Glow Nurture & Glow Baby

Warning: *Privacy Not Included with this product

Glow Inc
WiFi

Review date: August 9, 2022

Mozilla investigated for 8 hours

Mozilla's opinion

People's votes: Very creepy

Glow Inc makes four different sex, period, fertility, ovulation, pregnancy, and baby tracking apps they say cover everything from "period to parenting." There is Glow (fertility), Nurture (pregnancy), Baby (babies), and Eve by Glow (period & sex life). All four apps use the same privacy policy.

Glow's pregnancy tracking and baby apps say they give you things like baby growth and development, kick counter, medical log, contraction timer, postpartum support, baby feeding and sleep schedule, parenting tips, community forums and more. That's a whole lot of personal, sensitive health data they collect to help users during pregnancy and after. So, how does Glow do at protecting the privacy of all this personal information you share about you and your baby? Honestly, they aren't great. Actually, they're pretty bad.

What could happen if something goes wrong?

Ugh, Glow. This will not be a glowing review because Glow raises a whole lot of privacy concerns for us. Where to start?

There's the big old bunch of trouble they got into back in 2020 after Consumer Reports found lots of problems with Glow's privacy and security. And then California settled with them in a case where they were allegedly failing to "adequately safeguard health information," "allowed access to user's information without the user's consent," and had security problems that "could have allowed third parties to reset user account passwords and access information in those accounts without user consent." Very very bad.

And then there's the dishonesty this privacy researcher was really irked by when she reviewed the data privacy information the company shared on its Google Play store data safety page. There they make the claim: "No data shared with third parties. The developer says this app doesn't share user data with other companies or organizations." This claim is easily shown to be false with a read of their privacy policy where they outline sharing data with lots of third party advertisers, business partners, and professional advisors (which seems way beyond the scope of what Google says constitutes what needs to be declared for data sharing.) Misleading and dishonest data safety claims are a HUGE pet peeve of us here at *Privacy Not Included. Unfortunately, with what we've seen so far on Google's new Play store data safety information pages, this self-reported data from companies is too often inaccurate. Glow isn't the only one making misleading claims there.

Glow does state clearly in their privacy policy that they can collect a whole bunch of personal, usage, and health information on their users. Things like name, email, precise location, spouse's name, sexual orientation, health care providers' names, child information, mood, medications, and, of course, sexual activity, fertility, and menstrual cycle information. That's a whole lot of information they can collect, which is not surprising. They are an app designed to do that. What is surprising is when an app that knows they are collecting this much super sensitive, personal, and health related data then goes on to say they can use some of the data for targeted, interest-based advertising purposes or share with "professional advisors" which they say can include "lawyers, auditors, bankers and insurers," or their vague list of affiliates which can include "corporate parent, subsidiaries, and affiliates." That's a lot of potential data sharing with a lot of potential third parties.

Glow also states in their privacy policy that they can collect even more information about you from third-party sources such as social media and combine that with what they collect on you. They say, "We may combine personal information we receive from you with personal information we obtain from other sources, such as social media accounts ..." This is where we remind you to never, ever log into an account with a social media login like Facebook. It's bad privacy news where even more of your data can be shared with both the social media site and the company. Glow is also a little too vague for our liking in that statement about collecting data from third-party sources. They say they "may" combine data from third-party sources "such as" social media accounts, which seems to indicate to us they could also be collecting data from other third-party sources, for example, data brokers or public sources. Gross.

All of these are some serious privacy red flags we aren't happy about at all. And then there is the question of how Glow says they might share your information with law enforcement. Their privacy policy mentions that in a couple of places where they say, "We may use your personal information to ... comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities." And they say they may share your personal information with "Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes..." This leaves us feeling wary as it seems to indicate Glow might give up a user's data through voluntary disclosure, which is a policy we really don't like here at Mozilla. We much prefer when companies state they won't give up user data to law enforcement unless required to under subpoena, and even then, we like to see them commit to only giving up the bare minimum necessary.

What's the worst that could happen with Glow? Way too much, we're afraid. We'd say this product comes with *Privacy Not Included and recommend you look elsewhere for a privacy protecting pregnancy tracking app. We just don't believe users can or should trust Glow to respect and protect their privacy, no matter what the company states on Twitter or in a press response.

