Privacy has become a big discussion point these days since it feels like every app wants permission to use your camera, access your microphone, and track you all over the place. Ensuring that your private information is securely kept becomes especially relevant when considering apps that track your health, particularly those that track your reproductive health. Do you really need to be concerned about your privacy when using health apps? For many reasons, the answer is yes.
Image courtesy of creative commons
It’s generally a good idea to review the privacy policy of any fitness app; look at the data they’re storing and what third parties are linked to the app. For instance, I just looked at my Apple Health app and realized that 29 apps were capable of accessing my health data! Of those, at least nine were apps I don’t use regularly and don’t want to be connected to any longer.
Every time you install an app and grant it tracking permissions or link it to another app so they can conveniently share information, the trade-off is the creation of yet another vulnerability point, making it that much more difficult for you to keep your data private.
It wasn’t that long ago that consumer watchdog groups were concerned that insurance companies might use data gleaned from mobile health tracking apps to raise prices or deny insurance entirely to customers, based on what the wearables and accompanying health apps were revealing about their wearers’ habits.
It’s essential to be aware of each app’s specific permissions, the data each app is gathering about you, how and where that data is being stored, and whether or not your data is possibly being sold. And now, there is a bigger concern, especially for anyone with the ability to get pregnant.
Bear in mind that most period tracking apps allow users to enter extremely personal information, including how often the users have sex, when their last period ended, if they are trying to get pregnant, if they are pregnant, or if they have a miscarriage.
Miscarriages are extremely common, occurring in an estimated 30% of all pregnancies. Causes for miscarriages can include anything from random genetic abnormalities to fibroids, adhesions, autoimmune and clotting disorders. While a “significant portion of women will experience a pregnancy loss in their lifetime, most will go on to have healthy pregnancies thereafter.”
But what if having a miscarriage was enough for a criminal investigation? And what if your health tracking app held all the data necessary to prosecute you?
Text messages and search histories have already been successfully used as evidence against people “facing criminal charges related to the end of their pregnancies.”
Even so, there’s no current legal precedent for criminal action based on data gleaned from a reproductive health app when a pregnancy has been terminated.
But with the recent overturning of Roe v Wade and the inherent data privacy questions that the ruling raises, there’s never been a better time to take a moment and assess what data you’re sharing with your health tracking apps and who else might have access to it.
The Electronic Frontier Foundation (EFF) has laid out some general tips to help protect your privacy; they advise that you “think carefully about who you trust with information” regarding private health matters and to use “end-to-end encrypted messengers with disappearing messages turned on whenever possible” if texting about health issues with someone.
To help ensure your privacy when searching for information on specific medical procedures, you might install a VPN and browse using an incognito window because simply deleting your browsing history isn’t enough.
And because of the location tracking your smartphone and many of its apps are actively conducting, recognizing that there might be times when the smartest thing to do would be to turn off your phone or even leave it behind is key.
AtlasVPN has a vested interest in keeping everyone concerned about privacy matters, but their chart regarding the information collected from popular reproductive health apps is eye-opening and unsettling.
Consumer Reports evaluated the protections offered by several popular period tracking apps and determined that Euki, Drip, and Periodical all store data locally and avoid using third-party trackers. However, none of the companies that make these apps share transparency reports disclosing how the company responds to data access requests.
For that reason, Consumer Reports advocates storing your data locally, being cautious of backing up your data to any cloud storage, and possibly regularly deleting your period data to be safe.
This necessary sense of caution is already impacting health research.
Researchers working with Oura Ring, a wearable health tracker, were extremely close to being able to track and detect pregnancy via health markers like core temperature fluctuations. They stopped their research after Roe v Wade was overturned because they saw it was only a short leap to a dystopian future where having that data recorded could be used against a woman who had an abortion or even a miscarriage.
This literally means that we are now in a world where not only is health research being stymied out of legal fear, but discoveries that could benefit women as a whole aren’t going to be pursued because the long-term knowledge isn’t worth the short-term reality of putting innocent users at risk of being arrested or harassed by ignorant laws and people.
And with that in mind, a third-party health-tracking app with a robust enough system in place that it could keep your private health information secure in the face of a government subpoena starts to seem less and less likely.
That’s not just our fear, either. The executive director of White House Gender Policy stated on Friday that they advise Americans to “be careful” when using third-party reproductive tracking apps. No one is saying not to use them, but they are saying to be really, really aware of what those apps might be sharing depending on where you live.
It might seem like the smarter option would be to eliminate third-party health apps with period tracking abilities entirely in favor of using your smartphone’s Google Fit or Apple Health apps, both of which offer period tracking.
