With the recent Supreme Court decision to overturn Roe, a slew of states immediately banned and criminalized abortions, with many others set to follow suit. The swift rollback of reproductive rights in America has resulted in more questions than answers, from how these bans will affect everyday reproductive care to whether or not it’s safe to continue to use period tracking and fertility apps. Cybersecurity and legal experts have raised concerns about how that data might be used by the government to track when someone is pregnant — and when they aren’t pregnant any longer.
Some men, like activist Santiago Mayer, have begun to sign up for accounts themselves in an attempt to distort the data. “Should law enforcement agencies try to use full databases to identify women who might have had an abortion or miscarriage, the resources invested in isolating them will increase significantly,” he tells Romper. “I have been encouraging people to be chaotic, but not so chaotic that our profiles are easily discernible from real ones.” Meanwhile, many women and other people who can get pregnant are looking overseas for apps that are more secure. Still more are wondering if it’s time to bust out the paper calendar and basal thermometer again. (Hey, if laws are reverting to the last century, maybe period tracking has to also.)
What is the right answer? Are these apps safe for women in states where abortion is now criminalized? Are they safe for anyone in this country? We asked several legal and cybersecurity experts a series of questions to help people understand how their data might be used.
The chief of governance, risk, and compliance for Montgomery County, Maryland’s Department of Health and Human Services, Joy Royes is an attorney specializing in health policy and privacy. She’s been a part of the legal teams for both the Obama and Biden administrations and is a member of the legal advisory board for the University of Pennsylvania’s Actionable Intelligence for Social Policy. She also runs private law practice in Pittsburgh.
Jennifer Weiss-Wolf, an attorney and author focusing on reproductive rights, is the author of Periods Gone Public: Taking a Stand for Menstrual Equity. Weiss-Wolf currently serves as the inaugural women and democracy fellow at the Brennan Center for Justice at NYU Law and her forthcoming book, Period. Full Stop. The Politics of Menopause, will be published in 2024 by NYU Press.
Finally, Cathy Pedrayes is a cybersecurity content creator with more than 2 million followers on TikTok. Her book, The Mom Friend Guide to Everyday Safety and Security, helps women understand various safety topics from self-defense to data privacy.
What data safety concerns do you envision or worry about with the information we put into fertility and period tracking apps?
Joy Royes: The primary concern is always the unauthorized disclosure of protected health information (as defined by HIPAA). We don’t want anyone to have access to our info without our approval, whether it be by sale, by hacking, or by subpoena. No one should see my data without my permission. There are some specific circumstances when the government has a right to receive info without our position — instances where the government has a legitimate interest and does not need your approval to gain access to your information. That is where the battleground will be. How far is too far?
With abortion not only being banned but being criminalized, a subpoena will almost always require a company to give up the info it holds.
In all cases that I can think of, a subpoena in a criminal case is going to require that the information be disclosed by the custodian — without the object’s authorization. With abortion not only being banned but being criminalized, a subpoena will almost always require a company to give up the info it holds. In the case of period tracking and/or fertility apps, the mere documentation of a menstrual cycle — when it begins and where it ends — will most certainly serve an evidentiary purpose in a case related to the beginning and/or end of a pregnancy.
Cathy Pedrayes: [W]ith apps, it’s important to remember that they often sell data to third parties; that’s the business. This health data can include menstruation cycles, which can be sold and combined with location tracking data to piece together a puzzle of who is seeking services where.
There’s always the risk of hacking — now an even more insidious threat in light of bounty hunter laws, like the one in Texas, that create financial incentives for private citizens to report those suspected of aiding and abetting an abortion.
And with more states poised to criminalize abortion and pregnancy outcomes — including miscarriage and stillbirths — the apps could be used as the basis for prosecution, a burden that already falls heaviest on Black and brown women, whose bodies are more frequently overpoliced and targeted. At present, law enforcement can subpoena the companies for data stored on third-party servers; and even when data is stored on the user’s own device, which is presumably safer, it still can be subject to a search warrant.