Tips to protect yourself

  • Enable multi-factor authentication to protect your account.
  • In the app settings under "Personal privacy security and data" make sure to uncheck the box for "Internet-based ads."
  • Do not connect Samsung Health, GoogleFit or Apple Health or other wearables to the app.
  • Choose a strong password! You may use a password control tool like 1Password, KeePass, etc.
  • Use your device privacy controls to limit access to your personal information via app (do not give access to your precise location, camera, microphone, images and videos, other files).
  • Keep your app regularly updated.
  • Limit ad tracking via your device (e.g., on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization).
  • Request your data be deleted once you stop using the app. Simply deleting an app from your device does not erase your personal data.

Can it snoop on me?

Camera

Device: Not applicable

App: Yes

Microphone

Device: Not applicable

App: Yes

Tracks location

Device: Not applicable

App: Yes

What can be used to sign up?

What data does the company collect?

How does the company use this data?

We ding this product for sharing personal data for advertisement. Their use of some services may be classified under California law as a “sale” of your Personal Information.

"We, our service providers and our third party advertising partners may collect and use your personal information for the following marketing and advertising purposes: Direct marketing. [...] Interest-based advertising. [...]"

"We may engage third-party advertisers or advertising companies to display ads on our Service and other online services. We may also share names, email addresses and device identifiers our users with these companies to facilitate interest-based advertising to those or similar users on other online platforms."

"We may share your personal information with the parties below, with other third parties with your consent, and as otherwise described in this Privacy Policy or at the time of collection: Affiliates. Our corporate parent, subsidiaries, and affiliates, for purposes consistent with this Privacy Policy. Advertising partners. Third party advertisers and advertising companies for the interest-based advertising purposes described above. Advertisers whose ads are posted on our Service may be able to infer information about you when you click on those ads (e.g., that you have a newborn if you click on an ad about a newborn product). Professional advisors. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services that they render to us."

"Our use of some of these services may be classified under California law as a “sale” of your Personal Information."

"We may combine personal information we receive from you with personal information we obtain from other sources, such as social media accounts that you use to log into or connect to the Service, which will allow us to collect the information you chose to make available in your settings on that social media account. "

How the company says they may share data with law enforcement:
"We may use your personal information to: comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities; protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above. "

How can you control your data?

What is the company's known track record of protecting users' data?

Bad

In 2020, California settled with Glow app over alleged violations of California’s Confidentiality of Medical Information Act (“CMIA”), the Unfair Competition Law (“UCL”), and the False Advertising Law (“FAL”). In addition to a $250,000 civil penalty, the settlement included injunctive terms that require Glow to comply with state consumer protection and privacy laws, and a first-ever injunctive term that requires Glow to consider how privacy or security lapses may uniquely impact women.

The Attorney General's complaint alleged the Glow app:
- Failed to adequately safeguard health information;
- Allowed access to user’s information without the user’s consent; and
- Additional security problems with the app's password change function could have allowed third parties to reset user account passwords and access information in those accounts without user consent.

Already in 2016, a Consumer Reports investigation singled out Glow Inc. for privacy and security flaws.

Child privacy information

The Service is not intended for use by children under 16 years of age. If the app provider learns that they have collected personal information through the Service from a child under 16 without the consent of the child’s parent or guardian as required by law, they will delete it.

Can this product be used offline?

Yes

Is the privacy information easy to understand?

No

Links to privacy information

Does this product meet our minimum security standards?

Yes

Encryption

Yes

Glow claims their data is encrypted in transit in their Google Play store data security information. We could not confirm that Glow encrypts data at rest where it is stored on their end.

Strong password

Yes

Security updates

Yes

Manages vulnerabilities

Yes

You can submit vulnerabilities here: https://glowing.com/security. Glow shares more information for security researchers on a security page on their website.

Privacy policy

Yes

Does the product use artificial intelligence?

Yes

Glow predicts women's chance/risk of pregnancy with machine-learning technology.

Is this artificial intelligence untrustworthy?

Could not be determined

What kind of decisions does the artificial intelligence make about you or for you?

Perceived chance to get pregnant

Is the company transparent about how the artificial intelligence works?

No

We found no sources/white papers about how their AI algorithms work

Does the user have control over the artificial intelligence features?

