If you're trying to get pregnant, you may have turned to an ovulation- or period-tracking app for help. Millions of women around the world use them for a variety of reasons. But what happens to the highly personal data people enter in these apps? In some cases, it gets fed to third parties — including Facebook. That's according to a BuzzFeed News investigation and a new report by the UK-based advocacy group Privacy International, which looked at apps being used in different parts of the world.
The apps monitored in the study included Maya by Plackal Tech, MIA Fem by Mobapp Development Limited, and Mi Calendario Menstrual by Grupo Familia (an app targeting users in Latin America). The researchers also looked at My Period Tracker by Linchpin Health, Period Tracker & Ovulation Calculator by Pinkbird, and Period Tracker by GP International LLC.
The World's Marco Werman spoke with Eva Blum-Dumontet, the researcher who led the study on the period-tracking apps at Privacy International.
Marco Werman: What are some of the apps that you looked at and what purpose do they serve?
Eva Blum-Dumontet: We looked at Maya by Plackal Tech, MIA by Mobapp Development Limited, and Mi Calendario by Grupo Familia — which is an app targeting users in Latin America. We also looked at My Period Tracker by Linchpin Health, Ovulation Calculator by Pinkbird, and Period Tracker by GP International LLC. And what we found is that the ones that are both called Maya [MIA] have very worrying practices because essentially they ask their users to enter extremely sensitive data, not just about their menstruation but also about their sexual lives, and also all sorts of medical data, like their birth control pill, but also even like their blood pressure, any sort of medical history they might have. And this is all shared with Facebook and other third parties.
And those other apps that you mentioned — are they also acquiring the same kind of data?
All of them actually are collecting very sensitive data. The other ones were not sharing [that data] with Facebook or other third parties. But what they were doing though is that every time the user would open the app they let Facebook know that the user is opening the app. So Facebook knows that you're using this app, which means that you're a person who menstruates ... [or it] means you're at a time of your cycle where you're actually on your period. It probably also tells Facebook that you may be either trying to have a child or trying to avoid getting pregnant. So there is a lot of information already that can be inferred from just nearly letting Facebook know that you've opened up the app.
Just to be clear, the app developers would say this [information] is legitimately needed to make certain determinations about your fertility, correct?
So, it's needed for them, but what's absolutely not mandatory, is sharing it with Facebook.
So what does Facebook do with this information?
It's unclear at this stage what Facebook does with this information. [But] what we question is why a company like Facebook should have access to this data when we think back to the reality of what has happened with Facebook collecting so much data about us in the past, and, obviously, I'm thinking, for example, about the Cambridge Analytica scandal and the targeting of populations in the context of elections. It is worrying that a company like Facebook would hold so much data and so much personal intimate data.
Who around the world is typically using these apps?
So the apps we’ve looked at are particularly popular in India, in Indonesia, and in the Philippines.
Right. And women there — are they giving this information voluntarily? I mean, do you know if there are concerns about privacy in those countries?
We partnered with BuzzFeed for this research and they've interviewed users of these apps in various countries, and, obviously, sadly, a lot of users are simply not aware of the data collection and data sharing of those apps and their practices.
Right, which seems like this ought to be changed. If people are unaware, they should be made aware. I mean, how clear do these apps make it in their terms of service?
We have been looking at the privacy policies of those apps. It's worth bearing in mind that for the general public, for the average person, it would be actually quite a difficult thing to read. It's not necessarily written in very accessible language. It's quite long.
Did you not explicitly clarify the extent to which they share information with third parties?
So we actually question even the legality of the privacy policies that are not sufficiently transparent, not sufficiently explicit, especially, when, as I said, they are collecting medical data.
I mean, the thing is, even when people are aware and they then decide to fork over their data, they're doing it voluntarily, right?
Well, there is a question to be asked — is it people doing it voluntarily when they don't actually understand what's going to happen to this data and when it's not properly explained to them? In European data protection legislation, there is the really important notion of informed consent. If you don't understand what you're signing, it cannot be understood as informed consent, and that's actually what we would argue in this case.
This interview was edited and condensed for clarity.