
Is period tracking safe? • Georgia Recorder

After the Supreme Court struck down her constitutional right to abortion in 2022 and abortion became illegal in Tennessee, Dr. Danielle Kelvas stopped using the app that tracks her menstrual cycle.

“It scared me… I actually got scared because it had been tracking me for a week,” Kelvas said of the Cycle Insights feature on Oura Ring. “And I thought, where is this information going?”

In the wake of the Supreme Court’s Dobbs v. Jackson ruling that invalidated the constitutional right to abortion, data privacy experts warned people to take a closer look at menstrual cycle tracking apps. Information logged on these apps or tracked by wearable devices like a Fitbit or Oura Ring could be used to prosecute people seeking abortions in states that criminalize them.

Kelvas, a former emergency room doctor, is a big fan of her Oura ring. She researched the device — which gives users insight into their biometrics like heart rate and sleep quality — thoroughly before purchasing it.

Dr. Danielle Kelvas is an Oura Ring user, but she opted out of the period tracker because she couldn’t verify the device’s privacy policy. (Courtesy of Danielle Kelvas)

When the company introduced its menstrual tracking feature, called Cycle Insights, she was excited to try it out. But when she started reading more about the terms of the agreement, she couldn’t find any clear information about how the data was stored, how secure it was, or whether it was encrypted.

States Newsroom reached out to Oura for clarification on its Cycle Insights privacy policy, but the company did not respond to the request for comment.

Kelvas, 34, lives in Chattanooga, Tennessee, where abortion is illegal except to prevent the death of a pregnant woman. The law, a no-pregnancy law that went into effect in August 2022, also makes it a crime to obtain or have an abortion.

“So I deleted it,” Kelvas said of the app.

Opal Pandya is in the same boat. The 25-year-old Philadelphia resident deleted Flo after reading case studies about data sharing with external third parties. She also noticed that she suddenly started getting targeted ads on Instagram for products that claimed to help with menstrual symptoms, which she had just logged in Flo.

“I realized my data was flowing across multiple platforms,” she said.

She didn’t feel comfortable with that and didn’t have time to find out who had access to that data. The final straw was learning that third-party data could be accessed by states to prosecute abortions banned under their laws.

Pandya also gave up on tracking her cycle with her Apple Watch after using it for a while and stopped wearing it to bed because the watch tracks ovulation cycles based on her temperature at night while she sleeps.

Pandya said privacy in healthcare has always been something of concern, and while tracking menstrual information has its benefits, the Dobbs decision showed her that disclosing that data could have “serious consequences.”

“I have always been sensitive about my health information, and I understand that there is a strong distrust of the medical system as a whole,” Pandya said. “And the repeal of Roe v. Wade has done nothing but reinforce and spread that distrust, particularly among minority women.”

Kelvas, who now runs a medical writing service and is a consultant for IT Medical, is well aware of the nuances of tracking menstrual cycles.

As a doctor, she said she can’t emphasize enough how important it is for people to have access to cycle tracking. It’s one of the few tools that give people more control over family planning and their reproductive health as some states crack down on access to contraception.

But her background in health IT has shown her how easy it is to fail to protect sensitive data. Many people assume that all health care information is protected under the federal privacy law known as HIPAA. But menstrual cycle tracking apps, as well as other health care technologies like texting platforms that patients can use to communicate with their doctors, are not.

Kelvas said it’s hard to navigate reproductive rights issues in states with very restrictive policies. “It doesn’t really matter what we do, we always get in trouble,” she said.

“For many women, suddenly becoming pregnant means that they are illegitimate,” Kelvas said. “And what do you do after that? You know, for many people, the reality is that they simply no longer own their uterus.”

What data is available?

There have been no cases yet where data from menstrual tracking apps has been subpoenaed, but that’s likely due to the slow pace at which cases are moving through the court system, said Jake Laperruque, deputy director of the Security and Surveillance Project at the Center for Democracy and Technology. There have been a few other cases of electronic data in some form being subpoenaed, but their terms leave many companies vulnerable to having to hand over the data to prosecutors or courts.

