Hi, We’re Jen Caltrider and Misha Rykov - lead researchers of the *Privacy Not Included buyers guide, from Mozilla! We’re also joined by the Director of Government Affairs and Advocacy at UltraViolet, Sonja Spoo, and we’re all here to answer your burning questions.

Mozilla reviewed the privacy & security of popular period and pregnancy- tracking apps. After Roe vs Wade was overturned in the United States earlier this year, these apps have raised safety and privacy questions.

Here is a summary of what we found:

-18 of the 20 apps we reviewed earned our *Privacy Not Included warning label. This includes popular apps like Clue, The Bump and Flo with tens of millions of downloads.

-There is too often only vague policies of how these companies will share data with law enforcement, which is worrying, considering these apps have the potential to shed light on users’ most sensitive data

Learn more about our findings here

AMA about our research, our guide, or anything else!

Proof: Here's my proof!

UPDATE: Thank you for joining us and for your thoughtful questions! If you would like to support the work that we do, you can also make a donation here or sign up for our newsletters here and check out some of the important work UltraViolet is doing here

Comments: 261 • Responses: 32  • Date: 

icecapp420694 karma

Can you recommend an alternative way to track our cycles? These apps have been very helpful to me over the years, but like you I’m deeply concerned about privacy.

Is our best option now pen and paper? A spreadsheet?

Thank you so much for you work.

Mozilla-Foundation1586 karma

Pen and paper is an option that worked for people for years. For people who want something a little more advanced than that, an app like Euki is a good option. It’s made by a non-profit, so no collecting your data as a business asset. It stores all data locally, so you keep control over it as long as you keep your phone protected and safe. And it has a special passcode a user can enter if they are forced to open the device when they don’t want to that will keep the app from showing your real information. There are a couple of decent privacy options out there, you just have to search for them. And do your due diligence to understand if you can trust them.

-Jen

Acrobatic_Concern_72349 karma

As someone who accepts privacy policies on auto pilot, this is super scary. Two questions:

What do you think the biggest threat is to women's privacy who use these apps?

Are there any cases of this happening yet in the U.S.?

Mozilla-Foundation408 karma

To answer your first question:

Soooo many threats. There’s the chance your data could be accessed by someone who wants to accuse you of having an abortion to send the police to investigate which could potentially lead to your arrest and prosecution for seeking reproductive health care. There’s the chance your data can be shared or sold to data brokers and then sold to pretty much anyone and that’s not information you want the world to have. There’s the chance you’ll be targeted with dumb ads forever because they think you’re having a baby. And the stories of women who lose their babies to miscarriage and the emotional harm seeing those ads do. Because we’re talking about things like when your period starts, what your moods are, what your symptoms are, when your doctors appointments are, what baby name you’ve picked out, how much you weigh, your sexual orientation, and on and on and on. So, the threats are large. And one thing I tell people is, once you share this information on the internet it’s out there. You no longer control it.

-JC

Mozilla-Foundation229 karma

To answer your second question:

I am not aware of any active cases stemming directly from health apps in the U.S. However, the FTC has filed an action against a data broker, Kochava, for selling geolocation data for mobile users that could be used to track people's movements including to places like abortion clinics and such. Data brokers often collect their data from apps like the ones in the Mozilla study and there isn’t as much oversight on what they do with that data. You can learn more about this case here: https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-places-worship-other

In a post-Roe world, many of these threats are so far theoretical, but Roe was only overturned a few months ago and we know the anti-abortion movement has a long history of using data to target vulnerable people, including geolocation services to push anti-abortion content to people seeking abortion care in clinics. This is why reviews and studies like the Mozilla one are critical to alerting consumers and policymakers to the threats so we can mitigate them. Another great resource for protecting yourself online when thinking through reproductive health decisions is this guide https://digitaldefensefund.org/ddf-guides/abortion-privacy

-S&S

AmNotThatOtherGuy235 karma

This is interesting work, can you shed more light on the methodology and depth of review that you perform?

