRERA: That’s absolutely correct. And even if you do have a legal background, it’s still very difficult to try and make sense of exactly what data is being shared with whom. And in general, privacy policies are being kept vague enough that you can’t be 100% sure of what’s happening with your data.
That being said, there is, I think, a responsibility on companies in general, but now particularly on period tracking apps companies, considering the current context in the US, to make sure that their privacy policies are easy to access, that they’re readable, that they’re understandable, particularly understandable by their own audience.
JOHN DANKOSKY: Do you think that questions like these, specifically surrounding some of the reproductive health questions that have come up just now– do you think that this is going to fundamentally change how we think about medical privacy overall in the United States?
LAURA LAZARO CABRERA: Definitely. Health data is perceived as something relevant only to hospitals and health care facilities in general. And we associate health data with professional health care services, which means that there is a baseline level of trust. And that’s because we subsume the concept of privacy and data protection under the broader patient-doctor confidentiality doctrine.
And it’s important to distinguish those concepts. Doctor-patient confidentiality is grounded in the relationship you have with a regulated health service provider. But data protection is grounded in the nature of the data regardless of who you share it with. And I believe that the current conversation happening right now will help people to realize that they have a lot more agency in this process that they thought. But that also means that there’s a lot more responsibility and that we, to an extent, have to hold ourselves accountable for the data that we share with others.
JOHN DANKOSKY: Is there a policy solution that you think the United States needs to adopt in order to address some of these issues? And is it purely a federal policy solution as opposed to state by state, which is how we are tackling these other reproductive health issues?
LAURA LAZARO CABRERA: It’s important to have some consistency, and it’s important to have, let’s say, a baseline level of protection for privacy and data protection at large, which could be achieved in the form of federal regulation. And one way to do it would be to put the type of data that has been shared front and center instead of making any regulation or oversight subject to formal accreditation or formal licensing requirements.
And I know that to be the case for some states in the US, where additional data protection obligations apply that’s often tied to the nature of the health service provider. So again, it’s grounded in the relationship that a patient may have with a service provider and not so much grounded in the type of data that’s being shared. If you put health data front and center, or sensitive data in general front and center, then that means that people can be protected and their rights can be exercised regardless of who gets the data.
JOHN DANKOSKY: Laura Lazaro Cabrera is legal officer at Privacy International, based in London, England. Thank you so much for your time. I really appreciate it.
LAURA LAZARO CABRERA: Thank you so much, John.
JOHN DANKOSKY: We have to take a quick break. And when we come back, a conversation about encouraging girls to become scientists and why it’s important to talk about the highs and the lows that go along with the job. Stay with us. This is Science Friday from WNYC Studios.
John Dankosky works with the radio team to create our weekly show, and is helping to build our State of Science Reporting Network. He’s also been a long-time guest host on Science Friday. He and his wife have three cats, thousands of bees, and a yoga studio in the sleepy Northwest hills of Connecticut.