Most women don’t remember how many times they’ve gone to the bathroom or experienced premenstrual syndrome (PMS), or how long each menstrual cycle lasted. But period-tracking apps do for those who use them, and those users are at risk of having their data sold to third parties, according to a Brazilian think tank.
By monitoring the menstrual cycle of women, reproductive health apps can — to various degrees — collect personal data and put users at risk of having their info sold to third parties, says Coding Rights, a think tank that specialises in human rights within the digital world.
In the US, period-tracking apps are the fourth most popular health app among adults and second-most popular among adolescents. It is hard to estimate the number of period trackers in the market. Columbia University researchers counted 225 apps — of which 17 had a paid subscription model and 108 were free. Google Play told Euronews that they have no data available on the exact number of apps currently available.
But despite their apparent popularity, these apps are not very accurate. A study by the Medical College of New York showed that 81% of period trackers are inaccurate and only three out of 33 apps could give an accurate prediction on the best time to get pregnant.
Tricky terms and conditions
An added problem is that some menstrual-cycle apps also record the number of times a person logs on to Google, Amazon, or Facebook from their phone.
“Every piece of information that we put online becomes something valuable for companies, making our online activities a key component of their economic survival strategies,” said Chupadados, an initiative by Coding Rights aimed at recording how technology businesses sell personal data without users' consent.
“When we turn our reproductive cycles over to apps that operate in this logic, we must stay aware of their terms and conditions […] Feeding on our data, these tools serve as laboratories for observing physiological and behavioural patterns from period frequency and associated symptoms to users’ buying and Internet navigation habits.”
A study done by the Electronic Frontier Foundation (EFF) also found that these apps have "serious privacy issues" and warned that women should be aware of the "privacy tradeoffs" when using a period-tracker.
Privacy and period-tracking apps
The researchers did not name the apps they claim are selling personal data. However, Chupadados and the EFF did highlight a number of common issues they see as potentially problematic:
1) Invasive advertising and spam sent by third-party companies due to data collected by menstrual-cycle trackers.
Same goes for OWHealth, which says in their privacy statement that “if you remove data from your account, you will no longer see it in the app, but some backups of the data may remain in our archive servers.”
The EFF study found that the MyCalendar app kept a log of everything entered in a text file and stored it on an SD card (see picture). The fact that the information was kept on an SD card means that anyone with access to that user’s phone can read that information.
3) Some menstrual-cycle trackers share data with third parties without the users’ consent while others ask for consent but don’t specify which data will be shared. Flo Menstrual Calendar has a pop-up message that says “if you continue you consent” when the app is downloaded, but there is no easy way of choosing what data will be shared.
5) Glitches vulnerable to hijacking: A 2016 Consumer Reports investigation found that the period-tracking app Glow had serious security flaws that allowed it to be hacked quite easily. These flaws have been subsequently corrected by the app developers.
“One security flaw might have let someone with no hacking skills at all access a woman’s personal data,” said the report.
6) Call recordings: The Bump warned that calls could be “recorded” in its privacy policies. This was later corrected by developers.
It is better to use apps that do not require the creation of accounts
Mirco Bettellini, creator of Italian period-tracking app iGyno, told Euronews that no registration is required to use his app: “The data remains permanently on the user’s phone, so no data is available to third parties.”
Pippo Fertitta, marketing manager of iMamma OBScience, said the business model is based on the sale of advertising slots. The data entered into the app remains on the phone, and the company “only has the data entered during voluntary registration with the iMamma community,” he added.
According to experts contacted by Euronews, it is better to rely on apps that don’t require the opening of accounts and allow users to access the services without activating a personal profile. They added that people should be wary of companies that receive venture capital but don’t say how they generate their profit, since it can mean that it's derived from trading personal data.
'Health data is the most valuable data ever'
Raffaele Barberio, president of Privacy Italy, told Euronews that data collected from these apps is sought for research by pharmaceutical industries.
"Health data are the most valuable data in absolute terms," he says, "the profiles Cambridge Analytica took from Facebook had a value ranging from $0.75 to $5 per person: the figures are extremely relevant because the data are particularly reliable".
But Barberio hopes that when the European Privacy Regulation GDPR kicks in in May, the phenomenon of “trivialization of consent” will no longer happen as apps will be forced to delete data from users who've stopped using the service.
However, Fabio Pietrosanti, founder and president of Hermes — a centre for transparency in the field of digital rights — believes "it will take a lot of effort" to demand compliance with GDPR: "The first 24-36 months will be a struggle for adjustment and legal test of its effectiveness."