From a quick cursory read it looks like you mostly just focus on the EULA/Privacy verbiage, do you perform any technical reviews like traffic inspection to see external 3rd party calls?

Mozilla-Foundation232 karma

You can read the methodology we use to do our research here: https://foundation.mozilla.org/en/privacynotincluded/about/methodology/. We approach our research like an average consumer who has more time and experience reaching privacy policies. We look at what a company has made publically available to try and understand their privacy practices before a user downloads or buys an app or device. We also email all the companies at the email address listed in their privacy policies for privacy-related questions (it’s amazing how many companies never respond). Misha, my colleague has started doing some deeper technical research and also digging into what data brokers can gather. We’re a small team of two though, so doing that research takes more time, money, and resources. And we’ve found, we can learn a lot just by reading public privacy policies and asking companies our questions. -Jen

We do track data transfers that apps are initiating, for example to advertisers like Facebook, AdWords/Doubleclick, Amazon, etc. There is only so far that we can see with this approach, and most of the connections that we observe are sharing of device ids or advertisement ids for advertising or other services. At the same time, our main concern is about behind-the-scenes selling or sharing of data between companies, or to data resellers/data brokers. There is no way to track such sharing technically - the only way to call out such practices is to find a whistleblower. Sadly. So, in a nutshell, we do track connections and SDKs that sit at the app, but the ugliest things are as usually very hard to track.

-Misha

glutenfreeeucharist129 karma

Have you read any of the statements these Apps put out? Clue released on post-Roe overturning that said they would not share data with LE. It made me feel contented, but now I’m worried again.

Mozilla-Foundation167 karma

We have! And some of them have been very good. We appreciated Flo and Clue clarifying how they share data with law enforcement. That’s great information for them to provide consumers. One thing Misha and I always worry about is how much these sorts of statements are actually policy and how much are PR efforts. But, anything that clarifies how the company shares data with law enforcement is great as that was an area in the privacy policies we read for many of these companies that was vague and concerning. We also like seeing some companies moving where they store the data collected our of the US to European countries that are covered by stricter GDPR privacy laws. That’s a real step to help protect consumers’ data from being accessed by US law enforcement.

-Jen C

Agree with Jen that it is always great when companies release statements. But its better when there is clear policy and regulation to keep companies honest/accountable and to give consumers avenues of redress.

-Sonja

lipah_b75 karma

Would you be able to review other apps like the Samsung health app?

Mozilla-Foundation251 karma

Oh, Samsung. I was just reading Samsung’s privacy policy yesterday for the research we’re doing into some of their devices for our holiday guide. It’s pretty awful, to say the least. I haven’t read their privacy policy for their health app specifically, but I can say that Samsung overall does NOT have good privacy practices.

-JC

FaustusC50 karma

What makes the data from these any worse than Apple or Google tracking your every step and visit?

Mozilla-Foundation87 karma

This is a great question. When it comes to tracking reproductive health data, these apps are just the tiny tip of the iceberg for what data could be used to track, harass, arrest, and prosecute women seeking reproductive healthcare in states that have made abortion illegal. It’s all very scary. Yes, period and pregnancy tracking apps collect specific personal information related to pregnancy. But if you stop to think about it, there are soooooooo many other things tracking us every day that can be used to track us too. Our phones, our internet searches, your neighbor’s Ring video doorbell, your cities street cams, your text messages, your financial data, that purchase you made down at the grocery store with your credit card. The list goes on and on. The truth is, our privacy is invaded every single day. It’s just that most people don’t see any, or haven’t seen, any real harms to that yet. We’re starting to realize those harms are closer than we think. So, let’s hold Google accountable. Let’s hold Flo accountable. Let’s hold Kroger and CVS and the city of Dallas and Facebook and Amazon and everyone accountable. Shop with your dollars. Contact customer service and ask them to do better. It’s all a drop in the bucket now, but drops fill up buckets eventually.

