New report warns about privacy of period-tracking, pregnancy apps after Roe v. Wade overturned
A new report is shining a spotlight on potential privacy concerns and loopholes in apps that collect women's personal health information following the reversal of Roe v. Wade.
Abortion is now nearly banned in at least 15 states as a result of the Supreme Court's decision on June 24 to overturn the landmark 1973 Roe ruling -- which legalized abortion at the federal level -- and send the issue back to the states.
A report released Wednesday by the Mozilla Foundation, a non-profit organization that advocates for online privacy, concluded that among 25 popular reproductive health apps, most apps were found to have very vague privacy policies surrounding how they will share data with law enforcement.
Eighteen of the products earned Mozilla's label of "*Privacy Not Included," meaning users' data may not be secure, and eight failed to meet the foundation's "minimum security standards."
Among the apps examined by Mozilla's staff researchers were pregnancy apps, period trackers and wearables, all products that collect personal reproductive information like weight, birth plans, pregnancy journals and doctors' appointments.
Only one app - Euki - was ranked in Mozilla’s “Best of” category. The app Natural Cycles earned a commendable mention by Mozilla.
Other wearables and apps that ranked near the top of Mozilla's list include Garmin, Apple Watch, Whoop Strap 4, Oura Ring and Fitbit.
Caltrider said the privacy policies of the reproductive health apps researched were similar to the privacy policies of apps used for things like sharing recipes and photos.
"Anything that you share is no longer secure and that's just an expectation that you should have if you share something with these apps and it's not stored locally," Jen Caltrider, a co-author of the report and the lead of Mozilla Foundation's *Privacy Not Included online guide, told ABC News. "If the app collects information about your sexual activity, your sexual orientation, your moods, symptoms, pregnancy, your due date, any of it, just expect that that information is no longer yours to control."
Pregnancy and period-tracking apps have millions of users every month who utilize the technology to better understand and help control their reproductive health. The apps can tell you when to expect your next period, if you might be pregnant and how far along you are, when you are the most fertile for conceiving and what sorts of symptoms you usually experience.
Reproductive health apps' ability to share data with law enforcement is of particular concern for women who live in states where abortion has been limited or banned, according to Caltrider.
"What we found was most companies had fairly vague statements, that it was hard to tell whether companies would voluntarily disclose data to law enforcement if they came asking," said Caltrider. "Unfortunately there were a number of companies where we just couldn't tell what their data sharing plans were, and that worries us."
Leah Fowler, a research assistant professor at the University of Houston Law Center, told ABC News that consumers should not expect the health data they enter on apps to be protected in the same way it would be at a hospital or doctors' office.
"When we think about data in a consumer context, it doesn't have any of those special protections we tend to expect in other health contexts, like going to the doctor," said Fowler, whose research focuses on health law and policy. "The information you might give an app when you're playing Candy Crush or Angry Birds in many ways isn't different than the type of data you're giving an app in a health context, even if it feels particularly intimate and can become quite intimate when you're talking about period and fertility trackers."
Both Caltrider and Fowler said that period tracking, pregnancy and fertility apps can be smart, useful tools to use, as long as users do their own research.
"I think that each individual consumer has to do a cost-benefit analysis of how useful they find the product and the types of risks they may be exposed to depending on where they live," said Fowler. "And I think that there are lots of products available that will allow them to use what are ultimately very useful, very popular tools without exposing them to as much risk. For example, one that might store data locally on your phone or that doesn't participate in third-party data sharing."
Consumers should be able to find an app's privacy policy when they download the app on their phone, according to Caltrider.
She said to be wary of privacy policies that are either too short or too long, adding, "If companies can't clearly articulate what data they're collecting, how they're using that data, who they're sharing that with, it's a flag."
Both experts said another red flag warning is if a company uses the word "sell" or "share" in its privacy policy, meaning they can sell and share your information.
And if you go to download an app and can't find the privacy policy, Caltrider said she would advise not downloading the app.
In addition, Caltrider said that apps made by companies based in Europe tend to have tighter privacy restrictions than do companies based in other locations, including the United States.
"I do encourage people to at least look and see if they have a privacy policy," said Caltrider. "If you don't want to read the whole thing, do a search and see if they have the word sell in there and talk about selling your data. See if they do targeted, interest-based advertising with third parties."
She continued, "There are some little tells that will let users know oh, this company is treating my data more like a business asset and using it for purposes beyond just providing the service."
Statements from companies
ABC News reached out to all of the companies listed in Mozilla's report. Here are the responses we received.
Sprout
"It appears [the Mozilla Foundation] incorrectly stated the app does not have a Privacy Policy. It has always been and is freely available since the launch of the app on the app's product page on the Apple App Store and Google Play Store -- a Privacy Policy is required by Apple and Google and can be viewed in the corresponding app privacy and data safety sections. Customers can also access our Privacy Policy within the app and on our website: https://sprout-apps.com/privacy-policy.html.
Our Sprout Pregnancy app has always been privacy focused and is one of the only pregnancy apps on the market that does not require an account to use the app (no username or password) and the app data is only backed up to the user's personal iCloud or Google Drive account.
We have also responded to Mozilla's questions and you can contact them for additional information."
