Authorities and companies will adhere to the pattern
Applications release information on menstrual cycles, sexual climaxes, and pregnancy termination procedures
After the right to have an abortion was removed in the United States, users of period-tracking applications are worried that their personal medical data could be used as evidence in criminal cases if there are indications of an interrupted pregnancy. They want to know who collects and shares their personal information and how they do it.
After the US Supreme Court overturned Roe v. Wade and effectively prohibited abortion, there were reports in the media that mobile period-tracking apps might be used to gather data on women who have abortions.
Many women around the world use these apps, such as Flo, which has over 40 million active users per month according to the company, and Clue, which has 12 million users. These apps also capture data about menstrual cycle irregularities, which can sometimes indicate a pregnancy that was begun and then terminated. Some also enable users to log in using their Google or Facebook accounts (owned by Meta, which is considered extremist in Russia and is banned there). Additionally, some apps collect information about the user's location.
All the data collected is the property of the development companies, who are unlikely to misuse it. However, if illegal abortion cases are pursued at the request of third parties, law enforcement agencies might potentially exploit a woman's digital presence as evidence. This goes beyond just data from menstrual cycle trackers.
Geodata
In 2015, John Flynn, CEO of marketing company Copley Advertising, reached out to RealOptions, a chain of maternity crisis centers in California. Copley Advertising had developed geo-fencing technology to display store advertisements to people nearby. RealOptions aimed to dissuade women seeking help at crisis centers from having an abortion. Flynn suggested targeting pro-life advertisements to women visiting abortion clinics. A year later, he claimed that over 800,000 women had seen the targeted ads, and more than 2,000 had visited the RealOptions website.
Geofencing utilizes location data obtained from mobile applications. This location data is anonymous, and there is no proof that Flynn tried to identify the women who were shown RealOptions ads (Copley Advertising was investigated by the Massachusetts Attorney General's Office in 2017, after which the company ceased using geofencing for visitors to abortion clinics). However, it is theoretically possible. For example, through social engineering: targeting individuals who visit abortion clinics with fake ads and soliciting their personal details (like names and email addresses) under the pretext of a prize draw or special loan program.
Or through long-term analysis of phone movements. In 2018, The New York Times examined a geodatabase and managed to connect a recurring route to a specific individual—a teacher who commuted between home and school every weekday. After analyzing other geodata collected from her phone with her consent, the journalists uncovered details about her walks with her dog, an overnight stay at her ex-boyfriend's house, and a visit to the doctor's office. In this case, it was a dermatologist, but the database also included a user who spent about an hour at a family planning center.
Companies that gather such databases aren't interested in individuals – they use data sets to create models, which help marketers analyze the market, predict user behavior, and plan advertising campaigns. Leaks and unauthorized sale of sensitive data are risky. In May 2022, Motherboard, Vice’s tech app, revealed that maps showing the general residences of visitors to abortion clinics could be bought from the company’s Placer.ai website. Creating an account and accessing data related to a specific clinic only takes a few minutes. Similar datasets were previously discovered by SafeGraph. The data in them is aggregated, meaning individual mobile phones are not tracked, but rather their clusters. However, if a cluster contains only four or five phones, identifying their owners becomes relatively easy.
The reward for this could be $10,000, which, for example, would be received by a plaintiff who wins a lawsuit against an organization or person who assisted in an illegal abortion under Texas law. According to a Google report, from 2018 to 2020, the corporation received more than 20,000 requests from US law enforcement agencies to disclose user geodata, and the number of these requests is growing: if in 2018 there were less than 1,000 of them, then in 2020 – more than 11,000.
Orgasms and delays
Applications not only track the geographic location of users – for example, in 2018 it became known that the Medical Appointment medical application transmitted information about patients with injuries to law firms. In 2019, a team of scientists from Canada, Australia and the US analyzed 24 health-related apps: each of them asked the user an average of four permissions to access data stored on the device (including calls and email address), the majority (71%) passed them on to third parties. A total of 24 applications supplied user information to 55 organizations.
According to Columbia University researchers, menstrual trackers are the fourth most popular app in the health category.
Users themselves report the start and end of menstruation – but not only. Applications suggest marking symptoms, acne, physical activity, mood swings, restroom visits, orgasms, contraception, and other private events. In 2019, Privacy International analyzed several of these apps and found that two of them, Maya and MIA, began sharing user data with Facebook before the user agreed to the privacy policy. The applications didn't hide the fact that they transfer user data to third parties, but they didn't explain to whom, why and in what form.
At the same time, The Wall Street Journal found out that sensitive information was shared with Facebook (as well as with Google, AppsFlyer, and others) by the Flo application. According to the Federal Trade Commission complaint, the developer company shared data about “in-app events” with third parties – for example, that the user switched it to pregnancy mode – and did not restrict the use of this data. Flo later changed its privacy policy and conducted an independent privacy audit. Flo’s privacy policy currently states that AppsFlyer only receives technical identifiers (IP address, advertising IDs), subscription status, app launch fact reports, and age group.