-Jen C

I would also add that what makes these different is the specificity of the data as it pertains to reproductive health and the new reality where this data could be used in criminal matters as abortion is criminalized. We’ve seen, tangentially, a recent story of Facebook messages being subpoenaed and used in prosecution for someone’s pregnancy outcome in NE this year https://www.npr.org/2022/08/12/1117092169/nebraska-cops-used-facebook-messages-to-investigate-an-alleged-illegal-abortion. It isn’t a stretch to see how health data can be similarly used with much greater efficacy given the particular sort of data these apps hold.

-Sonja S

orangeoliviero40 karma

Looking at the problematic period trackers, this seems very much a direct representation of the adage "if you aren't paying for it, then you are the product".

The ones that don't sell your data off are the ones that sell an actual product to you.

Does that align with what you've seen in general?

Mozilla-Foundation38 karma

The way we’re seeing our current digital data economy going these days is yes, more companies seem to be asking for subscriptions to their services. They still use your data to target you with interest-based advertising, personalize as much of the content to you as they can to get you to spend more time in their apps, share data with all the affiliates in their business empire, share your data with third parties for advertising and marketing purposes, and then add a line to their privacy policy that says they will “anonymize” (reminder, it’s been found to be pretty easy to re-identify de-identified data) your data and then they can do whatever they want with it. So, yeah, that old adage if you’re not paying for it you’re the product feels a bit dated these days. You’re the product on the internet, regardless. At least with too many of the companies we review.

-Jen C

TakoBell2239 karma

Hi, your work is extremely interesting to me!

Two questions: What regulatory/legal mechanisms should be evolved to combat the infringement of privacy on health apps in the short- and long-term? In your experience, are laws lagging far behind when it comes to the advancement of technology?

Secondly, what would your foremost advice be for users to keep a check on their privacy rights? What should one do to make sure that they protect their privacy as far as possible on apps like these?

Mozilla-Foundation52 karma

To answer your second question:

These five steps are a good start in improving your privacy hygiene:

  1. Check *Privacy Not Included reviews as well as privacy reviews or mentions in media for a product before using it. Try to stay away from apps that are too famous for neglecting information security. There are always safer alternatives.
  2. After downloading an app, give it as little permissions as possible. Lots of apps can function just well without having access to your gallery, camera, contact list, microphone, GPS location, and whatnot.
  3. Check your app settings. Opt out of targeted ads whenever possible and dele
  4. Do not neglect security: set up a decent password, ideally two-factor-identification, for your device/app as well as WiFi at home.
  5. After downloading an app, give it as few permissions as possible. Lots of apps can function just well without having access to your gallery, camera, contact list, microphone, GPS location, and whatnot.nt your sensitive data to stay around after you have stopped using the service.

-Misha

Mozilla-Foundation27 karma

To answer your first question:

100% policy is lagging behind practice right now on privacy with health apps. This is true overall of the tech space, not just with health apps. The case I mentioned earlier, FTC v. Kochava, is one example of regulatory bodies trying to catch up on all the aspects of the privacy and health space. The Biden administration has also been exploring how to ensure health privacy is protected. The President issued an executive order this summer which included instruction to the FTC and other agencies to address these concerns and formulate policy. convened tech leaders to talk through these issues and to press them to be proactive about preventing the weaponization of sensitive health data. There are also various pieces of legislation that have been introduced to address aspects of these overall concerns too including the My Body, My Data Act, among others. The legislative, regulatory, and legal frameworks to respond to this moment are forming but it will certainly take time for them to be fully fleshed out or implemented.

-Sonja S

bethebumblebee23 karma

What are your thoughts on the Apple Health app?

Mozilla-Foundation31 karma

I’ll answer this with the caveat that I have not researched Apple Health specifically. However, I have researched a lot of devices and apps that allow users to connect to Apple Health. Here’s the issue. While Apple Health might be OK from a privacy perspective when it comes to Apple’s privacy practices, they connect with all these third-party apps and devices and share data back and forth and once that data is shared away from Apple, those third-party privacy policies apply. And those third parties don’t always (or rarely) have as strong privacy practices as Apple. Your data gets more vulnerable the more you share it.

