Check your privacy settings. And think carefully about your choice of period-tracking app.
Last Friday, the Supreme Court overturned Roe v. Wade, the landmark 1973 ruling that gave women federal legal protection to have an abortion. It will now be up to each state to set their own laws on abortion.
Some 13 U.S. states have “trigger laws” to immediately ban abortion, while a similar number will either ban or severely restrict abortion in the coming weeks and months. Ultimately, an estimated 40 million women nationwide lose access to abortion, according to the Guttmacher Institute, a public-health think tank that supports abortion access.
Following the decision, women have expressed concerns and fears on social media about menstruation data logged in their period-tracking apps, and some apps have acknowledged that they may be forced to hand over data if required to do so by a court order or a subpoena. The concern is that information about a woman’s menstrual cycle could be used as evidence against her if she seeks to terminate a pregnancy after a state’s deadline for a legal abortion.
After users input their period data, these apps can track women’s ovulation cycles and make recommendations to help with birth control planning. Women living in states where abortion is effectively outlawed fear that companies could hand over their personal information.
Gina Neff, professor of technology and sociology at Oxford University, wrote on Twitter that app users should realize that post-Roe, U.S. health privacy laws do not protect data voluntarily uploaded to these apps, particularly when women sign the privacy agreements when signing up for these apps.
“Delete every digital trace of any menstrual tracking. Please,” she wrote. More than 50,000 people retweeted her post calling women to delete their digital footprint of menstrual tracking:
Pregnancy- and period-tracking apps could pose a risk to users by exposing their information to third parties, according to a report by Atlas VPN that analyzed 10 of these pregnancy- and period-tracking apps. “Apps dedicated to women’s health, like pregnancy or period trackers, heavily collect sensitive data and share it with third parties,” the report said.
‘Dangerous’ privacy settings
For example, the pregnancy-tracking app BabyCenter has 15 data trackers in its Android version and 20 data trackers in its Apple iOS version, and some of those are from third parties, according to the report.
What to Expect, a pregnancy- and baby-tracking app from the same parent company, has 19 permissions on Android devices and nine permissions on its iOS version. Among the 19 permissions, three were deemed “dangerous” by Google’s protection level standards, meaning they grant the app additional access to restricted data, such as the user’s location, contact information, microphone and camera.
Everyday Health Group, the parent group for those two apps, is taking steps to protect its users in light of last week’s Supreme Court ruling, a spokesperson told MarketWatch. “The Supreme Court’s decision to strike down Roe v. Wade has brought to light valid concerns about the protection of reproductive health information,” the spokesperson said. “Reflecting on this change, we are reevaluating and further strengthening how we protect our users and their private data.”
Glow, the San Francisco, Calif.-based parent company of several pregnancy- and period-tracking health apps, issued a statement on Twitter saying it values user trust and promised to “uncompromisingly protect our users’ privacy and personal health information.”
“We fully realize that rules and regulation around data privacy is complex and constantly changing,” it added. “We promise that we will always strive to do better, listen to our users and continue to uncompromisingly protect our users’ privacy and personal health information.”
However, some users say they want guarantees that their information will never be passed onto third parties.
Candy Calderon, a health and wellness coach, tweeted in response to Glow’s statement on user privacy: “What we need is ‘we WON’T EVER sell/share your data’… simple! We need a definitive NO. What I’m taking from this statement is that you’ll bend to pressure to share our data if it comes [to] that or closing the company. Like there’s room for this to happen. Deleting the app right now!
Some apps insisted they would vigorously resist any request by state governments for user information, and said they would close their company before yielding to such a request. “We would rather close down the company than be an accomplice to this type of government overreach and privacy violation,” GP Apps, the parent company of Period Tracker app, said in a blog post.
“Users can use Period Tracker without a Period Tracker online account and the data will be stored only locally on the user’s device,” it added. “If the user wants access to Period Tracker’s online backup feature then the user needs to sign up for an account for automatic regular backing up of data to a secure server.”
Ovia Health, a Boston, Mass.-based company that provides fertility, pregnancy and parenting apps, told MarketWatch that it does not sell user data to data brokers, adding that it protects user data with rigorous security controls. It also offers options for a user to delete their data, but said it might need to preserve data to comply with a valid government request.
“Please note, however, that if you seek to delete your data after Ovia has received a government or other legally-binding request for it or when your data is otherwise subject to a preservation order, Ovia will be required to preserve your data in order to comply with the request,” the company said.
“Like any other company or person that is subject to U.S. jurisdiction, it is possible that Ovia could receive a legally-binding request (such as a court order or subpoena) from government or law enforcement,” it added. It directed users to: How Does Ovia Respond to Data Requests.
Anonymous use of health apps
Other apps are enabling users to sign in anonymously. Flo, a period-tracking app headquartered in London, England, announced an “Anonymous Mode” on Thursday. It will allow its users to use the service without logging personally identifiable information, such as name and email address. In a statement, Flo said the feature was already under development, but the Roe ruling accelerated the release.
“We care deeply about our users’ privacy, which is why Flo does not share health data with any company but Flo, and you can delete it at any time,” the company told MarketWatch. “We firmly believe women’s health data should be held with the utmost privacy and care. In March 2022 Flo completed an external, independent privacy audit which confirmed there are no gaps or weaknesses in our privacy practices.”
Perigee, based in Malmö, Sweden, is the parent company of fertility tracking app Cycles and two other health tracking apps. When asked about its response to the data-sharing concerns that arose in the U.S. post-Roe, the company told MarketWatch that it has some data protection policies in place to help users remain anonymous, including logging into the app without an account, which means Perigee will never have access to their data.
“Currently we’re doing our best to inform our users about their rights, how we protect their data and ensure them that if U.S. authorities or any third-party authority were to request their data they can rest assured that we would not simply hand it over. As we’re governed under EU law this allows us extra security under the GDPR rules we’re compliant to,” a Perigee spokesperson said.
(Clue, Stardust, GP Apps and Glow did not respond to a request for comment.)
ExpressVPN’s vice president Harold Li told MarketWatch that it has seen a 5% increase in the number of people who visited the website from the U.S. after the Supreme Court ruling came out, presumably concerned about their own pregnancy and/or period data. (A VPN is a virtual private network; using one is a way to keep the data on your device more private.)
However, using a VPN would not necessarily protect users against trackers while using an app, Li said. “If a period tracking app wants to — or is legally compelled to — share user data with third-party services and/or use the data against women who are considering getting an abortion, a VPN can’t stop that,” Li said. Instead, many Twitter users suggested using a VPN for online browsing purposes for abortion-related information, which can help encrypt one’s online traffic and hide their virtual location.
Women shouldn’t be overly concerned about using personal-health tracker apps, as they are not the primary form of evidence most likely to be used in abortion prosecutions, said Kendra Albert, a public-interest technology lawyer with Harvard Law School’s Cyber Law Clinic. The biggest threat, she wrote in a Medium post, is a third party such as hospital staff or a relative reporting a woman to the police.
“If tracking your period is useful to you, you don’t need to stop tracking your period, although you may choose to switch to an app that collects less data and stores it locally,” she wrote.