Following the abolition of the right to abortion in the US, users of period-tracking apps fear that their medical data could become the basis for criminal prosecution if there are signs of an aborted pregnancy. We look at who collects and distributes personal information, and how.
After the US Supreme Court overturned the Roe v. Wade ruling and abortion was de facto banned, reports appeared in the media that mobile apps for tracking the menstrual cycle can be used to obtain data about women who have abortions.
Such applications are used by millions of women around the world: for example, Flo, according to the company’s own data, has more than 40 million active users per month, and Clue has 12 million. These applications collect data on when users’ periods start and end, and therefore on delays that may indicate the onset of a pregnancy and its subsequent termination. Many applications also allow users to sign in with Google or Facebook accounts (owned by Meta, which is recognized as extremist in Russia and banned). Some also collect geolocation data.
All collected data belongs to the development companies, which themselves are unlikely to endanger their users. However, if illegal abortion proceedings are initiated at the request of third parties, law enforcement agencies can use the woman’s digital footprint as evidence. And it’s not just data from menstrual trackers.
Geodata
In 2015, John Flynn, CEO of marketing agency Copley Advertising, contacted RealOptions, a California chain of maternity crisis centers. Copley Advertising had developed geofencing technology that showed store ads to people in the vicinity of those stores, while RealOptions worked to persuade women who came to its crisis centers not to have an abortion. Flynn suggested that the chain target pro-life ads at women attending abortion clinics. A year later, in one of his presentations, he claimed that more than 800,000 women had seen the ads he targeted, and more than 2,000 had gone to the RealOptions website.
Geofencing uses user location data collected by mobile applications. Such geodata is anonymous, and there is no evidence that Flynn tried to identify the women to whom he showed RealOptions ads (in 2017, the Massachusetts prosecutor’s office investigated Copley Advertising, after which the company stopped using geofencing on visitors to abortion clinics). But in theory it is possible. For example, through social engineering: by showing fake advertising to people who visit abortion clinics and asking for personal information (names, email addresses), ostensibly for a prize draw or a preferential loan program.
Or by analyzing the movements of the phone over a long period of time. In 2018 The New York Times, by exploring a geodatabase, was able to associate a repetitive route with a specific person—a teacher who made her way from her home to school and back every weekday. After reviewing (with her permission) other geodata collected by her phone, the journalists were able to learn about walking the dog, a night spent at the house of a former boyfriend, and a trip to the doctor. In her case, it was a dermatologist, but in the database taken for the study, there was also a user who spent about an hour in a family planning center.
Companies that collect such databases are not interested in individuals: they use the datasets to build models, which in turn help marketers analyze the market, predict user behavior and plan advertising campaigns. The danger lies in leaks and the unrestricted sale of sensitive data. In May 2022, Motherboard, Vice’s technology supplement, discovered that on the website of the company Placer.ai one could buy maps showing the approximate places of residence of visitors to clinics where abortions are performed. It takes a few minutes to create an account and start browsing data related to a particular clinic. Similar datasets had previously been found at SafeGraph. The data in them is aggregated, that is, what is tracked is not individual mobile phones but clusters of them. But if there are only four or five phones in a cluster, revealing the identities of their owners becomes relatively easy.
The reward for this may be $10,000: this is how much, for example, a plaintiff will receive under Texas law for winning a lawsuit against an organization or person who provided assistance with an illegal abortion. According to a Google report, from 2018 to 2020 the corporation received over 20,000 requests from US law enforcement agencies to disclose user geodata, and the number of these requests is growing: in 2018 there were fewer than 1,000 of them, and in 2020 more than 11,000.
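The small-cluster problem described above for aggregated clinic-visitor datasets is what small-cell suppression addresses on the publisher's side. The following is an added example, not code from the article or from any company it names; the threshold `K`, the function name and the sample counts are assumptions constructed for illustration.

```python
from collections import defaultdict

K = 10  # assumed policy: never publish a cell with fewer than K devices

# Constructed sample: (place, home area of visitors, number of devices)
SAMPLE_ROWS = [
    ("clinic-A", "tract-101", 42), ("clinic-A", "tract-102", 17),
    ("clinic-A", "tract-103", 4),  ("clinic-A", "tract-104", 5),
    ("clinic-B", "tract-201", 3),  ("clinic-B", "tract-202", 2),
    ("clinic-C", "tract-301", 30), ("clinic-C", "tract-302", 6),
    ("clinic-C", "tract-303", 7),
]

def suppress_small_cells(rows, k=K):
    """Return {place: {"cells": {area: count}, "other": count}} safe to publish.

    Cells below k are folded into an unlocated "other" bucket. Places whose
    total stays below k are left out of the release entirely.
    """
    by_place = defaultdict(lambda: defaultdict(int))
    for place, area, count in rows:
        by_place[place][area] += count

    published = {}
    for place, cells in by_place.items():
        keep = {a: c for a, c in cells.items() if c >= k}
        other = sum(c for c in cells.values() if c < k)
        if 0 < other < k:
            if not keep:
                continue  # the whole place is a small cluster: publish nothing
            # A residual bucket below k is itself a small cell, and it can be
            # derived by subtraction if the place total is known. Fold the
            # smallest published cell into it so the bucket reaches k.
            smallest = min(keep, key=keep.get)
            other += keep.pop(smallest)
        published[place] = {"cells": keep, "other": other}
    return published

if __name__ == "__main__":
    for place, release in suppress_small_cells(SAMPLE_ROWS).items():
        print(place, release)
```

Thresholding of this kind does not by itself stop differencing between successive releases of the same dataset; that needs consistent suppression over time or added noise.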
Orgasms and delays
Applications track more than users’ geographic location. For example, in 2018 it became known that the medical application Medical Appointment passed information about trauma patients to law firms. In 2019, a team of scientists from Canada, Australia and the USA analyzed 24 health-related apps: on average, each asked the user for four permissions to access data stored on the device (including calls and an email address), and the majority (71%) transferred that data to third parties. In total, the 24 applications supplied user information to 55 organizations.
According to Columbia University researchers, menstrual trackers are the fourth most popular kind of app in the health category.
Users themselves tell these apps when menstruation begins and ends, and more besides. The applications offer to record ailments, acne, sports, mood swings, toilet visits, orgasms, contraception, and other events of private life. In 2019, Privacy International analyzed several such applications and found that two of them, Maya and MIA, started sending user data to Facebook even before the user had agreed to the privacy policy. The applications did not hide the fact that they transfer user data to third parties, but they did not explain to whom, why and in what form.
At the same time, The Wall Street Journal found out that sensitive information was shared with Facebook (as well as Google, AppsFlyer and others) by the Flo app. According to the Federal Trade Commission complaint, the developer company shared data about “in-app events” with third parties (for example, that the user had switched the app to pregnancy mode) and did not restrict the use of this data. Flo later changed its privacy policy and conducted an independent privacy audit. Flo’s privacy policy currently states that AppsFlyer only receives technical identifiers (IP address, advertising IDs), subscription status, reports that the app was launched, and age group.
In 2020, the app developer company Glow was fined $250,000 for transferring user data to third parties without the users’ consent. In addition, a vulnerability was discovered in the application, due to which any account could easily be hacked.
But an application may be more than just a dishonest data merchant. In 2019, The Guardian reported on the Femme app, which “raised doubts about the safety and effectiveness of contraceptives, arguing that they can be harmful to a woman’s health, and that a safer, ‘natural’ way to avoid pregnancy is to track the cycle.” “Hormonophobia” is the most common reason for refusing hormonal contraception in Western countries, despite the fact that when a doctor correctly selects a modern fourth-generation drug, the risk of side effects is minimal.
As it turned out, Femme’s medical consultants do not have a medical license, but are associated with the Catholic University of Santiago (Chile). And the application itself was created and supported by the Chiaroscuro Foundation, which, in turn, was sponsored by the New York-based private Sean Filer Foundation. Other recipients of funds from this fund include politicians who advocate a ban on abortion. According to Femme CEO Anna Halpine, the app does not promote any position on abortion.
Fake clinics
The biggest danger for American women who want to hide the fact of pregnancy or abortion is the medical institutions themselves. For example, in 2019 it became known that the government of Missouri required what was then the only abortion clinic in the state to report the dates of operations and the gestational age of fetuses. The data did not contain the names of the patients, and Randall Wilms, director of the state health department, assured that they were collected to monitor the quality of medical services, after complaints were received at the clinic. But the event caused concern among pro-choice activists. In 2022, Missouri banned abortion altogether, the first state to do so after the ruling in Roe v. Wade was overturned.
Under the Health Insurance Portability and Accountability Act (HIPAA), a doctor can release a patient’s medical information to the police if they believe a crime is being committed in a healthcare facility or emergency room. But some of this data, especially if it is incorrectly collected and presented, can be misinterpreted. For example, a woman who seeks help for a miscarriage or bleeding after childbirth may be prescribed medications that are also used during abortion.
In addition to medical institutions, the country has so-called crisis centers for pregnant women, or CPCs (from “crisis pregnancy center”). There, pregnant women face misinformation (for example, statements that abortion causes cancer and mental illness) and pressure (persuasion, a “mandatory” ultrasound of the fetus and stories about how it develops). Women report that by contacting a CPC they lost the time they needed to end their pregnancy in time.
However, many ended up in a CPC precisely because they wanted to have an abortion: crisis centers target their ads at women who are looking for relevant information on the Internet, and optimize their sites so that they appear in search results for queries related to abortion. According to the UK Hate Action Center (which also operates in the US), 11% of Google search results for “abortion clinic near me” and “abortion pill” in states where abortion has been effectively banned lead to CPC websites. For searches on Google Maps, the figure is up to 37%.
When a woman arrives at a CPC, she is greeted by staff dressed in medical gowns. The patient questionnaire asks about chronic and hereditary diseases, medications taken, bad habits and addictions, past pregnancies, as well as marital status, housing conditions, education and sources of income; she also enters her name, address and telephone number. But although CPCs look like clinics, they are not medical facilities, which means they are not covered by HIPAA and FTC requirements. The centers themselves, defending their activities, appeal to the First Amendment, which guarantees freedom of speech.
Their own data processing policies are often confusingly worded, for example, leaving the CPC free to disclose customer information “to prevent a serious threat to the health or safety of you or any other person under the law.” Women’s Media Center tells the story of a woman who visited a CPC and then had an abortion elsewhere: the crisis center staff called her and even her mother to find out the details of the operation.
In addition, CPCs can share client data with the developers of their CRMs (customer relationship management systems). One of them, Next Level, was created by a major pro-life organization, Heartbeat International. “Big data is revolutionizing industries around the world, and now is the time to do the same for the life-affirming work of pregnancy care. By combining the data obtained separately, we can begin to use predictive and prescriptive analytics and change the rules of the game, achieving more powerful results,” Next Level writes on its website.
How to delete everything
The media reported that women in the US are deleting apps that track the menstrual cycle en masse, but this will not help to remove already collected data from the databases. To do this, application developers (for example, Flo, Clue and Natural Cycles) invite users to write to the support service (addresses can be found in the privacy policies).
Legislators are also reacting to the new threat. For example, Congresswoman Sarah Jacobs introduced the “My Body, My Data” bill in the House of Representatives, under which app developers may collect only a limited amount of user data. A group of senators is working on a bill to ban the sale of geodata and medical data to brokers.
The developers of some applications plan to add an anonymous mode to them. This was reported, for example, by Flo. After that, the company will not be able to link the account to a real person, even if it receives an official request from law enforcement agencies, although some of the application’s personalization functions will also stop working in anonymous mode. Natural Cycles is developing a similar mode.
Clue, the application’s developer, released a statement in which it emphasized that it was not going to respond to any official requests for user data from the United States, since it is located in Germany and is subject to the GDPR (General Data Protection Regulation).
Google announced on July 1 that it will remove visits to abortion clinics from the location history of its users in the coming weeks. The new policy will also apply to travel to fertility clinics, domestic violence shelters, drug treatment centers and other places where women with unwanted pregnancies may end up.
However, the most reliable way to avoid getting on maps with marks about visiting a particular place is not to take your phone with you there.