For example, there was a major data leak https://healthitsecurity.com/news/61m-fitbit-apple-users-had-data-exposed-in-wearable-device-data-breach) of 61 million fitness tracker data records, including Apple's Healthkit data, by the third-party company GetHealth. In September 2021, a group of security researchers discovered that GetHealth had an unsecured database containing over 61 million records related to wearable technology and fitness services. GetHealth accessed health data belonging to wearable device users around the world and leaked it in an non-password protected, unencrypted database. The list contained names, birthdates, weight, height, gender, and geographical location, as well as other medical data, such as blood pressure.

That data leak wasn’t Apple’s fault, but users of Apple Healthkit were harmed by it.

-Jen

darkest-mirror2 karma

I’m intrigued about this one too, hope they respond.

Mozilla-Foundation8 karma

Sorry - our previous answer is not showing up for some reason. Hopefully you can see this!

--

Sorry - our previous answer is not showing up for some reason. Hopefully, you can see this!ever, I have researched a lot of devices and apps that allow users to connect to Apple Health. Here’s the issue. While Apple Health might be OK from a privacy perspective when it comes to Apple’s privacy practices, they connect with all these third-party apps and devices and share data back and forth and once that data is shared away from Apple, those third-party privacy policies apply. And those third parties don’t always (or rarely) have as strong privacy practices as Apple. Your data gets more vulnerable the more you share it.

For example, there was a major data leak https://healthitsecurity.com/news/61m-fitbit-apple-users-had-data-exposed-in-wearable-device-data-breach) of 61 million fitness tracker data records, including Apple's Healthkit data, by the third-party company GetHealth. In September 2021, a group of security researchers discovered that GetHealth had an unsecured database containing over 61 million records related to wearable technology and fitness services. GetHealth accessed health data belonging to wearable device users around the world and leaked it in an non-password protected, unencrypted database. The list contained names, birthdates, weight, height, gender, and geographical location, as well as other medical data, such as blood pressure.

That data leak wasn’t Apple’s fault, but users of Apple Healthkit were harmed by it.

-Jen

starhawke1320 karma

Is this a US only problem? How does this affect other countries and GDPR laws in the EU? Are we more protected here?

Mozilla-Foundation27 karma

Europe has stronger privacy laws thanks to their GDPR, and many European countries of course allow legal abortion so it can depend. But overall we also know that political winds can change and that much of the rightward lurch in Europe includes attacks on abortion. This is all to say that while privacy laws right now may be more robust, it's important to not take that for granted.

-Sonja

ThisShowIsBoringAF16 karma

Considering the fact that the US military gave us software such as Tor and Tails, and the fact that gpvernments around the world are known to have backdoors in our hardware, would you agree that digital/non-digital privacy is simply an illusion these days?

Mozilla-Foundation34 karma

Misha and I love to joke as privacy researchers about our giant tin foil hats. It’s easy to fall into the Debbie Downer mentality that privacy is all gone, it’s an illusion, everything is awful blah blah blah. We get it.

Does that mean we shouldn’t work for better privacy practices in our policy, and as consumers hold companies accountable for their terrible privacy practices? I don’t think so. I have this theory that every social movement has a tipping point. And the movements that make the most change are the ones best prepared for that tipping point. I really do think consumers are starting to see the harms of giving up all their privacy these days. Health and wellness apps really highlight that. And I think the privacy movement’s tipping point is coming. Soon I hope. And I hope we all will work to do our best to stay educated, be aware, do what we can, and be ready for that moment. -Jen

popplesan12 karma

Do you think that apps collecting private data should go through a stricter review process before getting accepted?

In academia we have to run every study through IRB, detailing the type of data we collect and how we’ll secure it and minimize harmful effects. Should a similar requirement apply to app developers?

