As states grapple with the issue of abortion in the wake of the Supreme Court overturning Roe v. Wade, some women are becoming increasingly concerned about health data privacy in the digital age – and whether their information might be used by law enforcement for potential legal cases. 


What You Need To Know

  • As states grapple with the issue of abortion in the wake of the Supreme Court overturning Roe v. Wade, some women are becoming increasingly concerned about health data privacy in the digital age

  • Researchers at Mozilla investigated over two dozen period and pregnancy tracking apps and wearable devices for their privacy and security practices surrounding personal health data

  • Of the apps and devices studied, 18 received Mozilla’s “*Privacy Not Included” warning label; Mozilla looks for a number of factors when identifying a product as such, and a company must fail two or more of its benchmarks

  • Only one service provider – a sexual and reproductive health app called Euki – earned a spot in Mozilla’s “Best Of” category for offering robust protections and not collecting any personal data

The concern rests primarily in states that have already or might soon restrict abortions based on fetal viability. Previously, Roe defined fetal viability as the “interim point at which the fetus becomes … potentially able to live outside the mother's womb,” typically between 24 and 28 weeks of gestation. Many states ban abortion before that definition of viability, at 20 weeks after fertilization, or about 22 weeks of gestation — the time since the patient's last menstrual period.

Advocates fear that the data from apps that monitor a person’s fertility and date of last period might aid law enforcement in levying charges against women who received an abortion or the doctor who provided the procedure.

According to one recent study, at least some of those fears are grounded in reality. Researchers at Mozilla investigated over two dozen period and pregnancy tracking apps and wearable devices for their privacy and security practices surrounding personal health data – and found most had “opaque” policies in place, with little clear information on data-sharing practices with law enforcement. 

The study examined ten period tracking apps, including Euki, Natural Cycles, Flo, Glow and Eve; ten pregnancy tracking apps, including Preglife, Babycenter, WebMD Pregnancy and Sprout Pregnancy; as well as five wearable fitness devices like Fitbit, Apple Watch and the Oura Ring. 

Of the apps and devices studied, 18 received Mozilla’s “*Privacy Not Included” warning label. Mozilla looks for a number of factors when identifying a product as such, and a company must fail two or more of its benchmarks, which include how the company uses the data it collects from users, how users can control and protect their data, a company’s known track record of protecting users’ data and a general minimum security standards check. 

For this particular study, researchers were also specifically looking for how apps might share personal health data with law enforcement. 

“We looked a little deeper at how the privacy policies of these companies say they can share data with law enforcement. And what we found was it was pretty vaguely outlined, and that's a concern,” Jen Caltrider, Mozilla's *Privacy Not Included lead, told Spectrum News’ Reena Diamante in a recent interview. “So that was pretty scary for us knowing that if you live in a state where abortion is illegal, your data might be accessible by law enforcement and government.”

Some of the companies had vague privacy policies, including Period Tracker, which acknowledges that it would share data with law enforcement but does not indicate under what circumstances it would do so. Mozilla also stated that another app – Sprout Pregnancy – did not have a privacy policy, and its terms of use were last updated in 2013.

In response to questions from Spectrum News, Sprout Apps said the study “incorrectly stated” they did not have a privacy policy. On its website, all of Sprout’s apps (save its pregnancy app) have “Terms of Use and Privacy Policy” listed, while Sprout Pregnancy mentions only “Terms of Use.” 

Sprout also noted “the app data is only backed up to the user’s personal iCloud or Google Drive account,” and that “any legal data requests would need to be submitted to Apple and Google as all personal data is only stored on the user’s iCloud or Google Drive account only.”

The wearable devices fared slightly better in Mozilla’s study, as none received the “*Privacy Not Included” label. But only one service provider – a sexual and reproductive health app called Euki – earned a spot in Mozilla’s “Best Of” category for offering robust protections and not collecting any personal data. 

All data entered into the app is stored locally on the user’s device, and users can set up a passcode to protect the app from anyone searching their device. Euki also offers users the option of typing in the fake passcode 0000, which will lead to a false screen with fake information.

But Euki does still give users links to external resources within the app – companies who might not have as robust protections on data sharing as Euki does, Mozilla said. 

