Period tracker Stardust surges following Roe reversal, but its privacy claims aren’t airtight

The app was found sharing users' phone numbers with an analytics firm

Period tracking app Stardust surged to the top of the U.S. Apple App Store in the wake of the Supreme Court’s decision to overturn Roe v. Wade after the app promised it will encrypt its users’ private data to keep it out of the hands of the government.

But TechCrunch found on Monday that the current version of the now-booming Stardust app is sharing the app users’ phone numbers with a third-party analytics company, which could be used to identify individual users of the app.

The decision to overturn Roe reversed 50 years of constitutional protections for abortion rights in the United States, allowing individual states to create laws to criminalize abortion. The decision has led to calls for users to delete their period-tracking apps from their phones, fearing the data collected by these apps could be used against them to prove an abortion was obtained illegally.

Others are abandoning their current period trackers and turning to apps like Stardust instead as a result of the company’s strong statement issued in light of the decision to overturn Roe. Stardust said it would implement end-to-end encryption so it would “not be able to hand over any of your period tracking data” to the government, helping to draw in hundreds of thousands of downloads over this weekend ahead of the release of the new, encryption-featured app version slated for release on Wednesday.

TechCrunch ran a network traffic analysis of Stardust’s iPhone app on Monday to understand what data was flowing in and out of the app. The network traffic showed that if a user logs into the app using their phone number (rather than through a login service provided by Apple or Google), Stardust will periodically share the user’s phone number with a third-party analytics service called Mixpanel.

Mixpanel is an analytics service that’s used widely by app developers to track their app’s usage and help identify errors or other ways to improve the app. It does this by tracking how someone uses the app and sending the data back to Mixpanel’s servers. Stardust also shared with Mixpanel details about the phone that the app was installed on, which iPhone model and software version and which cell carrier the phone was connected to.

During the network traffic analysis, TechCrunch saw no health data shared with Mixpanel. But sharing a phone number that’s tied to a specific user of a period-tracking app with a third party like Mixpanel could allow prosecutors to compel Mixpanel to turn over that data — even if Stardust claims that it can’t.

Stardust founder Rachel Moranis told TechCrunch, “The current (old) version of Stardust leverages several data collection mechanisms of Mixpanel that we have disabled/removed in the new version. In addition to not sending [personally identifiable information] to Mixpanel, we have also disabled IP tracking for our users to protect from that metadata being used to identify our users.”

In a tweet, Stardust said it was “working on” a way to allow users to sign in anonymously.

Stardust’s privacy policy, updated on June 26, indicates the app is not as protected as it claims. It notes the app collects a variety of data about users’ devices, activity and location, including through cookies and other tracking technologies. It also carves out some exceptions with regard to data sharing, noting how it may disclose de-personalized data with some providers, with user consent, or when required by law — if it must “comply with or respond to law enforcement or a legal process or a request for cooperation by a government or other entity, whether or not legally required.”

This also seems to contradict the part of the policy that insists that the company will never share users’ ages or “any data related to your health with any third parties.”

Since the overturning of Roe, tech companies are bracing for a new regime under which they could face legal orders compelling the turnover of pregnancy-related user data to state authorities and prosecutors. Some of the biggest tech companies still have not said how they would handle demands for data related to investigations relating to people seeking or providing abortions. That’s contributed to a rush to find apps and services that use end-to-end encryption, which prevents anyone — even the app maker — from accessing a user’s data.

Thanks to its announcement that it’s moving to encryption, Stardust’s app drew in 135,000 new installs on June 24, a 4,400% spike in the number of installs it saw on the previous day, about 3,000 installs, according to data from app intelligence firm Sensor Tower. On Saturday, June 25, the app saw another 200,000 installs and hit No. 1 on the U.S. App Store, up from its prior rank of No. 119. Combined, the two weekend days delivered 82% of Stardust’s more than 400,000 total lifetime installs.

TechCrunch asked the founders for more information about how the app is implementing end-to-end encryption. Stardust founder Moranis told TechCrunch that “all traffic to our servers is through standard SSL (hosted on AWS) and subsequent data storage on AWS RDS utilizing their built-in AES-256 encryption implementation.” Although this describes the use of encryption to protect data while in transit and while it’s stored on Amazon’s servers, it’s not clear if this implementation would be considered true end-to-end encryption.

Given its complexity and the stakes involved, implementing end-to-end encryption is often a time- and resource-intensive effort, where a single coding flaw could undermine the protections of the users’ data. It’s also not uncommon for companies that use end-to-end encryption to publish papers and technical notes explaining how their systems work – often even a point of pride for some companies – or even open-sourcing and publishing their code, as cryptographic proof that their systems are secure.

When asked if the company had conducted a third-party security audit of the app’s code, Moranis said that the company intends to “fully publish our implementation along with a third-party audit once it is complete,” but a timeline was not given. (TechCrunch will follow up when the results of the audit are available.)

After we heard from Stardust, the company quietly changed its privacy policy again to remove mentions of end-to-end encryption.

It’s hard to argue with people’s fears — the period tracking app industry was already found to have engaged in leaky data-sharing practices with third-party tracking and analytic firms, as well as tech giants like Facebook and Google. One app, Flo, had to settle last year with the U.S. Federal Trade Commission for violating its own privacy policy. Among other things, the app had falsely claimed it only shared “non-personally identifiable” information with third parties — which an investigation by the Wall St. Journal proved to be untrue.

Another app, Glow, had to settle with the state of California the year prior for exposing women’s medical information.

Consumer Reports said in May that many apps continue to use third-party trackers and don’t store consumers’ data locally on their devices where it can’t be shared or sold.

Plus, period tracking apps don’t have to comply with the federal privacy law known as the Health Insurance Portability and Accountability Act, or HIPAA.

With the threat of losing their entire user bases, however, many period trackers released statements to ensure customers their data is safe. Flo, which completed an independent privacy review in March, said that it will do “everything in its power” to protect users’ data and privacy. It also said it would launch a new “Anonymous Mode” feature that removes users’ personal identities from their Flo accounts.

Update, 6/30/22, 9:30 AM ET: Zack Whittaker followed up on Stardust’s update after the new app was released this week and found that the locally-generated encryption keys were being uploaded to Stardust’s own servers. This would allow the company the ability to decrypt user data. More here.