The U.S. Supreme Court is anticipated to overturn Roe v. Wade, the landmark 1973 case that guaranteed a person’s constitutional right to abortion, allowing states to decide whether to heavily regulate or ban the procedure. This reported move, based on a leaked draft of an opinion that hasn’t yet been issued but would mean abortion rights would be protected in less than half of all U.S. states, has reignited the years-long conversation about the privacy — or lack thereof — of period-tracking apps, which are used by nearly a third of women in the U.S.
Though popular, and undoubtedly a useful tool for those who want to plan and avoid pregnancy and track signs of menopause, it’s no secret that the objective of many of these apps — of which there are more than a thousand in the app stores alone — go far beyond that of tracking periods. Monitoring menstrual cycles has proven to be a lucrative business for developers, many of which share users’ personal information and activity on the apps with third-party marketers and advertisers.
With that in mind, and in light of the reported decision to overturn Roe v. Wade, some are calling for people to delete their period-tracking apps amid fears that the data they collect — and subsequently share — could be used to target and punish those seeking an abortion.
Eva Galperin, director of Cybersecurity at the Electronic Frontier Foundation, tells TechCrunch: “I do think that we are facing a future in which the data collected by period-tracking apps could be used either as a dragnet to identify women who may have had an abortion or as evidence that a woman has had an abortion in a future in which seeking out or having an abortion is criminalized, which is something anti-abortion advocates have been eager to do.”
Should you be worried?
These widely shared fears are by no means unfounded. People who use a period-tracking app input the most intimate details about themselves, such as the dates of their periods, their weight and the last time they had unprotected sex.
But unlike medical records held by doctors and hospitals, the information collected by these apps isn’t covered by the Health Insurance Portability and Accountability Act (HIPAA), the 1996 federal law that limits where healthcare providers can share patients’ health information. That means health app makers are mostly free to do what they want with the data they collect.
However, while in no way unreasonable to expect the worst, it’s unlikely that self-reported menstrual cycle data will fall into the hands of authorities and lead to widespread hunts for people who seek an abortion or who previously got one.
For starters, there’s the issue of accuracy. Period-tracking apps are often erroneous, and a person’s menstrual cycle is sensitive to a number of external factors such as exercise, stress, medications and even family drama. Experts agree that information such as the day of ovulation and the fertile window can only be predicted precisely if using a marker of ovulation, such as basal body temperature or ovulation sticks, and a 2018 study found that the accuracy of prediction by menstrual cycle apps was no better than 21%.
“It is abortion providers and people working in abortion support networks who are in the most immediate danger right now.” Eva Galperin, EFF
This means that there’s a lot of reasonable doubt surrounding this data, which ultimately means it’s unlikely going to be accepted as evidence in a U.S. court setting, where “beyond a reasonable doubt” is a legal standard of proof required to validate a criminal conviction.
Last month, we also witnessed a Texas judge dismiss a murder charge against a 26-year-old woman in Texas who had her pregnancy terminated after her healthcare provider reported her self-managed abortion. Abortion was made illegal in Texas in September 2021 once a fetal heartbeat can be detected. While there is ultimately no law in Texas that criminalizes a person trying to end their pregnancy nor is there a requirement for healthcare providers to inform authorities about self-managed abortion, anyone who performs or aids the person seeking the abortion can still face civil penalties.
“It is abortion providers and people working in abortion support networks who are in the most immediate danger right now,” Galperin says.
What should you be worried about?
Data belonging to pregnant women, as well as that belonging to women actively trying to get pregnant or not wanting to get pregnant, is immensely valuable to advertisers then use this data to strategically target them.
While it’s unlikely the sensitive data you share with your period-tracking app is going to end up in the hands of those seeking to outlaw abortion, that’s not to say these tools don’t have extensive privacy problems, including the aforementioned issue of sharing your personal data with third parties.
A 2020 Consumer Reports investigation examined five popular period tracking apps — BabyCenter, Clue, Flo, My Calendar and Ovia — and found that they all shared user data with third parties for marketing and other purposes. Privacy International, which conducted a similar study, shared similar results; it found that the most popular apps both store and share a “dizzying” amount of data on users. It called out Flo, in particular, for retaining data on what users write in their “notes” section, such as how hard it was for them to orgasm and the medication they are taking.
Flo is a repeat offender when it comes to privacy infractions. The company, which has more than 150 million users, last year reached a settlement with the FTC over allegations it shared users’ health data with third-party app analytics and marketing services like Facebook, despite promising to keep users’ sensitive health data private. This action followed a 2019 investigation by the Wall Street Journal that found that the app had informed Facebook of in-app activity, such as when a user was having their period or had informed it of an intention to get pregnant.
