Despite handling volumes of personal health data, most reproductive health tracking apps have opaque privacy protection policies and no clear policy on data-sharing practices with law enforcement
(SAN FRANCISCO, CA | WEDNESDAY, AUGUST 17) — Eighteen out of 25 reproductive health apps and wearable devices that Mozilla investigated for privacy and security practices received a *Privacy Not Included warning label. These findings raise concerns in the post-Roe landscape that data could be used by authorities to determine if users are pregnant, seeking abortion information or services, or crossing state lines to obtain an abortion.
Mozilla researched ten popular period tracking apps, ten pregnancy tracking apps, and five health and fitness wearable devices that track fertility, including Flo, Glow, Ovia, Period Calendar Period Tracker, and My Calendar Period Tracker.
Entrusted by millions of users to track menstrual cycles, ovulation windows, and plan or prevent pregnancies, these apps collect huge amounts of data and are often used to target pregnant and expecting families with numerous ads. Additionally, that data rarely stays in one place — it circulates, bouncing from one entity to another among a disconcerting number of third-party businesses, research institutions, and others.
Euki is the only app that earned a place in Mozilla’s “Best Of” category. The wearable devices Mozilla reviewed — Garmin, Fitbit, Apple Watch, Oura Ring, and Whoop Strap — fared better, with none of them earning the privacy warning label.
Says Ashley Boyd, Mozilla’s Vice President of Advocacy: “Overnight, apps and devices that millions of people trust have the potential to be used to prosecute people seeking abortions. Our research confirms that users should think twice before using most reproductive health apps; their privacy policies are riddled with loopholes and they fail to properly secure intimate data.”
Says Jen Caltrider, Mozilla’s *Privacy Not Included Lead: “Companies collecting personal and sensitive health information need to be extra diligent when it comes to the privacy and security of the personal information they collect, especially now in our post-Roe vs Wade world in the U.S. Unfortunately, too many are not. This is frightening.”
Says Misha Rykov, *Privacy Not Included Researcher: “Best practices for privacy by design and by default have existed for a while, but most of the leading reproductive health apps chose to ignore them. This is scary when even the baseline security is shaky in apps used by millions of women post-Roe vs Wade.”
Key findings include:
- No clear stand on data sharing with law enforcement. A rather worrying trend, the majority of the apps have vague boilerplate statements with no clear guideline on when and how much user data could be shared with U.S. law enforcement. However, a sliver of hope can be seen in the Ovia Fertility policy, which clearly articulates how they share data requests from law enforcement.
- Data first, then consent. Data is precious and more lucrative than ever. Not only are most of these apps collecting tons of personal information, but some are also finding new ways of trapping users into sharing information even before they give consent. In other cases, privacy policies are hidden under the terms of service, making it harder for users to know how companies will collect, use, store, and retain their data, as seen in the Maya Period, Fertility, Ovulation & Pregnancy tracking app.
- All you can collect and share “data buffet” practice. Volumes of personal data collected are being used to target users with personalized ads, and now, they could be used to identify and map the activities of people seeking an abortion. Personal information collected ranges from phone numbers, emails, residency postal addresses, gender, device IDs, advertising IDs, and IP addresses, to app activity data such as cycle length, date of last menstrual period, sexual activity, pregnancy due date, doctors’ appointments, and pregnancy symptoms. Some apps also asked users to fill in work experience, education, hobbies, and interests. Additional data could also be collected via social media platforms and sold to third parties such as data brokers. Notably, a majority of the apps also shared data for research purposes and in some cases with employers.
- Poor privacy and security protection. Despite the highly sensitive nature of the data these apps collect, there are frail barriers put up to safeguard its access. At least eight apps failed to meet Mozilla’s Minimum Security Standards, allowing weak passwords ranging from “1” to “111111.” Apps such as My Calendar Period Tracker and Maya Period, Fertility, Ovulation & Pregnancy accept a one-digit password like “1”, while Preglife, which requires a minimum of six digits, allows sequential passwords like “111111.”
- Untrustworthy AI use. Most of these apps use algorithms to predict fertility and ovulation windows but were not forthcoming on how they operate, and what other functionalities were powered by AI.
North America: Patrick Kowalczyk, [email protected]
Europe: Tracy Kariuki, [email protected]