Mozilla-Foundation12 karma

To answer your first quesiton: That sounds like a good idea. Here are two challenges: Most of the apps collect private data, or to be precise, lots and lots of private data often beyond the goal for which this app exists. There is no centralized entity to ‘accept’ apps. We know that apps have to comply with certain regulations like GDPR or CCPA, but these regulations are not enforced against a particular app unless there are numerous complaints, and even then, it goes slowly. We could also see that ‘data safety’ labels at Google Play Store or app privacy filters at App Store are self-reported and Google/Apple bear no responsibility for them. So, Big Tech stays away from filtering apps by privacy and security, too.

-Misha

Mozilla-Foundation8 karma

Yes, we support the idea of some entity to be there to check apps (at least in contexts of very sensitive data like pregnancy trackers) before allowing the apps to reach users. But who could be that entity? We know that government bodies find it hard even to enforce GDPR/CCPA. Big Tech companies are also performing poorly: we could also see that ‘data safety’ labels at Google Play Store or app privacy filters at App Store are self-reported and Google/Apple bear no responsibility for them.

-Misha

throwawaylurker01211 karma

What do you feel is part of good privacy hygiene regarding these apps for this type of content? (I.e. period, pregnancy)

Also I know many companies exist now that hover up our phone data for different reasons (Advan, Safegraph, Mapped etc for geolocation/real estate for example). We know these apps might be used in scenarios now as discussed post Roe v Wade decision, but are there other ways this data might be used apart from that and advertising?

Mozilla-Foundation25 karma

The five initial steps for privacy hygiene would be the following:

  1. Check *Privacy Not Included reviews as well as other privacy reviews or mentions in media for a product before using it. Try to stay away from apps that are too famous for neglecting information security. There are always safer alternatives.
  2. After downloading an app, give it as few permissions as possible. Lots of apps can function just well without having access to your gallery, camera, contact list, microphone, GPS location, and whatnot.
  3. Check your app settings. Opt out of targeted ads whenever possible and dele
  4. Do not neglect security: set up a decent password, ideally two-factor-identification, for your device/app as well as WiFi at home.
  5. When you stop using an app, request full deletion of your data. You can often do it in the app, or via an email mentioned in the Privacy Notice. A reference to CCPA or GDPR has to be enough. You do not want your sensitive data to stay around after you have stopped using the service.

For additional privacy, you may try to stay as anonymous as possible. For this, follow these steps:

  1. Sign up via email that does not contain your name. Do not sign up with third-party plug-ins, such as Google, Facebook, etc.
  2. Use “anonymous mode” whenever possible. A couple of apps are working on it, like Flo and Natural Cycles. We did not have a chance to review how ‘anonymous’ this mode is (no digital is 100% anonymous), but that sounds like a great start in today's world.
  3. Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images and videos)

-Misha

Literary-Throwaway8 karma

When Roe v Wade was first overturned, people were advocating for anyone with a penis to download period-tracking apps and use them improperly to taint any analytics that could be taken by governments or other third parties. For example, I heard one cis man say that he downloaded an app to track his workout schedule. Is this a strategy you would recommend? If enough people adopted this strategy, how much of a difference would it make for people with uteri?

Mozilla-Foundation16 karma

I mean if that is what you want to do, ok! But ultimately it probably wouldn’t trouble the analytics overall and there are other ways, like giving to an abortion fund, volunteer with the digital defence fund (​​https://digitaldefensefund.org/volunteer), or writing to lawmakers about the need to protect reproductive health data that probably would have more impact.

-Sonja

JustHere2RuinUrDay7 karma

How about drip? It should be good, you're partly funding it after all.

Mozilla-Foundation7 karma

We didn’t review Drip, so I can’t say for sure if it is good. I can say that I’ve heard OK things about it.

