Rapeepong Puttakumwong / Getty Images
In the wake of the leaked Supreme Court draft opinion set to be quashed Roe v. WadePrivacy experts are increasingly concerned about how data collected through period-tracking apps, among others, could potentially be used to punish anyone who wants or is considering an abortion.
Millions of people use apps to track their menstrual cycles. Flo, which considers itself the most popular time and cycle tracking app, has amassed 43 million active users. Another app, Clue, claims 12 million monthly active users.
The personal health data stored in these apps is one of the most intimate types of information a person can share. And it can also be telling. The apps can show when their periods stop and start and when a pregnancy stops and starts.
That has privacy experts on their toes, because if abortion is ever criminalized, this data — whether subpoenaed or sold to a third party — could be used to suggest that someone has had or is considering an abortion.
“We are deeply concerned in many advocacy spaces about what happens if private companies or the government gain access to highly sensitive data about people’s lives and activities,” said Lydia XZ Brown, policy advisor at the Privacy and Data Project at the Center for Democracy and Technology. “Especially when that data can put people in vulnerable and marginalized communities at risk for actual harm.”
At least 26 states are “certain or likely” to ban abortions if Supreme Court falls Roe v. Wadeaccording to the Guttmacher Institute, a research group that works for abortion rights.
But some states have expressed an interest in going further. Two days after the leaked Supreme Court opinion was first reported by Politico, Louisiana lawmakers introduced a bill that would classify abortion as homicide.
It’s more than just menstrual apps
Evan Greer, director of the digital rights advocacy group Fight for the Future, says menstrual apps aren’t the only ways technology can be used to connect someone to an abortion. If someone sits in the waiting room of a clinic that offers abortion services and plays a game on their phone, that app can collect location data, she says.
“Any app that collects sensitive information about your health or your body needs to get an extra check,” Greer says.
Search history can also be identifying, Brown says. Activist groups — no matter what they advocate for — could try to buy a dataset that would show where people have searched for information about abortion.
That information could be used for predatory advertising, Brown said, but it could also be a way for individuals to report another person for seeking an abortion. This can be especially risky in Texas, she added, given the state’s controversial new abortion law known as SB 8.
The law prohibits abortion as soon as heart activity is detectable — usually around six weeks. It also allows individuals to enforce the ban through payments of at least $10,000 for anyone who successfully sues an abortion provider.
“Anyone can get their hands on this data simply by buying it from a company that already collects it,” Brown says.
Sharing data from apps is not unprecedented
It’s not uncommon for apps to partner with law enforcement during criminal investigations, often particularly around child exploitation images. If abortion is criminalized, experts say menstrual data could become a target for researchers.
“It gets really muddy when you have an abortion,” Ford says. “If that [were to become] illegal in certain places, does that transcend the right to privacy written into the contracts, as child trafficking would?”
The Flo app has previously come under fire for sharing data.
Last year, the Federal Trade Commission reached a settlement with the popular fertility and menstrual tracking app after allegations it misled users about disclosing their personal health information. The settlement followed a 2019 Wall Street Journal Research found that the app notified Facebook when a user was on their period or informed the app that they were planning to become pregnant.
In a statement to NPR, the company said it “believes that women’s health data should be kept with the utmost privacy and care at all times, and therefore we do not share health data with any third party.”
The company added that a third-party, independent privacy audit completed in March “confirmed that there are no gaps or weaknesses in our privacy practices.”
In a statement to NPR, the menstrual tracking app Clue said, “Any data you keep in Clue about pregnancy, pregnancy loss, or abortion is kept private and secure.” As a European company, the company said it is required by European law to apply “special protections” to reproductive health data.
Despite such commitments, Jason Hong, a professor in Carnegie Mellon University’s School of Computer Science, warns that the data a user enters into a period-tracking app can extend far beyond the phone or app they’re using.
“It’s very difficult to understand how your data is being used and where it’s being shared, because it can be many third parties, and those third parties can also resell to other third parties,” Hong says. “Your data could be all over the network right now. And it’s really hard to track what’s going on.”
OK, but should I uninstall the app?
For those doubting their time period tracking app, Ford says there’s a risk versus convenience calculus that’s different for every user. It depends a lot on where you live and what the laws are.
“If I lived in a state where abortion was actively criminalized, I wouldn’t use a menstrual tracker — that’s for sure,” she says.
But for those who choose to log their data online, there may be some options that are not so risky. Ford says apps built with a non-profit model could provide more privacy.
Hong says paid apps could be better because they’re less likely to track users because they don’t need to collect ad data. Hong also advised users to read Apple’s privacy nutrition labels, which are designed to show users in simpler terms how their data is being used.
Apps that store data locally are also preferred, Greer explained, because when data is stored locally, the user is the owner — not the company.
If the police are interested in data stored on a user’s device, they need a warrant, which has a “much higher legal bar” than a subpoena, Greer says. But if the data is in the cloud and owned by a company, a subpoena is needed to access the data.
Ford says the safest option is arguably the most old-fashioned: tracking your cycle on paper.
“If you want to be safe, use a paper calendar.”