In a statement, Ibis Reproductive Health, a non-profit organization which developed Euki with international activist group Women Help Women, said it was "pleased" to see the app receive such recognition.

"Our ultimate goal remains getting Euki to anyone who can benefit from a comprehensive, inclusive and of course secure app for sexual and reproductive health," Ibis Reproductive Health said. "Access to abortion services is essential health care, a critical part of our human rights, and abortion access must be protected. Euki can help and we want to ensure that it gets in the hands of anyone who can benefit from its unique features and privacy protocols."

Already, there have been examples of companies – though not specifically health tracking companies – that turned over information to law enforcement pertaining to individuals seeking abortions. Recently, a mother in Nebraska was charged with helping her teenage daughter end her pregnancy at about 24 weeks after investigators obtained Facebook messages in which the two discussed using medication to induce an abortion and plans to burn the fetus afterward.

In addition to its current 20-week abortion ban, Nebraska tried — but failed — earlier this year to pass a so-called trigger law that would have banned all abortions when the U.S. Supreme Court overturned Roe v. Wade.

Facebook spokesman Andy Stone defended the way the company handled authorities’ request for information in this case after a gag order about it was lifted.

“Nothing in the valid warrants we received from local law enforcement in early June, prior to the Supreme Court decision, mentioned abortion,” Stone said. “The warrants concerned charges related to a criminal investigation and court documents indicate that police at the time were investigating the case of a stillborn baby who was burned and buried, not a decision to have an abortion.”

Facebook has said that officials at the social media giant “always scrutinize every government request we receive to make sure it is legally valid.”

The social media giant said it will fight back against requests that it thinks are invalid or too broad, but the company said it gave investigators information in about 88% of the 59,996 times when the government requested data in the second half of last year.

Experts are concerned those law enforcement requests could soon turn to period, pregnancy and fertility-tracking apps. The implications, Mozilla researchers say, are deeply troubling. 

“If the question is, how could the data be used to potentially harass, track, arrest, prosecute women seeking abortion in a state where it's illegal? I mean, the possibilities are endless,” Caltrider said, noting that “there aren't clear answers yet” on whether companies will be forced to give up personal information to law enforcement over reported concerns that an individual might be seeking an illegal abortion. 

"It's really truly frightening if you think that you share this data with a company and somehow it ends up for sale from a data broker," Caltrider said. "And people can actually buy it and use it to dig into it to be like, 'we need to find women that are trying to seek abortions out of state, so we can hunt them down.'"

Federal rules protecting sensitive patient health information largely do not apply to tech companies. Legal experts warn there’s more to a user’s digital footprint.

"What about information that can be used by others to infer or to infer a certain probability that somebody is pregnant?" asked Nik Guggenberger, an assistant professor of law at the University of Houston. "What about location data? Around OBGYN clinics? What about certain types of personal care that one might buy? That's all uncharted territory."

"It would be naive to think that by either making them more secure or avoiding those kinds of apps that one can withdraw from that type of data collection," Guggenberger told Spectrum News. "Your credit card company knows what you buy. CVS or Walgreens or whatever pharmacy you rely on knows whether you buy a pregnancy test or nausea medicine. And most of the apps that we use, they track location, and location is really so revealing as to what we do, oftentimes. And that's maybe something that might not be that obvious."

Some companies studied by Mozilla have, in the months since Roe was overturned, updated users on how they will protect their data. Flo in mid-June added an “Anonymous Mode” to its app, an optional feature that “protects and de-identifies your data even further by removing personal email, name and technical identifiers,” the company wrote in a statement. 

Should an individual choose to use the app in Anonymous Mode, their data would no longer be accessible should they lose their device.

“In the event that we receive an official request to identify a user by name or email, Anonymous Mode will prevent us from being able to connect data to an individual, meaning we would not be able to satisfy the request,” Flo said in response to questions about complying with potential subpoenas. 

It is unclear how Flo plans to comply with law enforcement requests for individuals who do not opt in to the Anonymous Mode, and Spectrum News has reached out for clarification. 

Spectrum News has learned that the House Oversight Committee is looking into the matter and has asked several developers and data brokers to provide more information about their practices. The panel is reviewing that information.

Spectrum News has also reached out to Ovia and Euki for comment.

The Associated Press contributed to this report.