Period Trackers and Data Privacy

What is happening?

A lot of information is being spread around about the dangers of period tracker data in the wake of Roe v Wade being overturned, and with good reason. Some state legislatures are investigating a troublesome and vaguely defined area of law: whether you can be charged with a crime in one state for activity that takes place in another. For example, if Texas criminalizes activity seeking or aiding an abortion, then people who travel to another state where the activity is illegal could still be charged in Texas for aiding that effort.

Will that type of legal stance hold up in court? Unfortunately it seems likely to do so because of the specific nature of the abortion issue rather than on purely legal merits. The domain of states rights ends at the state borders constitutionally, but there’s precedent to upset that balance. An example would be the way international law is applied to US citizens when abroad. Traveling to another country to commit an act that is illegal in the United States remains a crime, even if that act is legal in the country it occurs in. This is commonly applied to underage sexual activity in places like Thailand, and it paints a clear picture for how states can apply the same logic to their own residents.

What about period trackers?

So why the fuss over period trackers? The primary reason is that these apps are not made for those who menstruate, but for marketers. Their primary purpose is to harvest data that can be shared with third parties for marketing purposes. Users trade their private behavioral and health information for a service that helps them to understand their own reproductive health and plan around it. This is not the model for just a couple of these apps, either. This is the standard reason they exist and the model of revenue they use for justification for investors. User data IS the product.

But what about [specific app]?

But what about that app that I saw shared on Facebook? They had a powerful message that it’s run by and for women. Or maybe there was a signed commitment to never sell our personal data. This one says they’re based in Germany, so the data is safe, right?

No. If your data is being collected it is not safe. Period.

What about that company run by women? Surely they care about keeping other women safe. They probably do, at least on some level. These types of stances are often taken from an ethical position of individuals who actually believe in their cause, but they make promises that are incomplete, ignorant of the challenges, or otherwise fail to align with what readers take away.

A company run by women has the same goal as a company run by men: make a profit, ensure its continuation, and grow. In the case of a non-profit there may be some wiggle room in there, but the business exists to do business.

But they promised to never sell my data! And in some cases that may be true, to a degree. They may not be selling your data directly to a data broker, but instead they will provide that data to a third party company to analyze and allow for targeted advertising. They technically didn’t sell it. They sold the byproduct of the data, which is a distinction without worth for the end user. Your data is still flowing around to groups you have no awareness of and used in countless ways.

But it gets worse. These privacy policies are easily changed and amended. It just takes one new employee to come on board and point at the untapped revenue streams for a few words to change in that policy. You may get a notification that terms of use have changed, or not. It doesn’t matter because no one reads them. And just that fast now your data is with a broker too.

What is the real danger?

Data brokers, third party data agreements, and all the other nasty “user data is the product” ecosystem issues are terrible, but that’s not a unique issue for reproductive health. These problems exist in every facet of our lives, and not just online. We should address these in a broader sense as a society and soon, but today we have a more pressing threat.

Data that is housed by a company is subject to law enforcement demands for information. Yes, even those in Europe. It doesn’t matter how good their privacy policy is, or what values they stand for. When a warrant comes in, they’re going to hand over that information. And that information can be incredibly invasive. These apps don’t just track the data you enter but the metadata as well. They know when you use them, where you were (thanks to phone GPS). Those third party data agreements can pull in even more information into that profile as data points are matched up. And all of this can be harvested by a law enforcement agency that is specifically looking to target you.

The fact is, most of the period tracking apps are actively harmful in the data they collect and share, and the few that pretend otherwise aren’t really any better. And almost none of them are effective in any way against law enforcement misuse of your private info.

So how do you protect against that?

The only way to prevent the seizure of your private data from a company is to not provide that data in the first place. That means either not using these tools at all, or using tools that do not store information anywhere but on your local device (your phone).

Drip is one such app. It is completely open-source with the source code available to be inspected by the community, improved upon, and issues to be publicly logged. It stores all data locally on your device and transmits nothing to a central cloud server. It gets funding from donations and contributions from the community of programmers worldwide. There is no advertising and your data is not the product.

Drip is currently available only on Android, but there is a projected iOS app version due in August of 2022.

Euki is another app that keeps the data on your device. It is available in English and Spanish on iOS and Android. Some of the more popular period tracking prediction features available in other apps aren’t to be found in this one, but safety should be a bigger concern these days.

You can read more about these apps and others in this consumer reports review of several period tracker apps and their privacy.

Be safe, protect your data.

This page is cryptographically signed with my public key.