What does the volatile global political environment have to do with the menstruation of millions of people? With whom do menstrual cycle apps share our medical data? And how can this information be used to criminalize women who choose to have an abortion?

More and more people are downloading menstrual tracking apps on their phones. Hence, these questions are becoming a major concern for researchers and academics. This is because the data stored in these apps is considered to be a “gold mine” for the market. Two recent investigations – one from the Minderoo Centre for Technology and Democracy at the University of Cambridge and another from Privacy International, each using different methodologies – reach similar conclusions: there’s a latent risk of this data ending up in the wrong hands, both in the private and public sectors. Governments can use this data for law enforcement purposes, while companies can utilize it for commercial purposes.

“Menstrual tracking apps turn personal health information into data that’s collected, analyzed and sold. This poses risks and harm to users and society, as menstrual tracking data can be used to monitor people’s reproductive lives,” says Dr. Stefanie Felsberger, lead author of the Minderoo report.

Femtech – the market for technology products focused on women’s health and wellness – is a lucrative business, expected to reach $60 billion by 2027. Menstrual cycle apps contribute at least 50% of this growing market and present themselves as closing the gender health gap, according to the Minderoo report. The three most popular apps alone have 250 million downloads overall.

These apps collect information about the user’s menstrual period, symptoms, emotions, exercise, sexual preferences and contraceptive methods – among other data – and generate predictions about ovulation dates, PMS and their next cycle. However, according to medical studies, they fail to accurately predict these events.

“If [cycle tracking] data falls into the wrong hands, it could cause harm that goes beyond reproductive health, such as intimate partner violence, risks to job prospects, workplace surveillance, or discrimination in health insurance,” Felsberger adds.

Commercial use of data

This is where the inextricable web of third parties with access to this data becomes important. Privacy International’s study – titled No Body’s Business but Mine: Vol 2 – focuses on whether, given the ongoing threats to sexual and reproductive rights worldwide, menstrual tracking apps are truly safe for those who use them. It also looks at how responsible these firms are with their privacy policies.

Concerns about data privacy have been around for some time, but have evolved over the years. In 2019, Privacy International conducted the first investigation into 10 apps, focusing on whether they shared data with Facebook. Now, taking into account changes in the political landscape, as well as technological transformations, such as the expansion of cloud-based services and artificial intelligence, they conducted another technical study with new questions.

This time, for a period of five years, they focused on Google’s most-downloaded apps and followed the invisible network of private third parties that show up in the process. And, while they found that, “overall, period tracking apps were not sharing users’ cycle data as egregiously with third parties as we found for some apps in 2019,” new privacy risks emerged. “we did observe several categories of third parties that many apps were integrating for different purposes, such as advertising software development kits (SDKs) or application programming interfaces (APIs) to service certain app functionalities, and these third parties often processed some degree of the user’s personal or device data,” the study says.

Fear of reproductive surveillance

In this regard, the researchers agree with the Cambridge findings. The biggest concern has to do with how this data could be used for reproductive surveillance. “Off-device storage introduces an additional risk: the possibility that such data could be seized and used against individuals (and without their knowledge), particularly in jurisdictions where reproductive care is criminalized or restricted,” an essay by Privacy International notes.

This concern extends to several Latin American jurisdictions, where abortion is still criminalized. And, in the U.S., many of the concerns have been heightened since the reversal of Roe v. Wade, particularly in states that have introduced restrictions and prohibitions on access to abortion. There’s a fear that apps will share incriminating data about their users’ sexual health (for example, weeks of missed menstruation) to comply with a police investigation, which could result in a violation of a woman’s right to privacy and health.

The warnings are supported by at least two cases. One in Nebraska – where a woman was convicted of terminating a pregnancy after prosecutors used Facebook messages in which she and her mother discussed purchasing an abortion drug – and another in the United Kingdom, where Carla Foster, a separated mother of three, was sentenced to 28 months in prison for accessing an abortion after the 24-week mark, which is the legal limit in Wales. The evidence against Foster included her online history, text messages and phone calls. Furthermore, as revealed by Tortoise Media, investigators also requested data related to period-tracking apps.

In addition to the black holes in some apps, according to Sian Norris – author of the book Bodies Under Siege (2023) – anti-abortion groups have also launched their own period-tracking apps. “FEMM Health is the brainchild of the World Youth Alliance, an anti-abortion organization financially backed by the Chiaroscuro Foundation. Chiaroscuro is primarily funded by Sean Fieler, a prominent donor to U.S. conservative organizations,” she writes in The Dial. This means, she continues, that “nearly half-a-million women are now sharing their sensitive reproductive health data with an anti-abortion organization.” Norris explains that, under privacy guidelines, the company can share user data with the courts.

In Latin America, there’s also concern about data collection. In 2023, a team of researchers from the Monterrey Institute of Technology and Higher Education – led by Paola Ricaurte Quijano – conducted a qualitative study titled My body is mine: menstrual apps and the sociotechnical normalization of gender. This qualitative study – which interviewed 32 people – found that, by design, apps reinforce binary conceptions and stereotypes of femininity. It concludes that there’s an algorithmic bias that benefits those with regular cycles more, while noting that most users don’t read privacy policies or consider data protection to be a requirement for installing the app. “They are simply in a passive position, because they do not see feasible solutions that they can carry out individually and practically to protect their personal data,” the report states.

However, given this situation, some users have begun to search for menstrual tracking apps that improve privacy. Others, meanwhile, have simply deleted these apps, for fear of the lack of data protection.

Apps take a stand

Not all is lost, however. According to Privacy International, some apps offer a notable feature from a privacy perspective: the option to store data locally on the user’s device. This means that menstrual cycle information entered by the user remains on their device and isn’t automatically transmitted to the developer, nor saved to the cloud. This approach can improve user privacy and control, as only the user (i.e., their device) processes and stores their data.

Furthermore, some apps – such as Flo and Period Tracker (GP Apps) – have publicly taken a stand against the criminalization of abortion and the excessive use of power by authorities in this post-Roe world. And new alternatives have emerged, such as an app called Euki. It was created by the Digital Defense Fund and Ibis Reproductive Health – two organizations centered on sexual health and social technology – and is the one that’s the most esteemed among privacy advocates. It was designed with a privacy-by-default approach, can be used without creating an account and is open source.

These privacy goals should be the norm, not the exception. The current regulatory landscape doesn’t impose sufficient accountability on apps to adopt better privacy practices. To ensure that developers include robust privacy-by-default while designing their apps, there must be explicit regulatory standards and safeguards that make privacy attractive to developers. Additionally, the exceptions that allow for the sale and sharing of user data with third parties must be reconsidered and limited.

Sign up for our weekly newsletter to get more English-language news coverage from EL PAÍS USA Edition