This not only shifts the burden of risk assessment to individual users, but also makes it difficult to assess the privacy and security of applications. To do so, we consulted the evaluation frameworks initiated by Beth Israel Deaconess Medical Center (MIND) and The Digital Standard to arrive at four basic questions to guide our study.
Local versus cloud storage
Understanding on The companies that store your data are critical to assessing the privacy risk involved in using their products. The most popular mobile applications store user data in the cloud, across multiple servers in multiple locations, allowing them to process large amounts of easily retrievable information. It also means that your data is more vulnerable to bad actors. That’s why organizations like Givens prefer applications that store information directly on users ’devices. If an app stores data directly on your mobile phone, you’ll have more complete control over it. None of the apps reviewed above gave users the option to store their data locally, but Drip, backed by Euki and Mozilla Foundation, did.
Sharing with third parties
If you’ve recently used Facebook to sign in to a website or app, you already know some of the ways app developers share information with third parties. Understanding which third parties a company works with and what type of data is transmitted to them is a useful way to assess your level of protection. For example, Period Tracker’s privacy policy allows users to share their device IDs with ad networks, which is quite risky. It also expresses its willingness to sell or transfer user data as a result of a corporate merger or sale. Typically, applications that clearly explain to whom they provide information and why, as Clue does, are more reliable.
It is also helpful to know if the data is routinely anonymous (without user credentials) before sharing it with these third parties. However, this is not a panacea. Reduced data can still lead to individual users under certain conditions. Machine learning makes this threat even more real, as technology can accelerate shady “re-identification” processes. While committed to refraining from sharing user data, Clue passes anonymous data to certain third-party research groups. While Stardust expresses a commitment to limit the information they share with third parties, its policy states that it may share information to “comply with or respond to law enforcement” or to protect the “security of the business.” Ideally, applications should be extremely selective with which third parties are willing to share information, or not share it with third parties at all.
Data deletion
Each application should have established protocols that allow users to delete their personal data from the developers ’systems at will. While many U.S.-based applications include these protocols to comply with the EU General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA), users should monitor their privacy policies. privacy that clearly extend these delete privileges to all users, regardless of location. While this can be tricky, Givens says, “If you are not a resident of the jurisdiction covered by the law, there is no guarantee that they will.”
Even applications that invite data deletion requests do not always execute them in a timely or complete manner. Flo, whose security practices put them under FTC control in 2021, specifically states in its privacy policy that after deleting their application, “they retain your personal data for a period of 3 years in case that you have decided to reactivate “. Period Tracker allows you to keep the identifiers of users’ mobile devices “for up to 24 months” after receiving a request. The most secure applications should retain your data for 30 days or less and ideally send deletion requests to third parties on your behalf, as Clue does.
Location tracking
If an application explicitly stores location data (such as calendar and period tracking), it presents a larger privacy issue. While three of the five apps analyzed here didn’t seem to explicitly save location data, each app saves users ’IP addresses, which can be used to determine someone’s overall location. Flo, for example, explicitly shares IP addresses with third parties like AppsFlyer.
Stardust practices disassociate users ’IP addresses from their health data, which increases security. But critics say his methods fail to achieve true end-to-end encryption. Regardless, when IP addresses are combined with external data, such as a user’s search history or even other publicly available information about the user, they can easily reveal that person’s identity and activities. . The CDT and other privacy advocates have warned that users ’text messages and search histories have already been used against them in legal proceedings related to their reproductive health, and the practice is likely to expand.
The bottom line
At the end of the day, a period tracking app like Clue presents users with a little less risk than apps like Flo, Stardust, Period Calendar and Period Tracker. Still, these five apps, chosen for their great popularity, falter compared to safer options like Euki and Drip, as corroborated by Consumer Reports. As far as users can analyze all of its applications according to the standards set out in The Digital Standard, Mhealth Index and elsewhere, users can make educated decisions about which companies to align with, but assessing the risks of using specific applications is an imperfect science . In addition to being time-consuming and often confusing, it is not a suitable replacement for the lack of widespread legal privacy protections available to all Americans.
According to privacy experts like Givens, period tracking apps represent the tip of the iceberg when it comes to digital privacy and security.Roe. The CDT recommends that people assess their own level of risk to determine if it is worth using a period tracking app. In the meantime, it’s probably better to take steps to protect your personal information, such as text messages and search histories.
For those looking to make a difference, experts recommend directly advocating for tech companies, especially organizations that set precedents like Google and Meta (formerly Facebook) to demand better individual protections. It is these corporations that will ultimately have to respond to law enforcement requests for user data, and many already promise to reduce their vigilance (but also press aggressively against privacy legislation and regulation). To pave the way for a better policy, technology companies should aim to make a serious inventory of the data they are collecting, submit transparency reports regularly, and most importantly, take public positions in defense of human rights. privacy early and often.