Consumer Reports did look into Drip as part of their reviews and they do recommend it. You can read their review here: https://www.consumerreports.org/health-privacy/period-tracker-apps-privacy-a2278134145/

-Jen C

Mrmrmckay7 karma

Isn't it true of all apps though? Even the various "freedom" apps governments used during the pandemic were just harvesting vast amounts of data? I wonder how bad tik toks privacy is lol

Mozilla-Foundation8 karma

True, there are plenty of bad apps out there collecting tons of data and sharing or selling it all around. TikTok’s privacy is bad. But it’s also not asking you to enter when you started your period, how heavy your period is, when you last missed your period, what your moods are, what pregnancy symptoms you’re experiencing, when your next OB/GYN appointment is, and the like. The collection of this very sensitive, personal, health data is what sets these reproductive

-Jen C

Alohn22675 karma

How often do you do those reviews ? Those are very interesting !

Mozilla-Foundation22 karma

Misha and I are Mozilla’s *Privacy Not Included team. We created our buyer’s guide for connected devices and apps back in 2017 and have been slowly expanding our work ever since. This year we were able to review Mental Health apps in May, Reproductive Health apps in August and we’re deep in the weeds of researching our Holiday buyer’s guide that will roll out in mid-November this year. We’re a small team but we work hard and do our best because we truly believe in our work and helping consumers understand why privacy matters and what they can do about it. Hope that answers your question. Thank you for finding our work interesting!

-Jen C

nutmegtell5 karma

Holy shit. How can I tell my kids to track their periods privately? Good old handwritten calendar ?

Mozilla-Foundation11 karma

Kids always present a special privacy concern. Many of these apps say they aren’t for children under 13 in the US or 16 in Europe. That being said, teaching young people that protecting their privacy online is super important and this is a good place to start. As we mentioned in another comment, pen and paper is an option that worked for people for years. For people who want something a little more advanced than that, an app like Euki is a good option. It’s made by a non-profit, so no collecting your data as a business asset. It stores all data locally, so you keep control over it as long as you keep your phone protected and safe. And it has a special passcode a user can enter if they are forced to open the device when they don’t want to that will keep the app from showing your real information. There are a couple decent privacy options out there, you just have to search for them. And do your due diligence to understand if you can trust them.

-Jen C

andricekrispies4 karma

To preface this, I definitely believe data security in regards to all apps and technology is a huge and legitimate concern.

That said, I’m reading a lot more about the insecurity of data related to period tracking apps in the wake of Roe V Wade and it’s starting to feel like fear mongering at best, pushing people away from a free and reliable mode of natural family planning at worst. You say yourself that there have been no instances of this data being used by law enforcement or anyone else nefariously to date, just that the possibility could hypothetically exist. Considering how the country is backsliding so rapidly away from access to abortion, birth control, and sex education, these apps seem like one of the few affordable and nationally accessible ways for people to take control over their fertility. I’ve been using a period tracker for awhile now to try to get pregnant, and it could just as easily be used as a way to prevent pregnancy. I’m a little uncomfortable with a narrative that pushes this dystopian, Black Mirror-esque “what if,” when our present reality is already dystopian enough in its lack of safe and accessible options. All that considered, is it wise to put people off one of the few options that does exist, imperfect as it may be?

I’ve learned so much about my cycles and fertility through these apps. I’m just thinking about someone who lives in a state with poor sex eduction, no abortion access, and increasingly restrictive birth control options. What options do they have left to easily educate themselves and have a measure of agency in their own family planning?

Mozilla-Foundation8 karma

To answer: is it wise to put people off one of the few options that does exist, imperfect as it may be?

I think this raises an interesting point. People need to do their own risk assessment and determine the potential risks of using these apps to their privacy and safety versus the rewards they get from using these apps. We’re not saying people shouldn’t use these apps. As you point out, they offer some very valuable benefits. What we learned from our research though, is that too many of these apps don’t meet the minimum privacy and security criteria we’ve set here at *Privacy Not Included to recommend people can use these apps safely. We have a methodology we review all the products we research by. We reviewed 10 pregnancy apps, and not one of them met our privacy and security standards. When we reviewed 10 period tracking apps, only 2 apps didn’t earn our *Privacy Not Included warning label. We’re not trying to fearmonger. We’re simply researching these apps based on our established methodology and reporting our findings. Unfortunately, our findings weren’t good and we wanted people to know that. Does that mean you shouldn’t use these apps? No. What we recommend is using apps that do better at protecting privacy than others because the chance that something could go wrong when you share this personal health data is real and elevated in our post-Roe vs Wade world. FYI, here’s ur methodology: https://foundation.mozilla.org/en/privacynotincluded/about/methodology/

-Jen C

Mozilla-Foundation7 karma

To answer: What options do they have left to easily educate themselves and have a measure of agency in their own family planning?

