Menstrual app: better data protection, but rarely optimal

Apps that many women use to monitor their menstrual cycle reveal less data to Facebook and other companies. Most of them could make improvements.

(Image: kei907/Shutterstock.com)

Many women use apps to keep track of their periods, symptoms associated with their cycle and ovulation, for example. Privacy International found unpleasant data protection issues with period trackers in an investigation in 2019. Several apps automatically forwarded sensitive health data to Facebook, even if users had not given their consent. Now there is a new Privacy International (PI) audit report.

In it, the human rights organization gives the major period tracker industry a better, but by no means flawless, report card. The organization examined the applications Flo, Period Tracker by Simple Design, Maya by Plackal Tech, Period Tracker by GP Apps, Womanlog and Wocute, which are particularly frequently downloaded from the Google Play app store, as well as Stardust, which emphasizes data protection, and finally the non-commercial open source app Euki. Only the latter scored flawlessly in the data protection analysis.

Static analyses of the apps using Exodus Privacy, which identifies known trackers among other things, were followed by dynamic analyses of data traffic using Data Interception as a Service (DIAAS) developed by Privacy International itself. Finally, the terms of use and privacy policy were also included.
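The dynamic part of the method described above comes down to capturing an app's outbound requests and triaging each one: which host it goes to, whether that host is first-party or a known third-party SDK, whether the request carries health data, and whether it even uses TLS. The script below is an added illustration of that triage and is not Privacy International's DIAAS code, nor anything from the apps named in the article. It goes slightly beyond this paragraph by also covering the kinds of findings reported later in the article (health data in a third-party request body, and cleartext connection attempts that an eavesdropper could observe). The captured requests, the first-party domain and the small tracker signature list are all constructed for the example; a real audit would use a maintained signature database such as the one Exodus Privacy publishes.

```python
"""Triage of captured app traffic: first-party vs third-party hosts, known
tracker SDK endpoints, health data in requests, and cleartext connections.

Added example, not part of the original article or the PI audit tooling.
"""
import json
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qsl, urlsplit

# Illustrative signature list (constructed for this example). Real audits use a
# maintained database of tracker hosts, e.g. Exodus Privacy's.
TRACKER_SIGNATURES = {
    "graph.facebook.com": "Facebook Graph API",
    "app-measurement.com": "Google Analytics for Firebase",
    "appsflyer.com": "AppsFlyer",
}

# Field names a period tracker would use for sensitive health data (constructed).
SENSITIVE_KEYS = {"period_start", "period_end", "symptoms", "notes", "birth_date"}


@dataclass
class Request:
    """One captured HTTP request as an interception proxy would record it."""
    method: str
    url: str
    body: str = ""


@dataclass
class Finding:
    url: str
    host: str
    third_party: bool
    tracker: Optional[str]
    cleartext: bool
    sensitive_fields: List[str]


def domain_matches(host: str, suffix: str) -> bool:
    """True if host equals suffix or is a subdomain of it."""
    return host == suffix or host.endswith("." + suffix)


def extract_fields(query: str, body: str) -> set:
    """Collect parameter names from the query string and the body
    (JSON object or form-encoded); values are deliberately not inspected."""
    fields = {k for k, _ in parse_qsl(query)}
    if body:
        try:
            data = json.loads(body)
            if isinstance(data, dict):
                fields |= set(data.keys())
        except ValueError:
            fields |= {k for k, _ in parse_qsl(body)}
    return fields


def classify(req: Request, first_party_domains: set) -> Finding:
    parts = urlsplit(req.url)
    host = parts.hostname or ""
    third_party = not any(domain_matches(host, d) for d in first_party_domains)
    tracker = next(
        (name for sig, name in TRACKER_SIGNATURES.items() if domain_matches(host, sig)),
        None,
    )
    sensitive = sorted(extract_fields(parts.query, req.body) & SENSITIVE_KEYS)
    return Finding(req.url, host, third_party, tracker, parts.scheme == "http", sensitive)


def audit(requests: List[Request], first_party_domains: set) -> List[Finding]:
    return [classify(r, first_party_domains) for r in requests]


def summarize(findings: List[Finding]) -> dict:
    """Reduce per-request findings to the headline items an audit report lists."""
    return {
        "third_party_hosts": sorted({f.host for f in findings if f.third_party}),
        "trackers": sorted({f.tracker for f in findings if f.tracker}),
        "health_data_to_third_parties": [
            f.url for f in findings if f.third_party and f.sensitive_fields
        ],
        "cleartext_connections": [f.url for f in findings if f.cleartext],
    }


# Constructed sample capture: one first-party sync, two SDK calls, one plain-HTTP
# ad request. Hostnames ending in example-* are placeholders.
FIRST_PARTY = {"example-tracker.app"}
SAMPLE_REQUESTS = [
    Request("POST", "https://api.example-tracker.app/v1/cycle",
            json.dumps({"period_start": "2024-05-01", "notes": "cramps"})),
    Request("GET", "https://graph.facebook.com/v12.0/app/activities?event=app_open&advertiser_id=abc"),
    Request("POST", "https://app-measurement.com/a", "app_id=1&period_start=2024-05-01"),
    Request("GET", "http://ads.example-adnet.net/init?sdk=1.0"),
]

if __name__ == "__main__":
    print(json.dumps(summarize(audit(SAMPLE_REQUESTS, FIRST_PARTY)), indent=2))
```

Only parameter names are compared against the sensitive-key set, so the script never needs to log the health values themselves; the same triage works on a HAR export from a proxy once each entry is mapped onto `Request`.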

"In general, our investigation found that the apps were less egregious in their data sharing compared to our findings last time," writes PI. "This time we did not find that the period trackers were sharing their users' periods with Facebook, but we did find that several apps continue to embed ad networks and analytics services, and that these third parties often process certain personal and/or device-related data."

Market leader Flo shows significant improvement. There is no longer any automatic data transfer to Facebook; the default settings are largely privacy-friendly. Data is only passed on after opt-in. There is also the option of anonymous use; in this case, the Flo operator does not know any names and therefore cannot pass them on to the authorities. In anonymous mode, the data traffic running via Cloudflare is also encrypted end-to-end. However, PI tested the normal version, not the anonymous mode. The minimum age for users is 16, and it is mandatory to state your year of birth.


Occasionally, addresses belonging to AppsFlyer, a service for analyzing app usage and marketing, appeared in Flo's data traffic. Flo discloses its use of AppsFlyer and Cloudflare in its privacy policy, not only through general clauses but by naming them specifically.

PI also reports improvements for the Period Tracker by Simple Design app. Unlike in 2019, health data entered by users is no longer transferred to servers, but only stored locally on the device. However, the app has triggered a "flood of web traffic" to advertising and analysis services, including several Google services, because the programmers have installed corresponding SDKs. Every time the app was called up, device information was transmitted for advertising purposes.

The Indian period app Maya has also stated that it has stopped sharing health data with Facebook, but it continues to use SDKs from Facebook, Google and others for advertising purposes. Consent is obtained through a cumbersome form in which some options are preset to the privacy-friendly choice and others are not, so caution is advised.

Google apparently also collects data about the location of the device. PI also discovered suspicious calls to the Facebook Graph API, which suggests that the Facebook Core SDK may still be included in Maya after all. At least Facebook's server rejected all of these contact attempts.

To use Maya, an account must be set up with an email address. Health data entered is immediately transferred to a server, including any notes made by the user. According to PI, the privacy policy is "rather vague".

Period Tracker by GP Apps can be used without an account and health data is only stored locally. The app asks for consent to personalize the advertising displayed, which can also be declined. Nevertheless, there are calls from advertising services. However, some of the parameters were so outdated that the connections to the advertising services did not work. The problem: third parties could intercept these connection attempts.

Womanlog transmits the health data entered to a server. Its consent form for advertising-related processing is similarly complex to Maya's. An account with an e-mail address is only required if you want to use the chatbot, which is provided by OpenAI.

This bot costs money, is designed to answer questions and predict periods. Accordingly, it has access to at least some of the health data entered, including the period days. Each chat with the bot is given its own identification number. Womanlog also communicates with advertising services and the Facebook Graph API for Facebook's login service but, as far as can be seen, does not transmit any health data.

Wocute from Singapore also transmits the health data and notes entered to a server. An account is not required. There are repeated connections for analysis or advertising purposes, including to the Chinese Beacon QQ and Berlin-based Adjust. Once again, the Facebook Graph API is contacted, this time with outdated parameters that still work. Some of the connections are routed through the Chinese Alibaba cloud. The privacy policy reveals that personal information is stored on Chinese servers. The SDKs used are not mentioned by name.

Stardust is based in New York and focuses on astrology and data protection. The Android app can only be used with a Google account; Google then also passes on the user's name, email address and even photo to Stardust. Stardust claims to use a service called Rownd to separate the user's identity from the health data transmitted to Stardust's servers: Rownd stores the identity, Stardust stores the health data.

Is this separation really an obstacle for prying authorities? In fact, there are numerous data connections to Rownd via Cloudflare. And while other apps either omit the date of birth or only request the year of birth, Stardust collects the exact date.

Stardust also communicates with analysis and marketing servers, as well as with a service for push notifications and one for in-app purchases. The latter runs on servers of the passenger transportation provider Lyft. PI points out that Stardust claims to be particularly data protection-friendly, but does not disclose the names of most of the third-party services used in its privacy policy; it only uses general formulations.

Euki stands out from the test field. It was founded as a non-profit project and the source code was published as open source last year. There is no user account and the app does not transfer any data to servers. During the test, DIAAS only saw background connections from the Play Store. Rating: Reduced to the max!

The human rights organization recommends that operators of menstrual apps offer anonymous use without an account and with purely local data storage, give users full control over their data, fully disclose the third parties involved and the information entrusted to them, obtain each user's consent before any data transfer, limit both data collection and data transfer to what is necessary, and continuously close all security gaps. Regulatory authorities should pay particular attention to menstrual apps because they collect sensitive health data, Privacy International demands.

PI advises users to be suspicious if an app asks unnecessarily detailed questions and perhaps not to use the app in question. In general, PI refers to ad blockers, switching off personalized advertising in the smartphone's operating system, rejecting optional advertising and analysis data processing in the app's settings, and generally using the respective app as sparingly as possible.

(ds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.