This not only shifts the burden of risk assessment onto individual users, but also makes it difficult to assess app privacy and security. To do this, we consulted assessment frameworks developed by Beth Israel Deaconess Medical Center (MIND) and The Digital Standard to arrive at four fundamental questions to guide our study.
Local or cloud storage
Agreement where companies store your data is essential to assess the privacy risk associated with the use of their products. The most popular mobile apps store user data in the cloud, on multiple servers in multiple locations, allowing them to process large amounts of easily retrievable information. It also means your data is more vulnerable to bad actors. That’s why organizations like Givens prefer apps that store information directly on users’ devices. If an application stores data directly on your mobile phone, you will have more complete control of it. None of the apps reviewed above gave users the ability to store their data locally, but Euki and Mozilla Foundation-backed Drip does.
Sharing with third parties
It is also useful to know if the data is systematically anonymized (stripped of user identification information) before being shared with these third parties. However, it is not a panacea. Stripped data may still refer to individual users under certain conditions. Machine learning makes this threat even more real, as the technology can speed up shady “re-identification” processes. Although it has promised to refrain from sharing user data itself, Clue does provide anonymized data to certain third-party research groups. Although Stardust is committed to limiting the information shared with third parties, its policy states that it may share information in order to “comply or respond to law enforcement authorities” or to protect “company security. “. Ideally, apps are extremely selective with which third parties they are willing to share information with, or they don’t share with third parties at all.
Every app should have established protocols that allow users to remove their personal data from developers’ systems at will. Although many US-based apps include these protocols to comply with the EU’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), users should research privacy policies that clearly extend these erasure privileges to all users, regardless of location. Even so, it can be tricky, says Givens: “If you’re not a resident of the jurisdiction covered by the law, there’s no guarantee they’re going to honor it.”
If an app explicitly stores location data (like Period Calendar and Period Tracker do), it presents a bigger privacy concern. While three of the five apps analyzed here didn’t appear to explicitly log location data, each app logs users’ IP addresses, which can be used to determine someone’s general location. Flo, for example, explicitly shares IP addresses with third parties such as AppsFlyer.
Stardust’s practices decouple users’ IP addresses from their health data, which increases security. But critics say their methods don’t allow for true end-to-end encryption. Either way, when IP addresses are combined with outside data, such as a user’s search history or even other publicly available information about the user, it can easily reveal the identity. of that person and their activities. The CDT and other privacy advocates have warned that users’ text messages and search histories have already been used against them in legal proceedings involving their reproductive health, and the practice is likely to grow.
Ultimately, a period tracking app like Clue presents users with slightly less risk than apps like Flo, Stardust, Period Calendar, and Period Tracker. However, these five apps, chosen for their outsized popularity, fall short of more secure options like Euki and Drip, as Consumer Reports corroborates. To the extent that it is possible for users to analyze everything of their apps against the standards set out in The Digital Standard, Mhealth Index and elsewhere, users can make informed decisions about which companies to align with, but assessing the risks of using specific apps is an imperfect science . Besides being extremely time-consuming and often confusing, it is far from an adequate substitute for the lack of pervasive legal privacy protections available to all Americans.
According to privacy experts like Givens, period tracking apps represent the tip of the iceberg when it comes to digital privacy and security afterdeer. The CDT recommends people assess their own level of risk to determine if using a period-tracking app is worth it. In the meantime, it’s probably more worthwhile to take steps to secure your personal information such as text messages and search histories.
For those looking to make a difference, experts recommend advocating directly with tech companies, especially pioneering organizations like Google and Meta (formerly Facebook) to demand better individual protections. These are the companies that will eventually have to respond to law enforcement demands for user data, and many are already promising to reduce their surveillance (but also to lobby aggressively against privacy laws and regulations) . To pave the way for better policy, tech companies should strive to take a serious inventory of the data they collect, regularly file transparency reports and, above all, take public positions in defense of the right to privacy. privacy early and often.