How Period-Tracking Apps Track More Than Your Period
These smartphone apps don't have to abide by HIPAA, meaning your reproductive and sexual health data could be vulnerable.
The Supreme Court is set to overturn the federal right to abortion, and the stakes have never been higher for people seeking one. Their safety is of the utmost importance, especially as states incentivize private citizens to turn patients and those who aid them for cash.
Texas is one such state to have implemented laws that raise civilians to bounty hunter-like status, allowing them to sue someone accused of aiding an abortion for at least $10,000. While conservatives used to maintain, at least officially, that they are not interested in criminalizing people who have abortions—simply those who provide them—the tides have turned.
An unlikely, but perhaps not unwilling, informant may be a regular feature on a person’s phone: their menstrual cycle tracking app. In a world where ratting out people seeking an abortion is profitable, it’s not a stretch to assume that an app closely recording a person’s fertility might become another tool in their arsenal.
Currently, period-tracking apps do not fall under federal privacy protections like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), meaning these apps can share any data they collect as long as they state this in their privacy disclosures. But even if these apps did fall under HIPAA, law enforcement could still search for any data they deemed relevant to an investigation of someone who might be accused of inducing an abortion in a state where it’s illegal to do so.
“Law enforcement can also get access to the data from the data brokers downstream,” femtech lawyer Bethany Corbin said. “By paying a sum, they can get access to that data through a broker that they would otherwise have to get through a subpoena. So because that information is available in a second medium, they can go and buy it.”
Beyond law enforcement, any private citizen could, in theory, buy this data and use it to sue or turn in someone they suspect of having an abortion.
What—and how much—is being tracked?
Until recently, it was nearly impossible to compare the privacy disclosures among menstrual tracking apps, and users who were interested in seeing the different data being collected from their apps had to read each app’s disclosure. Surfshark, a cybersecurity company, created an index for the top 20 most popular period-tracking apps available via the Apple Store based on the amount and sensitivity of the data collected. Apple’s App Store itself collects 32 types of data, including account, device, and personal data. It also collects fitness and financial data.
According to Surfshark, every piece of data that is collected is ranked given a point system, where one point is given if the data being tracked is not linked to a user’s identity (like app crash data). Two points are given if data is tracked that can be linked to a user’s identity (such as the user’s name). And three points are given if the data could track users across apps and websites (such as user ID). The higher the score, the worse the outcome for the user.
With a score of 67.2 points, Eve collects the most data out of any period-tracking app. According to Surfshark, Eve collects 18 of the 32 data points possible, seven of which track users across platforms, like a person’s name, phone number, email, purchase history, and advertising data.
Next is Glow, which received 64.8 points. Eve and Glow have the same parent company, and Glow collects just one less data point than Eve. However, it doesn’t collect the user’s phone number. Glow tracks 17 of 32 possible data points.
Ovia is ranked next, scoring 62.4 points and collecting 19 data points. While this app technically does collect more data, it collects slightly less sensitive data than Eve and Glow. However, Ovia collects more information for third-party advertisers, including name, approximate location, email, health, device ID, some financial information, and more.
Two of the more well-known period-tracking apps, Flo and Clue, came in at sixth and 10th place, respectively, collecting more data than the average period-tracking app. Neither app sells data to third-party advertisers, but Flo tracks more data that can be linked to users.
Corbin said this signifies a trend where menstrual health apps are collecting much more data than they need for the app to function. Apple’s Cycle Tracking app, for example, is ranked as the 19th most data-hungry of the top 20 apps.
“The Apple Cycle Tracking app is doing very similar things to Flo or Clue or Glow in terms of tracking periods,” Corbin said. “And yet, one [Apple] is using significantly less data than the others to achieve the same function. It really shows that you can get the end result without collecting all of the data that is being collected.”
More data collected also means more lost if an app experiences a data breach. As the price of health data skyrockets, the likelihood of hacks is also on the rise, meaning significant portions of a person’s data could be lost.
What options do users have?
The implications of this are stark in a post-Roe world, and many people who menstruate rely on being able to track and understand their own health data. Because these apps track when someone is on their period, they can also determine if someone may be pregnant by seeing if the person has missed multiple periods.
One alternative, Euki, does not collect any data—it’s all stored locally in each person’s phone.
“People, especially BIPOC communities and communities that have historically been overpoliced, have faced legal risks associated with their digital footprint and pregnancy outcomes for decades,” said Caitlin Gerdts, vice president of research for Ibis Reproductive Health, the creators behind Euki. “Euki responded to a need that has existed for many communities for many years.”
Not only does Euki have the ability to track a person’s menstrual cycle, it also provides information about contraception and abortion and can even walk a person through how to induce an abortion with medications. And thanks to multiple levels of privacy and security, users can set a pin, auto delete their locally stored data on a recurring schedule, change the names of menu options, and more.
“For Euki users who live in states where abortion is restricted or banned altogether,” Gerdts said, “Euki has resources, information, and links to a range of different abortion options, methods, and models of care to support people to make the best decision for them given their individual circumstances as well as resources for financial, logistical, emotional, and legal support.”
Because these apps can track whether or not you’re getting a period, it isn’t a large leap to assume that if someone reports one or multiple missed periods, the app can make assumptions that the person is pregnant. Investigators too, can use this data to show someone might be pregnant. This information could be used against a person suspected of terminating that pregnancy, especially if that person lives in a state where abortion is illegal.
What’s being done about it?
This week, Democratic members of Congress introduced the “My Body, My Data Act,” which aims to limit the reproductive and sexual health data that can be collected. It also requires regulated entities to outline—and share—how they collect, retain, use, and disclose their users’ reproductive health info and gives users the ability to delete their data.
“This legislation will take steps to protect women’s privacy and ensure that individuals cannot collect data from websites or apps and use it against them,” Sen. Mazie Hirono (D-HI), one of the sponsors of the bill, said in a press release.
While this bill is a step in the right direction to protect users who might not know how much data is being tracked, any and all data can still be subpoenaed by law enforcement and used to criminalize someone accused of intentionally inducing an abortion.
Tracking fertility is critical, especially as abortion continues to become outlawed throughout the country. Knowing what is happening to our bodies and when may be one way to prevent pregnancies in states where the service is no longer obtainable. But not if it means risking prosecution while trying. Keep yourself safe, keep your loved ones safe—and understand where your data is going.