Day: 21 June 2022

Nicole Nguyen and Cordilia James, Wall Street Journal:

Different types of data, including information that can be subpoenaed from period trackers, can create an extremely detailed profile of you when combined. Prof. Fowler says she thinks it is likely that user data will have greater importance if more places criminalize abortion.

While period trackers collect and store health data, there aren’t typically special protections governing that information, said Prof. Fowler. Apps can use your data how they choose as outlined in their privacy policies, she said, adding that ideally the data would be stored on your devices — rather than in the cloud — and not be subject to third-party tracking.

Period tracking apps’ sometimes sketchy privacy policies and the legal jeopardy in which they can place users are explicitly called out in Sen. Elizabeth Warren’s announcement of a bill to curtail data brokers.

Apple’s first-party Health app is the only one that encrypts users’ data end-to-end. Unfortunately, it is halfway between an all-in-one health tracking app and a repository for other apps’ data. I do not have experience with entering a menstrual cycle, but I find manually adding cycling distance or — new in iOS 16 — medication to be confusing and inelegant.

Even if a period tracking app is sharing data with Health, it is worth remembering that its own in-app privacy and data use policies apply.

Jon Brodkin, Ars Technica:

A bill introduced by Sen. Elizabeth Warren (D-Mass.) would prohibit data brokers from selling Americans’ location and health data, Warren’s office said Wednesday.

“Largely unregulated by federal law, data brokers gather intensely personal data such as location data from seemingly innocuous sources including weather apps and prayer apps—oftentimes without the consumer’s consent or knowledge,” a bill summary said. “Then, brokers turn around and sell the data in bulk to virtually any willing buyer, reaping massive profits.”

I do love the sound of this. Though Brodkin says it bans selling certain data types, it is actually more comprehensive — if passed, data brokers would be prohibited from doing just about anything with location and health data “declared or inferred”.

It seems too good to be true, and my hopes were quashed when I read this piece from Jeffrey Neuburger of the National Law Review:

[…] The bill makes exceptions for health information transfers done lawfully under HIPAA, publication of “newsworthy information of legitimate public concern” under the First Amendment, or disclosure for which the individual provides “valid authorization.” The FTC would be responsible for adapting the HIPAA-related term “valid authorization” to fit the location data context. It is possible that the conspicuous notice and consent processes surrounding the collection and use of the data — as is currently in place in many mobile applications — will suffice.

If all big ideas for protecting privacy come down to the same notice and consent laws that have had mixed results around the world, I do not think we will find ourselves in a better place. Everyone will simply be more irritated by the technology they use while finding few privacy benefits. I understand the value of someone consenting to have information collected and shared, but there needs to be a better model for confirming an opt-in and limitations on its use.

Julia Conley, Common Dreams:

Warren noted that location data has already been used by federal agencies to circumvent the Fourth Amendment by purchasing private data instead of obtaining it via a subpoena or warrant and to out LGBTQ+ people.

I continue to wonder how much of a factor it is that law enforcement and intelligence agencies rely on anti-privacy companies and data brokers as a workaround for more scrutinized legal measures.