Data privacy in the post-Roe era

In 2022, when the U.S. Supreme Court overturned Roe v. Wade—ending the constitutional right to an abortion—privacy advocates warned women against using smartphone apps to track their periods.

The calls came out of concerns that the data collected by these apps could put women at risk of prosecution in states where abortion became illegal.

Now, nearly two years later, American women remain uneasy about the privacy of these popular apps, but few have taken steps to protect themselves.

That's one of the main takeaways of a new study looking at women's use of period trackers and how they view the privacy risks that come with these tools, especially in the post-Roe era. The research was published as part of the Proceedings of the 2024 CHI Conference on Human Factors in Computing Systems.

The study, which polled 183 women across the United States, finds that many women feel in the dark about how their data are used and shared on these apps and are unsure how to take control.

"This is really a call to action that we need to provide more awareness and education," said Duke University assistant professor of computer science Pardis Emami-Naeini, who led the research.

Nearly a third of American women use apps to track their menstrual cycles, plan and prepare for symptoms, and identify their most fertile days. However, their convenience can come at a high cost for users.

That's because period tracking apps track more than just your period. They collect sensitive information that can include whether their users are trying to have a baby if they get pregnant or have a miscarriage, or even sexual activity.

If these data were combined with location tracking showing what medical facilities users have visited, it's possible these apps could be used to suggest that someone has had or is considering an abortion.

Because period-tracking apps aren't covered under federal data privacy laws like the Health Insurance Portability and Accountability Act or HIPAA, no law prevents private companies from sharing this information with third parties, such as advertisers or insurance companies, or handing it over to law enforcement.

Previous research reveals an "alarming status quo," said student co-author Jiaxun Cao of Duke and Duke Kunshan University.

In a review of 23 popular period- and pregnancy-tracking apps, 61% allowed location tracking, 87% shared their users' data with third parties such as advertising and analytics companies, and two-thirds shared data "for legal obligations."

Nearly a third displayed no information about their privacy practices at all.

And even when privacy policies are available, they can be misleading. In 2021, the developer behind Flo, a period-tracking app with more than a million users, settled federal charges that the company leaked intimate details about users' periods and pregnancies with online advertising giants like Facebook and Google despite promising to keep them private.

Deleting an app from a device doesn't make the data magically disappear from the developer's server or stop it from being shared and sold, either. "Some companies hang on to data for years after the consumer stops using the app," said co-author Hiba Laabadli, a dual-degree student at Duke and Duke Kunshan.

To better understand women's concerns surrounding privacy and period-tracking apps, the researchers conducted an online survey with 183 American women aged 19 to 75. Half of the participants lived in states where abortion is banned; the other half lived in states where abortion is legal.

Each participant was asked how concerned they would be about hypothetical scenarios involving period trackers with different ways of collecting, storing, and sharing user data.

The study found that a number of common app practices raised red flags for users.

The top concern was who might gain access to their data. Respondents said that sharing information about their periods and pregnancies with the government or law enforcement was "unacceptable."

Nearly a third said apps sharing their data with third parties such as advertisers and insurance companies was also worrisome, particularly if it was used to target them with unwanted ads or boost their insurance rates.

Women were also wary of apps that collected more data than they considered necessary for the app to function, such as users' whereabouts or information about their moods or sexual activity.

Given these concerns, the researchers expected that women would be taking more steps to safeguard their information in the wake of Roe.

But actually, not so, Cao said.

When asked about the landmark ruling, most respondents—60%—recognized the heightened urgency of data privacy risks in the post-Roe era, but fewer than 10% took steps to mitigate them, such as by deleting the app or reading the app's privacy policy.

In fact, more than 90% of participants took no precautions at all, either because they weren't sure how to proceed, because they relied on the service to help manage their periods, or because they lived in states where they didn't feel the need to exercise caution.

Nearly 40% of participants reported feeling uninformed when it came to their apps' privacy practices.

"The majority of women are concerned but they don't do anything about it because they don't have the knowledge. They don't know what to do," Emami-Naeini said.

Only half of the respondents think users themselves are responsible for ensuring that their personal information stays safe. The vast majority—nearly 90%—considered that to be the job of the app developers to give users more control over their data, make user control settings more accessible and straightforward, and make their privacy policies more transparent and easier to understand.

Since the landmark Supreme Court decision, more than two dozen states have banned or severely restricted abortion access.

As a next step, the researchers plan to look at the privacy implications of integrating AI chatbots like ChatGPT into period trackers and other health care apps.

"Our biggest recommendation is for app companies to be more transparent about what they're doing," Emami-Naeini said.

The researchers will present their findings on May 13 at the Conference on Human Factors in Computing Systems (CHI 2024) in Honolulu.