Euki
"We are pleased that Euki is being recognized in this way. Our ultimate goal remains getting Euki to anyone who can benefit from a comprehensive, inclusive and of course secure app for sexual and reproductive health. Access to abortion services is essential health care, a critical part of our human rights, and abortion access must be protected. Euki can help and we want to ensure that it gets in the hands of anyone who can benefit from its unique features and privacy protocols."
Natural Cycles
"At Natural Cycles we have always been committed to protecting our users' data as a regulated medical device and we're fully supportive of Mozilla's mission and assessment. We are of the mindset that every app – even if they have strong privacy protections like ours – should be working even harder to protect data on their users' behalf. I can confirm our team is working rigorously to ensure that not only is Natural Cycles the most scientifically-backed fertility app, that we have the strongest data protections too."
Clue Period & Cycle Tracker
"You can find Clue's stance about privacy here from the co-CEOs: Data is power, and responsibility: what we believe as Clue's Co-CEOs and here: Patient Data Privacy at Clue: A statement from the Co-CEOs."
Whoop Strap 4
"At WHOOP, our mission is to unlock human performance. We exist to improve the lives of our members, not invade them. We have invested heavily, and will continue to invest, in features and security to protect the privacy and security of our members' data. We believe this should be the standard for all companies providing wearable devices and health tracking technology."
Flo Ovulation & Period Tracker
"We understand that our users place trust in our technology to keep their sensitive information private, and the responsibility we have to provide a safe and secure platform for them to use. This is why Flo has never, and will never share any health data with any company but Flo. We will never make user data the source of our revenue because that would go against our core promise to our users.
In March 2022, Flo completed an external, independent privacy audit which confirmed Flo's own practices are consistent with its publicly stated privacy policy. Beyond this, the independent audit specified, "From both a governance and operational perspective, Flo was able to demonstrate a commitment to the privacy and security of its users' data and has devoted appropriate resources and personnel to ensuring it maintains those commitments."
In an effort to further protect reproductive health information of our users, Flo recently announced the launch of 'Anonymous Mode.' Flo already uses security best practices, including encryption of all data and passcode protection, however this new feature deidentifies data on a deeper level by removing personal email, name and technical identifiers. In the event that Flo receives an official request to identify a user by name or email, Anonymous Mode will prevent Flo from being able to connect data to an individual, meaning Flo would not be able to satisfy the request.
Beyond this, we provide security measures designed to protect individual user data and privacy rights. As of last week, Flo is now the first period & ovulation tracker to achieve the ISO 27001 certification, the internationally recognized standard for information security. This certification affirms that Flo protects users' data at the highest standard possible.
Flo remains committed to ensuring the utmost privacy for our users. Some of the additional measures we take include:
- Data Encryption: Data is transferred to our servers in an encrypted form.
- Data Separation: Personal user data (that can be used to identify an individual person, e.g., e-mail) is kept separately from data logged in the app (e.g., specific user inputs). This measure helps to prevent users from being identified.
- Rigorous Supplier Due Diligence: We only work with suppliers who meet our minimum privacy and security standards.
- Regular Privacy Risk Assessments: We undertake regular risk assessments on all processing activities to ensure risks are identified and removed.
You are welcome to read our Privacy Portal, which gives more detailed info on our data protection policies: https://flo.health/privacy-portal. You also may find this landing page on how Flo responds to data requests useful: https://flo.health/flo-user-response-data-requests."
Preglife Pregnancy App
"We are very happy that Mozilla is [doing] audits like this. Personal privacy is something we take very seriously, and we are positive for all efforts that highlight the importance of privacy.
Not so happy about not performing better than what we did but when reading the audit, it clearly states that we at Preglife take privacy very seriously. Our privacy policy is well written, easy to understand, and I am confident that our wish to keep our users' privacy secure shines through. The fact that we allow simple passwords is unfortunate but true. We don't deny that. However, it is on our "to-do list" and something that we were about to fix within the coming weeks. But in the light of this audit and the increased need for privacy for our U.S. users, we will make this our top priority, meaning we will fix this ASAP.
In the audit Mozilla were unable to verify if we use encryption or not -- but we do. All personal data that is transferred from the app is encrypted. All databases are encrypted.
Also stated in the audit, we allow users to use Preglife without creating an account. If you use Preglife in that way you never have to worry about any data loss since all data is stored locally on your handset. The downside is that if you lose your phone or if it breaks you risk losing valuable data. However, in the light of current events in the U.S., some users may feel that is a risk they are willing to take to be totally 'off the grid.'"
Glow Nature & Glow Baby
"We strongly disagree with Mozilla's review and we are working closely with Mozilla on their rating process, including sending them all the legal facts to address their concerns and claims.
We do not share personal data with anyone and will never sell users' data. It's simply against our core values. We have an extensive set of features and internal protocols that protect user data. We have also implemented 3rd party annual privacy and security assessments to ensure our platform provides the highest level of data protection for our users. Every single employee at Glow is required to go through privacy and security-related training.
Our number one goal is to build the best products for our users and doing anything that violates their trust would go against our values. Even in the case where we have been asked to provide information to law enforcement, we have always examined those requests in extreme detail and take action ONLY when it is protecting our users. We will continue to uncompromisingly protect our users' privacy and personal health information. Period."
ABC News' Laryssa Demkiw, Michela Moscufo, MaryAlice Parks, Jeca Taudte, Sony Salzman and Cheyenne Haslett contributed to this report.