Laperruque warns that the data that could be used in abortion-related prosecutions could go beyond just the data recorded on a menstrual cycle tracking app.

“There’s a lot of seemingly benign data in healthcare — location information, communications, metadata patterns, even information you don’t know you’re generating,” said Laperruque.

If social media apps have access to your location, prosecutors could, for example, time your visit to an abortion clinic using location data from any number of apps.

“Data collected by wearable apps and devices can now potentially be used by law enforcement and even private individuals who wish to sue or prosecute individuals exercising their reproductive choices or seeking abortion information or care,” he said.

Digital traces were used in reproductive prosecutions even before the Dobbs ruling.

In 2018, a Mississippi woman was charged with second-degree murder after giving birth to a stillborn baby at home. Part of the indictment indicated that she had researched how to terminate pregnancies in the past.

Last year, a Nebraska teenager was convicted of terminating a pregnancy after prosecutors subpoenaed her to court to question her about Facebook messages between her and her mother.

How to assess data privacy

For now, most of the responsibility for protecting user data rests with users themselves, says Andrew Crawford, senior adviser for healthcare privacy at the Center for Democracy and Technology.

“It’s really up to users to do their homework,” Crawford said. “And unfortunately, sometimes that means reading really dense privacy policies and searching for keywords.”

The app or wearable’s terms of service must outline what data is being collected, what it does with that data, and who else can access it. The app can automatically seek access to things like your contacts, geolocation, or photos, but you don’t have to give it full permissions. Period-tracking apps often share information with data brokers, advertisers, or other third parties, and that sharing is hard to track.

Users should also pay attention to how the app treats the data it receives. The keyword to look for is “encryption,” meaning the data has been converted into a secret code that can only be unlocked with a unique digital key.

Data stored locally on your device is also typically more secure than data stored in the cloud, Crawford said. It would be much harder for law enforcement to access encrypted data stored only on your device than it would be if they could subpoena the company.

There is always a risk as long as data is recorded somewhere, Laperruque said.

“But the police will only be able to search your phone if they serve you a warrant and confiscate the phone,” he said.

Most wearable devices that collect biometric data have some form of encryption. Apple’s privacy policy states that when the device is locked, all health and fitness data that is on the device and synced to iCloud is encrypted.

“This means that when you use cycle tracking and have two-factor authentication turned on, your health data synced to iCloud is end-to-end encrypted, and Apple does not have the key to decrypt the data and therefore cannot read it,” the company said.

Fitbit and Oura Ring say they also use encryption measures. All three companies say they must comply with subpoenas from law enforcement.

The cost of your data

App creator Elizabeth Ha, 27, of Los Angeles, created the cycle-tracking app Monthly in response to the Dobbs v. Jackson decision. All health data entered into the app is stored privately on your device and never goes into a database. You can delete your app (and then your data) at any time, and Monthly never shares your data with anyone but you.

Ha had long used an app to track her menstrual cycle, but Dobbs’ decision and the attention paid to data privacy at the time forced her to take a closer look at where she was logging her information.

“Once your data goes into these data stores, they act like a black box,” she added.

She feels pretty confident about her reproductive rights in California, but you never know what’s going to happen and who else might need a more secure option, she said of Monthly, which hit the app store late last year.

The mobile app space is still new, having developed over the last decade or more, and it is evolving quickly, she said. The reason so many period trackers are free is that they’re made by larger companies that can collect and sell your data, Ha said.

“In order for them to do business, a large part of their business has to sell data,” she said.

Many Americans are waiting for a comprehensive federal data privacy overhaul. The American Privacy Rights Act, introduced in Congress in May, would require covered entities to be transparent about how they use consumer data and give consumers the right to access, correct, delete, and export their data, as well as opt out of targeted advertising and data transfers.

It would also mandate that a covered entity cannot collect or transfer to third parties biometric data “without the express consent of the individual.”

For now, people who want to protect their reproductive health information should pay attention to the terms of service of the devices and platforms they use.

“It just goes to show how important both oversight and consumer data are in terms of improving regulation,” Laperruque said. “We need to be more protective.”
