Period tracker apps caught sharing sensitive health data with Facebook


Popular period tracker apps used by millions of women are sharing sensitive personal information such as monthly timings, contraception use, symptoms, mood, and sexual life with Facebook.

Some of the apps, including Maya and MIA Fem: Ovulation Calculator, have millions of downloads on the Google Play Store. They are also available for the iPhone.

“The data you share with your menstruation app is probably information you would not share with others,” Privacy International stated.

The data sharing happens via Facebook’s software development kit (SDK) that gives app creators a full range of tools to develop apps tailored to Android and iOS. Facebook Business Tools, such as tracking pixels, and Like and Share buttons that you see on sites across the web also send data automatically to the social media giant.

Sharing intimate medical data

Given the confidential nature of medical data, the idea that your blood pressure, mood and sexual life are shared with a third party — Facebook or otherwise — without seeking explicit informed consent is a cause for concern.

In response, Maya, Pinkbird, and Grupo Familia have removed the offending SDK from their apps. Facebook, for its part, puts the onus on app makers not to break platform rules or misuse its developer tools to collect private information. But it’s not clear whether Facebook has directly benefited from such data sharing in the first place.

“Our Terms require the app developer to be clear with their users about the information they are sharing with us and to have a lawful basis for the disclosure and use of data,” Facebook said in a statement.

[Image: Maya’s features]

The detailed investigation undertaken by Privacy International (PI) builds on a similar study undertaken by the UK-based non-profit watchdog last December. The findings disclosed how widely used Android apps like Duolingo, Yelp, Spotify, Skyscanner, and KAYAK automatically transferred data to Facebook the moment a user opens the app, whether or not that individual has a Facebook account and whether or not they are logged in.

Beyond the apps sending data to Facebook without a user’s consent and without proper disclosure, The Wall Street Journal revealed earlier this year that the behavior extended to iOS as well, despite Apple’s stringent privacy rules and protections.

Maya shared data about users’ use of contraception as well as their moods, PI’s analysis found. It also requested information about when users have had sex and whether the intercourse was protected or not. All this data was subsequently shared with Facebook.

“There is a reason why advertisers are so interested in your mood; understanding when a person is in a vulnerable state of mind means you can strategically target them,” PI noted.

Marketers can then leverage this information to target ads at users based on their moods, not least when they are pregnant, as that is when they are most likely to change their purchasing habits.

The GDPR divide

As far as data collection and sharing practices go, this is where it gets murky. Most companies aren’t upfront about what kinds of data they collect and for what purpose — instead resorting to dense legalese and vague phrases like “personalization” and “better customer experience.”

MIA Fem, for example, recommends articles to read based on your sex habits. “We selected ‘masturbated’ in the section on sex and were recommended an article called ‘Masturbation: What You Want to Know But Are Ashamed to Ask’,” PI said in its report. That data was then shared with Facebook.

The apps’ behavior once again raises questions about how much users can knowingly agree to such personal information being shared with third parties like Facebook, especially when online services have lengthy terms of service that most tend to gloss over or decide not to read at all.

[Image: MIA Fem’s features]

It’s also been repeatedly established that privacy policies are nothing but sophisticated traps. As Mikko Hypponen, the Chief Research Officer (CRO) at F-Secure, once said, “It doesn’t matter what it says in the policy. Nobody reads them.”

But tech companies have been repeatedly protected by their dubious privacy policies, furthering the wealth of personal data available to them. Moreover, the advent of EU GDPR guidelines for data protection has created a peculiar divide, with companies setting different privacy standards for their EU customers and their non-EU customers.

In this digital era, trading personal information for convenience seems to be de rigueur — and that’s assuming people understand they’re making an exchange at all. In any case, anyone who uses tech has already given up some privacy as the cost of this benefit.

But privacy isn’t all-or-nothing, and it isn’t one-size-fits-all. What matters is that you, as a user, have the ability to understand how your data is used, and control over whether it is used in a manner that’s in line with your expectations.

I will close with a final word from Steve Jobs, who famously said:

“Privacy means people know what they’re signing up for, in plain English and repeatedly. I believe people are smart and some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you’re going to do with their data.”

It’s been almost 10 years since he uttered those prescient words, but the fact that we’re still grappling with data security and protecting consumers even now shows how little the needle has shifted on privacy.
