Worries About Post-Roe Data Privacy Put Spotlight on Period Apps

Bree Fowler Senior Writer
Bree Fowler writes about cybersecurity and digital privacy. Before joining CNET she reported for The Associated Press and Consumer Reports. A Michigan native, she's a long-suffering Detroit sports fan, world traveler, wannabe runner and champion baker of over-the-top birthday cakes and all-things sourdough.
Expertise cybersecurity, digital privacy, IoT, consumer tech, smartphones, wearables
Bree Fowler
5 min read
A woman's hands holding a smartphone displaying a period-tracking app.

Check your settings and read your privacy policies to keep tabs on what your apps are tracking.


What's happening

The overturning of Roe v. Wade by the Supreme Court has put a spotlight on the data privacy practices of period-tracking apps.

Why it matters

Digital privacy experts say women need to be concerned about the data collection and sharing habits of not just these apps, but all of them in their phones.

Security specialists say that women worried about their data privacy in the wake of the recent Supreme Court decision overturning Roe v. Wade need to think about more than just the apps they use to manage their period and other reproductive issues.

Bans and restrictions began kicking in across at least 16 states almost immediately after the announcement of the ruling, which ended nearly 50 years of federally protected abortion rights. The digital histories of abortion seekers, as well as people who help them, could become criminal evidence in some states where abortions are likely to be prosecuted.

Meanwhile, as new laws get passed and older ones begin to be enforced, legal dangers may extend to abortion seekers in even more states.

"Every individual needs to review their digital footprint in a way that they haven't before," said Sherrod DeGrippo, vice president for threat research and detection at the email security company Proofpoint.

Apps used to chart a woman's monthly cycle let her input and track when her period starts and ends, as well as when it doesn't occur. The information could be used by people trying to identify women seeking abortions if it's combined with data from other apps, like location tracking, internet searches and purchase histories.

Privacy experts and abortion rights advocates fear law enforcement will compel app developers to hand over data they've collected from female users. Largely unregulated data brokers could also sell data they've collected to law enforcement, which could deanonymize it to target individuals.

Some of that data is coming from places you wouldn't expect. Lockdown Privacy, which makes an app to block online tracking, recently discovered that Planned Parenthood's web scheduler can share sensitive, abortion-related information with third-party trackers, including Google and Facebook .

In addition to reaching law enforcement, experts say, data could also fall into the hands of so-called bounty hunters, who may receive more than $10,000 for successfully suing people involved in abortions in Oklahoma and Texas under new laws.

While it may be tempting to say women should delete period-tracking apps, the reality is that many women need them. Period-tracking apps can be useful for women trying to either conceive or avoid pregnancy. Charting a cycle with pen and paper can be tough for some members of the disabled community.

In the past, many of the apps' designers made money through advertising, said Lorrie Cranor, director of Carnegie Mellon's CyLab Security and Privacy Institute. Some apps would ask for permission to track a user's location so that it could be linked, along with menstrual cycle data, to deliver targeted ads. That information could be helpful to law enforcement, though they'd likely need to combine it with additional data to triangulate and identify women.

"It's not the case that there will be a big dashboard in the sky , where you will see a blinking light and know where someone seeking an abortion lives," Cranor said. 

Some app makers have responded to the recent concerns by changing data-sharing practices. Flo, the No. 1 period tracker, said it'll launch a feature called Anonymous Mode to give users the option of removing their identity from their account. Clue, another popular period and fertility app that promised not to share sensitive data with states after a draft of the decision leaked, saw a spike in downloads when it reiterated its pledge following the official ruling.

While period-tracker apps may be the most obvious example of data collection that women need to be concerned about in a post-Roe world, privacy experts say they need to look at their app collections as a whole. 

Daly Barnett, a staff technologist for the Electronic Frontier Foundation, said period apps are a "very real concern" but are a tiny piece of the bigger picture. People can be identified through the devices they're using, as well as behavioral identifiers such as the size of their browser window or the text fonts they use.

Angel Grant, vice president of security for the cybersecurity company F5, said just deleting a period-tracking app could give women a false sense of security.

Women should be particularly careful with fitness- and health-related apps that aren't covered by the privacy protections of the Health Insurance Portability and Accountability Act. The law, known commonly as HIPAA, protects traditional medical information like medical records, but it doesn't cover data collected by apps and devices like fitness trackers.

"Period and menstruation cycle tracking apps are tools women should feel empowered to use," Grant said. "But they should also understand the risks if that personal information gets into the wrong hands."

For more information about your reproductive rights and to find resources, visit the Department of Health and Human Services' site at ReproductiveRights.com.

Privacy protection tips

Think about deleting the app, if you can. The easiest way to avoid these potential problems is just not to use them. It's OK to track your cycle with a pen and paper, Proofpoint's DeGrippo said.

Choose an app that stores your data on your device or doesn't require an account. If the data doesn't leave your phone, it can't be shared, Carnegie Mellon's Cranor said. Similarly, it will be harder to connect data to you if the app doesn't require an account with personal information like your name and email.

Read the privacy policies. Yes, they can be long, wordy and less than helpful. But if an app is going to collect and share your data, it should say so here, Cranor said. This doesn't go for just period-tracking apps. It's for all the apps on your phone.

Review your privacy settings. Many apps will ask for permission to track your activity across your entire phone, not just the app itself, Barnett said. Just say no and check your settings to see if you might have granted permission to one by accident. Turn off ad identifiers, too.

Be wary of location tracking. Yes, a mapping app needs this permission. Letting a silly game collect location data could be a problem because that data could be combined with information from a period-tracking app to identify a woman and where she's been. Turn off location tracking on all your apps unless you think it's necessary.

Use a private browser for sensitive searches. Though they might not be the most convenient, browsers like DuckDuckGo are designed to protect your privacy, Grant said.

If the stakes are high, think about a burner phone. The EFF recommends using a second phone that can't be tied to your identity if you're seeking an abortion in a state where they're prohibited. Encrypted messaging apps that mask your identity and scramble the content are also recommended.

When in doubt, leave your phone behind. You don't need to get rid of your phone entirely, but you might start leaving it at home before you head to sensitive meetings and appointments. "We're now talking about criminal concerns that I don't think women ever thought about before," DeGrippo said.