Have you considered your privacy rights when using birth control apps?
With a May 2024 update from the FTC on a pregnancy app that shared users’ sensitive information
Abstract from the article titled "Before Using Birth Control Apps Consider Your Privacy," posted on Wired.com: "Natural Cycles’ privacy policy states that in using the app each user grants the company and any of its partners broad rights to ‘use, reproduce, distribute, modify, adapt, prepare derivative works of, publicly display, publicly perform, communicate to the public, and otherwise utilize and exploit a user's anonymized information.’"
Subjective: This article points out important considerations for people using birth control and related apps that require the user to provide a significant amount of personal information. The somewhat galling aspect is that many users pay subscriptions for these services, which in the end could make no small amount of money off this data.
Objective: Megan Molteni provides a balanced description of the pros and cons of using these types of apps. She points out that many are not actively selling personal data at the time of the article and that the data they retrieve helps to provide a better product for their users. However, the potential for secondary use of the data for other unknown purposes is there.
Assessment: With statements such as this, users need to make educated choices about the apps that they choose to share their personal health information with: “Berglund says Natural Cycles’ only revenue stream at the moment is the app’s subscription service, and that selling customer data to third parties isn’t part of the company’s business plan. ‘We’ve never shared any data for financial purposes,’ she says. But that may not always be the case. ‘I can’t say we’ll never share data, there’s no guarantees in life of what will happen.’”
Plan: It has become very apparent that our personal data is being collected at great scale, whether legally or illegally, and it is important that we make active and educated choices about the health apps we use before automatically clicking the “Ok” or “I Agree” button when reviewing terms and conditions.
Exploring Privacy Practices of Female mHealth Apps in a Post-Roe World
A recent research study from King's College London titled "Exploring Privacy Practices of Female mHealth Apps in a Post-Roe World" investigates the privacy practices of 20 popular female mobile health (mHealth) apps, focusing on period tracking, fertility, and pregnancy apps. The study uses a mixed-methods approach, including thematic analysis of Data safety sections and privacy policies, and a privacy-focused usability inspection.
Key findings include:
- Inconsistent Privacy Practices: The study reveals significant inconsistencies between what is declared in the Data safety sections and the actual privacy policies of the apps. Many apps claim not to share user data, but their privacy policies indicate otherwise, including sharing data with third parties and law enforcement.
- Flawed Consent and Data Deletion Mechanisms: The mechanisms for obtaining user consent and for data deletion are often flawed. Users frequently have to accept broad privacy terms to use the apps, with limited options to opt out of data sharing. Moreover, data deletion processes are not always clear or fully effective, with some apps retaining user data even after account deletion.
- Sensitive Data Collection: Female mHealth apps collect highly sensitive data, including menstrual cycles, sexual activity, and physiological wellbeing, along with personally identifiable information. This data is often shared with third-party advertisers and could potentially be accessed by law enforcement, posing significant privacy risks, especially in a post-Roe v. Wade context.
- Privacy Safeguards: While some apps implement technical safeguards like data encryption, many do not clearly communicate these practices. Additionally, there is a lack of robust organizational measures to protect user data from breaches and unauthorized access.
- User Safety Concerns: The study highlights the potential for mHealth apps to be used for intimate surveillance and the commodification of sensitive data. In a post-Roe world, where abortion rights are more restricted, the misuse of such data could have severe implications for users' safety and privacy.
Recommendations include improving transparency in privacy practices, ensuring robust consent mechanisms, enhancing data deletion and portability features, and implementing strong technical and organizational safeguards to protect user data. The study calls for a dedicated focus on both user privacy and safety in the design and implementation of female mHealth apps.
This analysis underscores the urgent need for better privacy protections in female mHealth apps, especially given the sensitive nature of the data they handle and the changing legal landscape surrounding reproductive rights.
More links
- A link to the King's College London research article. The PDF document titled "Exploring Privacy Practices of Female mHealth Apps in a Post-Roe World" investigates the privacy practices of 20 popular female mobile health (mHealth) apps, focusing on period tracking, fertility, and pregnancy apps. The study uses a mixed-methods approach, including thematic analysis of Data safety sections and privacy policies, and a privacy-focused usability inspection.
- Pregnancy app Premom shared users’ sensitive information. According to the FTC, Premom shared users’ information with other companies, including Google and China-based marketing and analytics firms, all without telling users, getting their permission, or limiting what companies could do with the information. This led to FTC charges that Premom illegally shared users’ sensitive information like their health information, location, and device identifiers, which could be used to personally identify them.
- Report: Popular period tracking apps share data with third parties. A report by the U.K.-based Organisation for the Review of Care and Health Apps found 84% of 25 apps shared data outside of the developer's system.
- A link to the Office for Civil Rights page on HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care: Access to comprehensive reproductive health care services, including abortion care, is essential to individual health and well-being. The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (Privacy Rule) supports such access by giving individuals confidence that their protected health information (PHI), including information relating to abortion and other sexual and reproductive health care, will be kept private.
- A link to the Ars Technica article titled, "Google closes data loophole amid privacy fears over abortion ruling": Google is closing a loophole that has allowed thousands of companies to monitor and sell sensitive personal data from Android smartphones, an effort welcomed by privacy campaigners in the wake of the US Supreme Court’s decision to end women’s constitutional right to abortion.
- A link to the MobileHealthNews article titled, "Period tracking app Flo adds 'anonymous mode' after Roe decision": Flo said users will be able to enter anonymous mode through the iOS and Android app's settings, allowing them to use the app without personal email, name and technical identifiers. If the company receives "an official request to identify a user by name or email," Flo said it would be unable to connect any data to a specific person.
- A link to the original article on Wired.com: Natural Cycles stores user data in an encrypted cloud environment, and every week a pooled, anonymized version of the data gets pulled onto the company’s local servers to run the analysis that powers its app. So if you decide you want to delete your data, it should get scrubbed from the cloud first, and then from the company’s models, during that weekly overwriting process, according to Berglund. But according to the company’s privacy policies, it’s under no obligation to delete any data it has
- A link to the Washington Post article titled, "Is your pregnancy app sharing your intimate data with your boss?": As apps to help moms monitor their health proliferate, employers and insurers pay to keep tabs on the vast and valuable data
- Will insurers have to cover the controversial contraception app Natural Cycles under Obamacare’s mandate? An article from STAT. Currently, the Health Resources and Services Administration’s Women’s Preventive Services Guidelines include “the full range of contraceptive methods for women,” including the birth control pill, IUDs, and sterilization procedures, as well as “additional methods as identified by the FDA.”
- A link to the Electronic Privacy Information Center: EPIC is a public interest research center in Washington, DC. EPIC was established in 1994 to focus public attention on emerging privacy and civil liberties issues and to protect privacy, freedom of expression, and democratic values in the information age. EPIC pursues a wide range of program activities including policy research, public education, conferences, litigation, publications, and advocacy. EPIC routinely files amicus briefs in federal courts, pursues open government cases, defends consu
- A link to an article discussing Garmin's menstrual cycle tracker: Starting today, Garmin Connect users can record their cycle type, symptoms and notes about their personal health. By doing so, the service will begin to predict when their next period will occur or outline windows of increased fertility. In addition, the app will surface fitness and nutrition educational content that is tailored to the user’s current phase of their cycle.
- A link to the New York Times article titled, "What Women Know About the Internet": Of course, privacy is a concern for everyone, but this is also an issue, like health care, on which women have a particular view. Women know, for example, what consent really means. It’s not scrolling through seemingly endless “terms of service” and then checking a box. Online consent, just as it is with our bodies, should be clear, informed and a requirement for online platforms.