How private is your period-tracking app? Not very, study reveals

After the fall of federal abortion protections in the US, pressure has mounted on apps that collect pregnancy-related data to preserve people’s privacy. A new study has found many of them do not hold up to scrutiny.

Experts at internet research non-profit Mozilla studied more than 20 pregnancy and period tracking apps for privacy and security features and said the results were grim.

“Most of these products collect vast amounts of personal data, and then share it widely,” said Ashley Boyd, the vice-president of advocacy at Mozilla.

Related: Facebook gave police their private data. Now, this duo face abortion charges

Of the 10 pregnancy apps, 10 period trackers, and 5 wearables reviewed in the study, only seven were deemed to have safe user data and privacy practices. Most collected large amounts of personal data and shared it with third parties such as data brokers and advertisers. The study also examined security practices and found eight apps failed to meet minimum security​ ​standards and allowed weak passwords. Many apps also offered unclear policies surrounding police warrants for user data or made no stance on such requests.

Mozilla has published the report, called Privacy Not Included, for nearly a decade, but its results have taken on new urgency after the supreme court overturned Roe v Wade this summer, effectively ending the right to abortion nationwide. The decision immediately raised concerns about the tech industry’s potential compliance with the criminalization of abortion.

Period tracking apps are used by nearly one in three women in the US, according to a 2019 survey published by the Kaiser Family Foundation, logging large swathes of information about length of menstrual cycle, types of birth control used, and other health issues.

Experts fear this data could be used by law enforcement to prosecute people illegally seeking abortion. While there is not yet evidence period tracking data is being used in investigations, other tech companies are already contending with law enforcement requests. Last week, it was revealed a 17-year-old teen and her mother in Nebraska are facing criminal charges after Facebook handed over data including private messages related to an abortion that the girl had obtained illegally.

Related: Facebook gave police their private data. Now, this duo face abortion charges

The majority of the apps studied had “misleading” data sharing policies and lacked clear guidelines on how data requests from law enforcement would be handled, the study showed.

“Most of these apps share data with a large number of third parties, and that includes everyone from advertisers and Facebook to research partners and law enforcement,” said Mozilla researcher Jen Caltrider. “This raises a lot of questions.”

Mozilla divided the apps into the camps of “not creepy” and “very creepy”, and labeled those carrying significant privacy concerns as “privacy not included”. Only three apps and four wearable devices of the more than 20 surveyed made the cut, including period tracking app Euki and Google’s Fitbit device.

Euki was described as “a sexual and reproductive health app designed with privacy in mind” and does not collect any personal data that could be investigated by law enforcement or obtained by other entities. Other apps were not so clear, the study showed.

“Most of these privacy policies feature very vague statements about whether the app will share data with law enforcement, and those gray areas are going to be increasingly exploited,” Caltrider said.

Researchers are encouraging users to read up before they choose a tracking app, and to avoid apps that collect large amounts of data regardless of what privacy practices they advertise.

“Now more than ever, consumers need to be empowered when it comes to privacy,” the study said.