In 2020, Glow, a company that creates apps, was fined $250,000 for sharing user data with other companies without getting permission. Also, a weakness was found in the app, so anyone's account could be easily stolen.
However, the app might not just be a dishonest data seller. In 2019, The Guardian reported on the Femme app, which expressed concerns about the safety and effectiveness of birth control methods. It said they could harm women's health and suggested that the safest, 'natural' way to prevent pregnancy was by tracking the menstrual cycle. 'Hormonophobia' is the most common reason for rejecting hormonal birth control in Western countries, even though with the right modern drug recommended by a doctor, the risk of side effects is very low.
It turned out that Femme's medical consultants do not have a medical license, but are connected to the Catholic University of Santiago in Chile. The app itself was made and supported by the Chiaroscuro Foundation, which was sponsored by the New York-based private Sean Filer Foundation. Other recipients of funds from this foundation include politicians who support banning abortion. According to Femme CEO Anna Halpine, the app does not take any position on abortion issues.
Fake clinics
The biggest danger for American women who want to keep a pregnancy or abortion secret is the medical institutions themselves. For instance, in 2019, it was revealed that the government of Missouri required reports on abortion operation dates and fetus gestational age from the only abortion clinic in the state at that time. The reports did not include patients' names, and the director of the state health department indicated that they were gathered to monitor medical service quality, after the clinic received complaints. However, this raised concerns among pro-choice activists. Nonetheless, in 2022, Missouri completely prohibited abortion, the first time since the Roe v. Wade ruling was overturned.
According to the Health Insurance Portability and Accountability Act (HIPAA), a doctor may give a patient's medical information to the police if they believe a crime is happening in a healthcare facility or emergency room. However, some of this information, especially if it is collected and presented incorrectly, can be misunderstood. For instance, if a woman seeking help for a miscarriage or bleeding after childbirth is given medications that are also used in abortion.
Apart from medical institutions, the country has crisis centers for pregnant women, or CPC (stands for crisis pregnancy center). In these centers, pregnant women encounter false information (such as claims that abortions cause cancer and mental illness) and coercion (persuasion, 'mandatory' fetal ultrasounds and stories about fetal development). Women have reported that by contacting the CPC, they lost the time needed to end their pregnancy.
However, many women ended up at the CPC because they wanted to get an abortion. Crisis centers target their ads to women looking for relevant information on the internet and optimize their websites to appear in search results related to abortion. According to the Hate Action Center based in the UK (which also works in the US), 11% of Google search results for 'abortion clinic near me' and 'abortion pill' in states where abortion is practically banned lead to CPC websites. When searching on Google Maps, it's up to 37%.
When a woman comes to the CPC, she is welcomed by staff in medical gowns. They ask her to fill out a form about her health, medications, habits, pregnancies, and personal details. Even though CPCs look like clinics, they are not medical facilities and are not bound by HIPAA and the Federal Trade Commission rules. However, the centers defend their actions by citing the freedom of speech guaranteed by the First Amendment.
Their own policies about handling data can be confusing, such as allowing CPC to share customer information to prevent a serious health or safety threat as per the law. The Women’s Media Center tells a story of a woman who went to the CPC and then got an abortion elsewhere, where the staff from the crisis center called her and her mother to ask about the operation details.
Additionally, CPCs can share client data with developers of their CRMs. One of them, Next Level, is developed by the pro-life organization Heartbeat International. Next Level states on its website that combining data can allow them to use predictive and prescriptive analytics to achieve more powerful results for pregnancy care.
How to delete everything
There are reports of women in the United States deleting apps that track their menstrual cycle, but this won't erase the data already collected. To do this, app developers like Flo, Clue, and Natural Cycles ask users to contact their support service as per their privacy policies.
Lawmakers are also responding to the new threat. Congresswoman Sarah Jacobs introduced the My Body, My Data bill in the House of Representatives, which aims to allow app developers to collect a limited amount of user data. A group of senators is also working on a bill to prohibit the sale of geodata and medical data to brokers.
Some app developers plan to add an anonymous mode to their applications. Flo, for example, reported this. After this change, the company won't be able to link the account to a real person, even if requested by law enforcement agencies. However, some personalized features will also stop working in anonymous mode. A similar mode is being developed by the Natural Cycles app.
The app developer Clue released a statement emphasizing that it will not comply with official requests for user data from the United States, as it is based in Germany and is subject to the General Data Protection Regulation (GDPR).
Google announced on July 1 that it would remove visits to abortion clinics from its users’ location history in the coming weeks. The new policy will also apply to travel to fertility clinics, domestic violence shelters, drug treatment centers and other places where women with unwanted pregnancies may end up.
However, the most reliable way to avoid getting on maps with marks about visiting a particular place is not to take your phone with you there.