In a statement given to TechCrunch, Flo spokesperson Denae Thibault said that the company does not share users’ health data with third parties. “We firmly believe women’s health data should be held with the utmost privacy and care. In fact, in March 2022 Flo completed an external, independent privacy audit which confirmed there are no gaps or weaknesses in our privacy practices,” Thibault added.
Other apps have fallen foul of similar data-sharing practices. In 2020, California reached a settlement — which included a $250,000 fine — with period-tracking app Glow after Consumer Reports found that users’ sensitive data was accessible to anyone who knew a user’s email address. The Washington Post also reported that the Android edition of fertility app Premom was sharing users’ data with three Chinese companies focused on advertising, and that pregnancy-tracking app Ovia was sharing users’ health data with their employers.
While alarming, there’s an even bigger issue: data brokers. These external third parties often have a relationship with data brokers, individuals or organizations that collect, aggregate and combine personal information from a variety of sources to create a digital profile on you and sell it to others. A study by the Norwegian Consumer Council examined 10 popular apps, including Clue, and found that they were collectively feeding personal information to at least 135 companies.
What’s more, even when your data is de-identified by removing identifiable information such as your name or email address, it can be combined with other information — such as your location, contacts or unique identifiers in your phone — and traced back to you.
“Often, location data can be associated with an advertising ID, an identifier generated by the phone’s operating system that can be used by advertisers in apps and websites to uniquely identify a user online and offer services such as targeted advertising,” said Laura Lazaro Cabrera, legal officer at Privacy International. “In previous research, PI has identified targeted advertising of scientifically dubious health information as a tactic deployed by those opposing abortion.”
Should you delete your period-tracking app?
This is a difficult and complex question to answer. For some, period-tracking apps can be incredibly useful tools; not only can they empower people by helping them to learn more about their body and how it changes with their cycle, but any recorded irregularities could potentially be a sign of hormonal, thyroid or hematologic issues.
And while the risks associated with the lax privacy of some of these apps have been highlighted in response to the reported plan to overturn Roe v. Wade, the majority of these aren’t limited to period-tracking apps. Most of the other apps installed on your smartphone also collect data — including your location — that can identify where you go, who you meet and what you do. Thankfully, on Android and iOS, you have the ability to prevent apps — including period trackers — from collecting and sharing your data.
However, the complexity arises from the intimacy of the data users are sharing with period-tracking tools.
“Having your personal health information disseminated in ways you’re unaware of could have serious repercussions,” said Dena Mendelsohn, Consumer Report’s senior counsel on privacy and technology policy. “It could, for instance, affect your ability to obtain life insurance and how much you pay for that coverage, increase the interest rate you’re charged on loans, and even leave you vulnerable to workplace discrimination.”
It’s difficult to say whether deleting your period-tracking app is the best course of action, particularly as in some cases it’s unclear whether all of your historical data will be wiped from these developers’ servers as a result.
“Deleting the app does not guarantee that one’s data will be automatically erased — in reality, the opposite is likely to be true,” Cabrera said. “Generally, unless the user expressly requests for their data to be deleted, the app will commonly retain the data for a period of time after deletion of the app.”
Clue, Flo and Ovia all confirmed to TechCrunch that all user data is deleted should a user delete their account.
EFF’s Galperin recommends that for those seeking abortions, assistance with their abortions or information about abortions, a heightened sense of operational security — especially in regards to apps, search engines and location tracking — should be the number one priority.
“I’ve spent most of my career helping to protect activists and journalists in authoritarian countries, where it is often wise to think several steps ahead about your digital privacy and security practices,” she tells TechCrunch. “Unfortunately, I think it is also time to bring this mindset to abortion services and the people who are seeking them out.”
It’s also worth familiarizing yourself with the privacy practices of your period-tracking app of choice, many of which have seemingly improved in light of the multiple investigations that probed the often careless data-sharing practices of these services.
For those who live in states where police can compel you to biometrically unlock your devices — either using your fingerprint or face scan — you might want to turn off the biometric unlock feature on your phone and instead use a PIN code, which you cannot be forced to disclose. Police often use mobile forensic tools to download the contents of a person’s phone, which can be used as evidence against them.
Clue, which ranked as the most privacy-conscious app in Consumer Reports’ study, told TechCrunch: “We have received messages from users concerned about how their data could be used by U.S. courts if Roe v. Wade is overturned. We completely understand this anxiety, and we want to reassure you that your health data, particularly any data you track in Clue about pregnancies, pregnancy loss, or abortion, is kept private and safe.”
Period-tracking apps should be an empowering experience and not one where user data is exploited. In light of recent events, we recommend that people using these apps extend that empowerment to their personal security; choose to use apps that allow people to use them without creating an account, change the privacy settings to restrict data access, and be aware of the developers’ privacy policies.
Ultimately, however, if you’re worried about your data, privacy, or the potential risks associated with using a period-tracker, it might be time to delete your app and rely on pen and paper instead.
Read more on TechCrunch: