Privacy concerns over period-tracking apps are valid, Mozilla report finds

The report finds that the privacy policies of the apps they evaluated are “riddled with loopholes.”

In a report released last week, Mozilla, maker of the privacy-focused browser Firefox, found that 18 out of 25 reproductive health apps and wearable devices that it investigated had insecure, insufficient, or outright exploitative privacy and security practices. In a post-Roe America, the kind of data these apps and wearables collect can be—and has been—used by authorities to determine if users are or have been pregnant, have sought information about abortion services, or have even obtained an abortion.

In 2017, Mozilla created its *Privacy Not Included buying guide to help people shop for safe products that are connected to the internet. Many devices and services track large amounts of identifying and incredibly personal information, and don’t take the necessary steps to protect it. 

The minimum security standards Mozilla is looking for are fair and, for the companies and developers creating these products, relatively simple to have in place. The organization says that user data should be encrypted when transmitted over the internet and stored in a database; security updates should be automatic, enabled by default, and supported for a reasonable period after sale; people should be required to use a strong password; the manufacturer needs to have a vulnerability management system in place so security researchers can inform them of any security issues they find; and there needs to be a publicly available privacy policy. 

As well as the minimum security standards, Mozilla also investigates how each product uses the data it collects on its users (for example, selling it to data brokers is a bad thing), how easy it is for users to control their data, and if the company has a good track record of protecting user privacy. 

If an app or product falls short on two or more of the categories (or Mozilla can’t confirm it meets the minimum security standards) it gets flagged with a *Privacy Not Included warning label. This is what 18 of the 25 reproductive health tracking tools received. 

In its investigation, Mozilla looked at ten of the most popular period tracking apps, ten of the most popular pregnancy tracking apps, and five wearable devices that track fertility. 

Overall, the apps fared terribly. Mozilla found that these apps typically collected a “buffet” of data that was used to target users with ads and was sold to third parties. Often the apps operated a “data first, then consent” model where data collection started before users even opted in. There were also rarely clear guidelines about how, when, and what data could be shared with law enforcement—a particularly troubling issue given the nature of the apps and devices in question. The only app to get a Best Of was Euki, created by Women Help Women. Natural Cycles – Birth Control also did okay, but still had some troubling data practices.

Here are all the apps that got slapped with the *Privacy Not Included warning label: Clue Period & Cycle Tracker; Preglife Pregnancy App; Ovia Pregnancy; Babycenter; Pregnancy+; Period Tracker by GP International LLC; WebMD Pregnancy; My Calendar Period Tracker; What to Expect Pregnancy Tracker & Baby App; Flo Ovulation & Period Tracker; Pregnancy & Due Date Tracker; The Bump Pregnancy Tracker & Baby App; Ovia Fertility; Glow Nurture & Glow Baby; Maya Period, Fertility, Ovulation, & Pregnancy; Period Calendar Period Tracker; Glow & Eve by Glow; and Sprout Pregnancy.

The wearables did much better. None of the Garmin, Apple Watch, Oura Ring, Fitbit, or Whoop devices Mozilla investigated handled data as poorly as the apps. There are still plenty of legitimate concerns with any kind of large-scale data collection, but the odds are much higher that your data will stay safe.

On the other hand, if you use an app that got Mozilla’s *Privacy Not Included warning label, we suggest you click through to the relevant link above and read a little more. Mozilla is very good at laying out what exactly was concerning about the apps. For example, it flags that WebMD Pregnancy collects user data that it transfers (and possibly sells) to third parties. It also has a very wishy-washy statement about complying with law enforcement requests. If any of that concerns you, then you shouldn’t use WebMD Pregnancy.

In the report, Ashley Boyd, Mozilla’s vice president of advocacy, says, “Overnight, apps and devices that millions of people trust have the potential to be used to prosecute people seeking abortions. Our research confirms that users should think twice before using most reproductive health apps; their privacy policies are riddled with loopholes and they fail to properly secure intimate data.” We agree.