No

We found no AI controls in the app

News

Serious Privacy Flaws Discovered In Glow Fertility Tracker App
TechCrunch
There are scores of startups making fertility tracker and family planning apps today, but a Consumer Reports investigation has singled out Glow Inc. for serious security and privacy flaws.
Glow Pregnancy App Exposed Women to Privacy Threats, Consumer Reports Finds
Consumer Reports
Recently, Consumer Reports tested Glow for security and privacy features as part of a broader project, and found surprising vulnerabilities. One security flaw might have let someone with no hacking skills at all access a woman’s personal data. Other vulnerabilities would have allowed an attacker with rudimentary software tools to collect email addresses, change passwords, and access personal information from participants in Glow’s community forums, where people discuss their sex lives and health concerns. Glow has responded by fixing the problems and updating the app.
Attorney General Becerra Announces Landmark Settlement Against Glow, Inc. – Fertility App Risked Exposing Millions of Women’s Personal and Medical Information
State of California Department of Justice Office of the Attorney General
California Attorney General Xavier Becerra today announced a landmark settlement against Glow, Inc. (Glow), a technology company that operates a fertility-tracking mobile app that stores personal and medical information. The settlement, which is subject to court approval, resolves the Attorney General’s investigation of Glow's app for serious privacy and basic security failures that put women’s highly-sensitive personal and medical information at risk. In addition to a $250,000 civil penalty, the settlement includes injunctive terms that require Glow to comply with state consumer protection and privacy laws, and a first-ever injunctive term that requires Glow to consider how privacy or security lapses may uniquely impact women.
California Settles with Glow App Over Alleged Privacy and Security Violations
WilmerHale
In September, the California Attorney General (the “AG”) reached a settlement with Glow, Inc. (“Glow”), a technology company that is responsible for an ovulation and fertility-tracking mobile application called the Glow app. The AG alleged violations of California’s Confidentiality of Medical Information Act (“CMIA”), the Unfair Competition Law (“UCL”), and the False Advertising Law (“FAL”), though Glow made no admission of liability in the settlement. Ultimately, the settlement imposes a monetary fine as well as highly prescriptive injunctive terms that last for a period of 2 to 3 years and go far beyond the requirements of California law. Glow must maintain certain information related to user consent, document product design methodology for potential review by the AG, and provide risk assessments to the AG, among other things. The AG also has incorporated certain gender-specific requirements that companies may want to evaluate as part of their overall approach to “privacy by design” in developing their products. Companies operating in California also should evaluate these provisions to determine whether they make sense to consider or could create potential risks based on current operations, even if not formally required by existing law.
Supreme Court overturns Roe v. Wade: Should you delete your period-tracking app?
TechCrunch
Though popular, and undoubtedly a useful tool for those who want to plan and avoid pregnancy and track signs of menopause, it’s no secret that the objective of many of these apps — of which there are more than a thousand in the app stores alone — go far beyond that of tracking periods. Monitoring menstrual cycles has proven to be a lucrative business for developers, many of which share users’ personal information and activity on the apps with third-party marketers and advertisers.
‘Delete every digital trace of any menstrual tracking’: Are period-tracking apps safe to use in a post-Roe world?
MarketWatch
Pregnancy- and period-tracking apps could pose a risk to users by exposing their information to third parties, according to a report by Atlas VPN that analyzed 10 of these pregnancy- and period-tracking apps. “Apps dedicated to women’s health, like pregnancy or period trackers, heavily collect sensitive data and share it with third parties,” the report said.
Forget Tracking Your Period—Your Period (App) Is Tracking You
Marie Claire
Many may assume that since these [period-tracking] apps handle sensitive medical information, their intel is safeguarded. Untrue. Only info shared with a health-care provider or a health plan is protected by the Health Insurance Portability and Accountability Act (HIPAA). “Everything I put into my period-tracking app is fair game to be sold,” says Michelle Richardson, director of the Privacy & Data Project at the Center for Democracy & Technology. And marketers and insurance companies are paying big money to use it.
Fertility and Period Apps Can Be Weaponized in a Post-Roe World
Wired
Experts that spoke to WIRED say that fertility and period-tracking apps—along with the myriad other data trails that users leave behind—could be a rich source of data for law enforcement looking to punish women if abortion is outlawed or criminalized.
The data flows: How private are popular period tracker apps?
Surfshark
Nobody really wants to keep track of their periods in their minds or a wall calendar, which makes period trackers really popular. But are they tracking more than menstrual cycles? To find that out, we took a look at 20 period tracking apps popular in the US and compared their data collection practices.