I think this is all fair! These apps have served you and many well and been a source of education. But part of using apps is understanding the pros and cons and recognizing risk. We are in some uncharted times right now where a legal right has been taken away and that means new risks to be aware of as a consumer and for advocates to work to ameliorate so people can continue to use the apps in ways that are helpful. In terms of education, there are many sources of education folks can turn to and have agency in their family planning including Planned Parenthood, other reputable medical sites and providers and through trusted networks. You can also still use these apps if they help you, and armed with the information shared by Jen and Co just have better awareness of what information to put into these apps versus what to be more cautious about. Some apps can be used for purely informational or educational purposes as well.

-Sonja

Onepopcornman3 karma

As you mention in another comment. One of the end-around concerns is that this data might be brokered and (identified) leaving its use as broad as your imagination.

1) is there any evidence so far they that brokering is happening?

2). is there any evidence so far that data is identifiable beyond the initial collection (is it being stored in concerning ways)?

Keep asking the good questions! These are real concerns especially how we are seeing how data broker items are effecting other things (like social benefits).

Mozilla-Foundation12 karma

Q1: is there any evidence so far they that brokering is happening?

Data brokering is real and what we are seeing is only the tip of the iceberg! The most famous examples are data brokers selling data about visits to abortion clinics and the list of 32 data brokers identified by Gizmodo as selling data about pregnant people (they identified 2.9 billion profiles of U.S. residents pegged as "actively pregnant" or "shopping for maternity products.").

Q2: is there any evidence so far that data is identifiable beyond the initial collection (is it being stored in concerning ways)?

In the shadowy world of data brokers, we have no visibility into how that data is being stored. Our guess is - not so securely. There are too many data leaks happening from unknown sources.

-Misha

Onepopcornman2 karma

Hi misha thanks for the response. In regard to question one. I think I was asking if there is evidence that these apps specifically are selling their collected data based on your research.

It seems like based on the terms it’s possible they are selling it. But I was curious based on your methods if there was evidence of which ones were that was confirmed.

(These aren’t skeptical questions, I’m just curious if we have the kind of grainular picture of who is doing what at the moment).

Mozilla-Foundation3 karma

There is evidence that data brokers have information related to period tracking and pregnancy tracking apps. Did they get this data from these apps selling it to them? Perhaps sometimes. Did they get it from other apps or phone info and device ids and location info, also, likely? Some apps will come right out and say, “We never sell data.” Other don’t come out and say that they don’t sell data directly, those are the ones your wonder about. Regardless of how they get it though, data brokers are getting data about people using these apps.

-Jen C

dogtierstatus2 karma

I am guy with a partner. We are not in the US. Actually in a third world country.

We dont have facebook accounts. The accounts I registered in Flo are in my name but with an email account not connected in any way with Facebook.

How much exposure do I have with respect to my partner's data being used by Facebook for tracking/advertising purposes?

Mozilla-Foundation11 karma

Unfortunately, your data is probably not safe from Facebook (rule of thumb, your data is never safe from Facebook). Here’s what Flo’s privacy policy says in regards to sharing data with social media sites like Facebook:

“2. Flo sends your Personal Data to AppsFlyer, which analyzes it and provides us reports and insights on how to optimize our promotional campaigns.