Are there any legal protections for the data in these apps? What legal steps can we take to protect our data if we choose to continue using these apps?
JR: [The overturning of Roe v. Wade] just happened, so there are no legal protections right now. There is legislation flying everywhere like bullets to protect a woman’s personal health information.
JWW: Sens. Warren and Murray and others have proposed that the Department of Health and Human Services Office for Civil Rights clarify protections for data collected by period tracking apps. The FTC, which is currently responsible for oversight and enforcement, should similarly require apps to warn users about data risks and to use standardized consumer disclosures.
Some Congressional leaders have gone directly to Apple and Google, asking them to remove period trackers that collect users’ health data without obtaining explicit advance permission. “The Fourth Amendment Is Not for Sale Act,” which would limit law enforcement’s ability to buy personal information, would include data collected by period tracking apps. And the “My Body, My Data Act” is a new bicameral bill that would create a national standard for privacy protections for period tracking apps.
CP: Many mistakenly believe that health data in apps is protected by HIPPA. While that may be the case for some apps, such as ones your doctor may have you use, that doesn't apply to all apps, and it’s important to recognize that before agreeing to the terms and conditions. I don’t know of many legal options unless a company misrepresents their data selling policies (which has happened) or has a breach that they don’t disclose. For the most part, all of the decision-making falls on the user, and these apps don't make it easy with long complicated terms and conditions that you’re forced to accept to even use the product.
Have there been any instances so far of this data being requested or subpoenaed?
CP: Yes, Tapestri [a company that pays consumers for their consent to share their data] has reportedly received two offers to buy health data of users near certain state borders. They’ve reportedly declined, but we would need all apps and data brokers to publicly state this data is off-limits or, better yet, regulate it.
JR: Absolutely. Data disclosure and the right to privacy have been issues for at least two decades in criminal cases. There are broader issues at play. The real question is “Does the government have the right to receive health information to prosecute a criminal case?” The answer is “Sometimes.” Law enforcement requests it all the time. They ask for everything, always. When these state bans go into effect, law enforcement will again make the requests and data privacy lawyers will go back to work. The limitations will be shaped by the courts. To be clear, all bans on abortion criminalize it, and as such will have liberal precedent on its side to receive the data.
Some nonmenstruating people have been signing up for and using these apps this week to muddy the data, in an effort to protect women who are using them. Is there any merit to this process?
JR: Before the expansion of artificial intelligence, I would laugh and say, “Excellent.” However one of the strengths of artificial intelligence (AI) is its ability to clean data for us. I don’t think it will have much of an impact on the larger, more well-resourced companies that have AI capabilities, but may prove to be super effective for smaller apps that still rely on traditional data cleansing methods.
The safest option for women is to use apps that use entirely anonymized data. This means that even the company doesn’t know who you are.
CP: This would depend on what information the app is collecting and what they’re doing with it. On a high level, yes, it’s hard to infer much when you have a ton of data, but it doesn’t take much to cross-reference the data with other data sets and pinpoint users. That’s why we can’t trust when apps say they anonymize the data either because all it takes is a few data sets and suddenly it’s not so “anonymous” anymore.
Are there options that are safer than U.S.-based apps? Of the U.S.-based apps, are there any that have stronger data protection than others?
JR: I can’t recommend one app over the other, but I can recommend two features in order of desirability: first, anonymization and second, encryption. The safest option for women is to use apps that use entirely anonymized data. This means that even the company doesn’t know who you are. Your data is entirely de-identified without the ability of re-identification. There is no metadata and no tracking of location. A company cannot give any information that they cannot find. They cannot produce what they don’t have.
The second one is encryption. Encryption means that information is input one way and there is a special key to decrypt it. Data is a big money game. None of these apps want to destroy the data or render it unusable. Back-end data sales are why and how you get diagnosed with Type 2 diabetes and Ozempic winds up on your Facebook feeds! The largest data seller is Google. Every Google search you do makes you a potential customer for whatever that search was. Retailers and companies rely on this. So, there needs to be a balance — the utility of these apps coupled with their ability to be profitable against us feeding into an “evidence machine.”
