If you’re the kind of person who tracks your period, fitness, sleep, or other health metrics with an app, the privacy experts have a warning for you: your data could be a goldmine for hackers. advertisers, hackers or law enforcement.
There have been calls on social media for American women to remove period-tracking apps from their phones since the proposed U.S. Supreme Court ruling on Roe v. Wade was disclosed in early May.
With abortion now banned in at least eight statesthere are concerns that app users’ menstrual cycle data, along with other information, could be used to prosecute them for having an abortion in a state where it is no longer legal.
“I unfortunately have to tell people to get rid of [the apps]“, says Danielle Citron, professor of law at the University of Virginia School of Law.
Her concern is that data from a period tracker, along with other sources of information, could help build a case that a woman had an illegal abortion.
“You had your period on date X, you missed your period, then say, say, 20 weeks later you had your period again, and during that time your location shows that you went to a clinic either in-state or out-of-state — that’s in many ways the circumstantial evidence a prosecutor needs,” Citron said.
Digital privacy experts say concerns over period-tracking apps should also be a wake-up call for Canadians about how they log their own sensitive health data online.
“Simply don’t trust what companies do with your data,” says Ann Cavoukian, former Privacy Commissioner of Ontario and founder of the International Council on Privacy and Data Protection. security by design.
“They may claim to protect your privacy, not store any of your digital data, not share it with anyone, but again and again we have seen that they have it wrong. They often share it with unauthorized third parties from a manner which you have not consented to.”
Follow and share
The most sophisticated applications collect and store huge amount of databeyond the details of the menstrual cycle, to create a profile of users: everything from their name, location and if they are trying to get pregnant, to details of their sex life, exercise, medications they they take, and much more; a treasure trove for advertisers.
“When you downloaded this app, how much did you pay for it? What is your monthly subscription? If the answer is zero, if you’re not paying for the product, then you are the product,” says Ritesh Kotak, cybersecurity. and technology analyst in Toronto.
Some vintage apps explicitly tell users that their data may be shared with third-party advertisers, affiliates, business partners and even other app users – although these details are often buried in their privacy policies.
Since the Supreme Court ruling, several of the biggest vintage app companies have sought to reassure their users about their data protection measures.
Flo launched an anonymous modeso that users no longer need to share their name or email address, while Clue is committed to never transmit private health data “to any authority that could use it against you”.
However, if a company received a warrant or subpoena in the United States, it would be required to turn that data over to law enforcement, Citron says — and the same goes for Canada.
“[Police] could demand it if they have a warrant. You, the organization, are obligated to provide the data to the police,” Cavoukian said. (Clue did not respond to a request for comment.)
Experts say that even if an app promises not to share or sell user data, it’s likely monetizing that information through targeted ads that reach specific users.
“There are puns about what can and cannot be sold,” said Andrea Ford, a medical anthropologist and researcher at the University of Edinburgh who has studied period-tracking apps extensively.
“[The company] always has a profile of you as an internet user, and where you go, what you do, what other things you’re interested in – like, if you’re pregnant and want baby supplies, your data may be redirected to these channels without your personal information being sold.”
Anyone willing to ditch their period tracker should know that simply deleting the app won’t necessarily remove all of your data from their servers: some apps require you to request deletion in writingand processing your request can take weeks.
Big data tracks
Tech experts also warn against focusing too much on period trackers when many other apps also monetize private health data in various ways.
There are many other digital fingerprints that can tell more about a person’s activities, including web search results, text messages, and emailed receipts. All have been used to criminalize people who have sought abortions in the United States, Cynthia Conti-Cook, civil rights lawyer and digital evidence researcher, told the New York Times.
Concerns about the potential for location data from women’s smartphones to be used against them prompted Google to announce that it automatically remove visits to abortion clinicsas well as a number of other destinations, from user location history.
The change will apply globally, including in Canada, a Google spokesperson told CBC News.
Personal data can also be a “very valuable commodity” for hackers, Kotak warned. He suggests using an email address that doesn’t contain your full name when signing up for an app, and providing as little personal information as possible.
Canadians concerned about how apps use their personal data can contact a privacy organization for help or file a complaint with the Office of the Federal Privacy Commissioner.
A spokesperson for Privacy Commissioner Philippe Dufresne said his office has not received any complaints about rule-tracking apps and has not investigated any of those apps.