  1. At the same time, AppsFlyer sends your Personal Data to some of its integrated partners (e.g., Pinterest, Google Ads, Apple Search Ads, FB marketing network and others) to find you or people like you on different platforms, including social media websites. These integrated partners analyze your Personal Data and show relevant information about Flo to people who might be potentially interested in it or remind you about revisiting the App, if you stopped using it a while ago.” Link to Flo’s privacy policy: https://flo.health/privacy-policy

-Jen C

stonded1 karma

[deleted]

Mozilla-Foundation5 karma

Blocking trackers in your apps won’t prevent the collecting and storing and potentially sharing of the data you share through the app, unfortunately. Removing internet access will probably result in most of these apps not working properly. My best advice would be to search out an app like Euki and use it instead.

-Jen C

stonded1 karma

[deleted]

Mozilla-Foundation6 karma

Blocking trackers in your apps won’t prevent the collecting and storing and potentially sharing of the data you share through the app, unfortunately. Removing internet access will probably result in most of these apps not working properly. My best advice would be to search out an app like Euki and use it instead.

-Jen C

returnkey0 karma

When the draft opinion leaked, like a lot of other folx I got really spooked. I had been using Clue, but I was terrified if I just deleted my account, a copy of my data would still exist somewhere, so I started going back through and removing all my past entries individually. Because I had such a long archive, there’s still some old entries I haven’t gotten to and I still get predictive alerts.

Am I being over the top? If I purge my data as is, is that being cautious enough? The accuracy of their prediction models spooks me enough that I worry projections could still reasonably be held against me. What should I do to be most cautious about purging whatever archival info they might still have on me?

Mozilla-Foundation5 karma

Clue is actually an OK app. However, it didn’t meet our Minimum Security Standards because they allowed the weak password of “1” to sign up for the app. The good thing about Clue is, the allow all users to request their data be deleted, no matter where you live. Clue is actually based in Germany and is covered by the EU’s stricter GDPR data privacy laws. So you can email them (unfortunately, at the time of our review, we didn’t see any way to delete your data within the app) and ask them to delete all your data. Clue says that the way to delete data is to email them.

Here’s what they say:

"Request the complete deletion of your data, including all past data sent to third-party services used for tracking and analysis, by reaching out to [[email protected]](mailto:[email protected]). Your data will be deleted within 30 days."

As for your concerns being over the top. Absolutely not. Your concerns are valid. However, I would also say that if you use Clue and set up a strong password to protect the data on your phone from people who might snoop, you’re probably OK. Now, if you live in a state where abortion is illegal though, I would probably not use an app. But that’s just me.

-Jen C

returnkey0 karma

Thank you! This is very helpful.

Unfortunately, I’m one of those blue urbanites within a red state (now with an abortion ban), so I stopped using tracker apps when the draft came out.

Side questions: Out of caution & fear for contraception access, I also ordered several EC pills, some via Nurx. I didn’t see Nurx mentioned above, but have you ever assessed their privacy/security for users?

Mozilla-Foundation2 karma

Hello, thank you for the question.

No - we have not looked into the privacy of Nurx. -Jen C

davidildo-12 karma

After Roe vs Wade was overturned in the United States earlier this year, these apps have raised safety and privacy questions.

This seems like fear mongering at it's worst. Is there any evidence that Roe v Wade and period apps are in anyway related or there is a specific risk associated with using a period app that relates to Roe v Wade?

Mozilla-Foundation13 karma

Hi u/davidildo, happy to answer your question as a woman living in a world where Roe vs Wade is no longer the law of the land. It is truly, absolutely terrifying to women to think they might be forced by the government to go through a traumatic and dangerous pregnancy. When you hear stories of law enforcement and vigilantes being able to target anyone getting an abortion or giving an abortion as the laws in Texas also, the idea of fearmongering is no longer a thing. We live in a world where we live in fear. End of story. And anything that could be used to target people getting the reproductive health care they need and want to prevent them from getting that health care and potentially forcing them to carry a pregnancy they don’t want, is very bad. Take a step back and listen to women around you and realize this is a privacy issue, this is a health issue, and this is a human rights issue. Period and pregnancy tracking apps are the tip of the iceberg here.

-Jen C