Can we trust the statements apps put out, like this one from Clue?
JR: If those statements are not true, the Federal Trade Commission is authorized to take action against them — and they will. You, as an individual, can file a claim if a covered entity has not afforded you your privacy rights. I know from firsthand experience that they take those complaints very seriously.
CP: Have apps been caught misrepresenting their data policies? Yes, but the benefit of having a company with a very public stance on an issue, like Clue, is that if it’s revealed that stance was false, then there’s legal repercussions. There would also be a loss of users and customer trust, which hopefully is enough to dissuade a company from making bad decisions. That said, I’d prefer something more concrete and proactive when it comes to protecting data.
JWW: As earnest as such statements may be, if companies are subpoenaed, they simply may not have a choice but to turn over data.
How do you, in your expert opinion, see the future of fertility and period tracking apps, given the recent court decision?
CP: From my perspective, women have already had concerns about fertility apps. We’ve seen apps like Flo sell data without properly disclaiming it, so it’s easy to worry about who else might be doing the same.
JR: I worked on the Affordable Care Act as part of Obama’s team and returned to serve on Biden’s Health Policy Committee for the campaign. I know many of the folks in this administration’s health policy shop, and I fully expect to see a movement to protect women’s reproductive rights. The International Association of Privacy Professionals has been working on a national privacy act for some time, so this issue of privacy is on the radar of Congress. Nobody saw this coming, but the foundation for legislative protection is in place.
However, if I was a betting woman, I would look toward the tech sector first. Necessity is the mother of invention. It is my belief that Silicon Valley and its friends will come through with a technical solution that will address the issue. It is something else they can sell. I am sure they all want to be the first to offer a product that offers reproductive rights privacy protections.
JWW: One thing we can’t ignore is that for many, period tracking apps have become a default to the dearth of sex and health education in this country: 21 states have no mandate to provide it at all, and of those, 13 do not even require that it be medically accurate.
One way to redirect people from apps is to find other ways to share some of the same education they provide. A novel way I’ve proposed in this Newsweek op-ed is that the federal government require menstrual product companies — which have a captive audience of millions — to provide accurate information about the menstrual cycle as it pertains to early pregnancy in packaging and on consumer websites, much like the FDA mandates uniform language about the risks and symptoms of toxic shock syndrome.
In your opinion, should we delete these apps and request our data be removed?
JWW: I personally would not use a period tracking app and risk my information being compromised. These apps do not provide any insight or information that people can’t learn to decipher themselves with pen, paper, and a basal thermometer.
I’d argue the trail is already being tracked and sold to marketers; whether that same data could be abused for criminal proceedings remains to be seen.
CP: The larger problem is data brokers. While you could take some precautions by deleting a health app and asking to have your data deleted (no guarantee it would be), what about your search engine, browser, or Internet service provider? Are you using Google and Facebook to log into all of your apps and/or sharing data across apps? Are you making purchases with a credit card? Whether you have a health app or not, all of this other data is enough to pinpoint some details. I may not know your exact menstruation cycle, but if you stop buying tampons for a year, I can infer you’re probably pregnant and/or breastfeeding.
In terms of data [outside of apps], I’d argue the trail is already being tracked and sold to marketers; whether that same data could be abused for criminal proceedings remains to be seen. We know historically data has been abused throughout the world, particularly in authoritarian regimes so it’s certainly possible, but my guess would be that medical professionals would be an easier and more efficient target.
JR: I believe in a woman’s choice. It depends on why you are using it and where you live. Is there a possibility that an unwanted pregnancy is a possibility for you and you live in a state where it is impermissible? Plan accordingly. The apps that provide this service are trying to be responsive. They are working to see how they can make changes to protect women. If women choose to use the apps, they should educate themselves so they are clear about what they are using and what the potentialities are.
I have two young adult daughters. I have instructed both of them to not use any of the apps until this situation matures. In the meantime, we should have a healthy supply of Plan B contraception available so that we are not forced to make any choices we do not want to have to make. We will continue to do what’s legal until it isn’t.