How easy is it to exclude the menstrual cycle tracking data that you share with Google Fit and Apple Health from being uploaded to the cloud, and can you trust Google and Apple with that data?
Google Fit
Google Fit data permissions are found by clicking your profile tab, clicking the settings cog in the upper right is clicked, and then scrolling down to “manage Fit data permissions.”
There you’ll find toggles that give the option of denying or allowing Google Fit to save new vitals and cycle tracking information to your Google Account; you should make sure that this option is toggled off. But is that enough?
Do Google Fit app data permissions create a false sense of security?
Apple Health
Apple is constantly bragging about its immense commitment to privacy. However, we scoured the Apple Health app and couldn’t find anything that indicated there was an easy way to control whether your period tracking data would be uploaded and stored or not.
There were a lot of options on information that you could include, which can be very helpful for getting the full picture when tracking your cycles and reproductive health.
However, without the ability to specify directly to Apple what information you want to be kept, destroyed, or otherwise stored, you’re putting significant faith in Apple’s pledge for privacy.
You can share a lot of information with Apple, but there’s no way to adjust it after the fact.
Counting entirely on any company promising that your data will be kept secure is probably insufficient.
For instance, Apple complied with 90% of the government’s requests for user data in 2019. Plenty of other tech companies have complied with subpoenas providing all sorts of information (including the keywords you use for searches).
A “privacy pledge” means they’re trying their best to keep unauthorized groups from accessing your information. But nothing in those promises says or even hints that they consider law enforcement an unauthorized group.
If you’re curious about what that means, you can browse both Google’s information sharing policy and Apple’s. Both offer just enough information that it feels like they’re protecting you — until you read the part about how each company will comply with any appropriate law enforcement requests.
In the case of Google, that means the right type of law enforcement request can return records of your Google Voice messages, Gmail emails, private YouTube videos, etc.; they are all fair game. 
Apple has an 18-page document explaining its law enforcement guidelines, detailing what information they will or will not be able to provide with the proper subpoenas, warrants, and greater legal processes.
Are Apple’s and Google’s legal departments prepared to meet states in court to protect the reproductive health privacy rights of people who use their products in states where abortions are now banned?
Does this mean that an Apple Health or Google Fit user in Texas has to worry about an ordinary citizen using the Texas bounty hunter abortion law to request information on their menstrual cycles?
Will Apple and Google shrug and defend handing over requested information by saying that since it’s legal for law enforcement to request it in that particular state, they HAVE to release it? But GREAT NEWS, they waited for the appropriate legal process before doing so, so they still feel entitled to crow about how fantastic they are at privacy?
While it’s great that Google has announced that it will delete location data for users seeking out abortion clinics, domestic violence shelters, and other sensitive locations, what happens when a state takes Google to court and pressures them? Or if Google decides there’s a monetary advantage to rescinding this policy?
As we saw above in the deep dive on Google’s law enforcement responses, if it’s a “valid legal request,” Google isn’t going to say no. And in that situation, Apple isn’t going to say no, either.
If this alarms you, and it really should, you might consider using a period tracking notebook that can’t be remotely accessed, but be sure to keep it safe!
Privacy, and what happens when that privacy is lost, is something we all need to consider when using any health app, not just those focused on tracking menstrual cycles and reproductive health.
For instance, Strava is fantastic for tracking workouts. Still, even the United States military had to step in when a Strava heat map inadvertently indicated several bases’ locations because soldiers shared their running routes! Researchers have also raised alarms that many popular running apps are vulnerable to hacking or other data leaks.
That’s terrifying because it not only gives randos the ability to judge your last 5K time, but it also opens up the possibility that someone could figure out where you live as well as your usual run schedule.
So after you figure out your period tracker, maybe double-check that you’ve set up all available security features on your tracking app for running, cycling, or other outdoor activities.
Obviously, many things will need to be figured out going forward, but this discussion is a good reminder that privacy is something you should never take for granted. Anything you track that’s either deeply personal or that can be used to trace your everyday life should be as locked down as possible, with regular checks that all security features and common-sense protections are engaged.
Sure, we all accept certain inherent privacy risks when using smartphones and their connected apps, but that doesn’t mean you’re powerless to control your information!
We all need to be aware of what kind of digital trail we’re leaving because there is no guarantee that someone else — much less a big company that makes its money gathering and selling your information — is going to have our best interests at heart when it comes to protecting our privacy when using health apps.
This is just more of the scary things that can happen on line! Interesting read