If you’re the kind of person who tracks your period, fitness, sleep or other health metrics with an app, privacy experts have a warning for you: your data could be a gold mine for advertisers, hackers, or law enforcement.
There have been calls on social media for American women to delete period tracking apps from their phones since the U.S. Supreme Court’s draft decision on Roe v. Wade was leaked in early May.
With abortion now banned in at least eight states, there are fears that app users’ menstrual cycle data, along with other information, could be used to prosecute them for having an abortion in a state where it is no longer legal.
“I regrettably have to tell people to get rid of [the apps],” says Danielle Citron, a professor of law at the University of Virginia School of Law.
Her concern is that data from a period tracker, as well as other sources of information, could help build a case that a woman had an illegal abortion.
“You got your period on X date, you missed your period, then let’s say, for example, 20 weeks later you got your period again, and that in that time period your location shows that you went to a clinic either in the state or out of the state — that in so many respects is the circumstantial evidence that a prosecutor needs,” Citron said.
Digital privacy experts say the concerns over period tracking apps should also be a wake-up call to Canadians about the way they log their own sensitive health data online.
“Simply, do not trust what companies are doing with your data,” says Ann Cavoukian, a former Ontario privacy commissioner and founder of the International Council on Global Privacy and Security by Design.
“They may claim to protect your privacy, not store any of your digital data, not shared with anybody, but again and again, we’ve seen that they’ve been proven wrong. They often share it with unauthorized third parties in ways that you have not consented to.”
Tracking and sharing
The more sophisticated apps collect and store an enormous amount of data, beyond menstrual cycle details, to build a profile of users: everything from their name, location and whether they’re trying to get pregnant, to details of their sex life, exercise, what medications they take, and much more — a treasure trove for advertisers.
“When you downloaded that app, how much did you pay for it? What’s your monthly subscription fee? If the answer is zero, if you’re not paying for the product, then you are the product,” says Ritesh Kotak, a cybersecurity and technology analyst in Toronto.
Some period apps explicitly tell users their data could be shared with third-party advertisers, affiliates, business partners and even other app users — though those details are often buried in their privacy policies.
Since the Supreme Court’s ruling, several of the larger period app companies have sought to reassure their users about their data protection measures.
Flo launched an anonymous mode, so users no longer need to share their name or email, while Clue pledged to never turn over private health data “to any authority that could use it against you.”
However, if a company received a warrant or subpoena in the U.S., they would be required to hand over that data to law enforcement, Citron says — and the same goes for Canada.
“[Police] could demand it if they have a warrant. You, the organization, are obligated to provide the data to the police,” Cavoukian said. (Clue did not respond to a request for comment.)
Experts say even if an app promises not to share or sell users’ data, it likely still monetizes that information through targeted ads that reach specific users.
“There are word games about what can and can’t be sold,” said Andrea Ford, a medical anthropologist and researcher at the University of Edinburgh who has extensively studied period tracking apps.
“[The company] still has a profile of you as an Internet user, and where you’re going, what you’re doing, what other things you’re interested in — like, if you might be pregnant and you might want baby supplies, your data can be funnelled into those channels without it being your personal information being sold.”
Anyone ready to ditch their period tracker should be aware that simply deleting the app won’t necessarily delete all your data off their servers: some apps require you to make a deletion request in writing, and it can take weeks for your request to be fulfilled.
Big data trails
Technology experts also caution against focusing too much on period trackers when many other apps also monetize private health data in various ways.
There are plenty of other digital footprints that can reveal more about a person’s activities, including web search results, text messages and emailed receipts. All have been used to criminalize people who have sought abortions in the U.S., Cynthia Conti-Cook, a civil rights lawyer and digital evidence researcher, told The New York Times.
Concerns about the potential for women’s smartphone location data to be used against them prompted Google to announce it will automatically delete visits to abortion clinics, as well as a number of other destinations, from users’ location histories.
The change will apply globally, including in Canada, a Google spokesperson told CBC News.
Personal data can also be a “very valuable commodity” to hackers, Kotak warned. He suggests using an email address that doesn’t contain your full name when you sign up for an app, and providing as little personal information as possible.
Canadians concerned about the way apps are using their personal data can contact a privacy organization for help, or file a complaint with the federal privacy commissioner’s office.
A spokesperson for Privacy Commissioner Philippe Dufresne said their office has not received any complaints related to period tracking apps, nor have they investigated any of those apps.