Thursday, 30 June 2022

Your Health Data Isn’t Safe Post-Roe, Even If Some Apps Promise It Is

(Photo: Gilles Lambert/Unsplash)
Most know by now that last week, the Supreme Court finalized its decision to overturn Roe v. Wade, the 1973 landmark ruling that constitutionally protected the right to abortion. The product of the decision is a jumble of states with varying levels of protection and prosecution. But among people’s concerns regarding bodily autonomy, medical legal checks and balances, a new, insidious problem has quietly risen to the surface: health apps are using people’s grief and anxieties to market their products. 

As many have pointed out, post-Roe America presents a complication that pre-Roe America did not: an unprecedented level of digital surveillance. Those seeking reproductive care in certain states now run the risk of being prosecuted by a court system that will subpoena service providers and software developers for any data that hints at a pregnancy. Ever since the Supreme Court’s Roe decision draft leaked last month, people have worried that digital period trackers (or health apps that otherwise contain a period-tracking feature) might reveal a blip in someone’s menstrual cycle, thus aiding abortion prosecution. 

This, unfortunately, is a well-founded worry. As we discussed in May, digital evidence has already been recruited in court cases concerning reproductive autonomy. Most health apps, including period trackers, store user data outside of the user’s device. This means the end user doesn’t retain all control of their data. Companies can decide independently if they want to sell user information to data brokers, who often supply data to the government for both malevolent and well-intentioned purposes. And if the government comes knocking, the company—not the user—gets to decide whether to open the door.

So then it’s a matter of getting companies to promise not to open the door…right? Perhaps not. The world’s most powerful tech companies are refusing to say whether they’ll continue their relationships with historied data brokers or respond to law enforcement subpoenas related to reproductive care. In light of the Supreme Court’s decision, Vice’s Motherboard asked a number of social media, telecommunications, digital finance, and rideshare companies if they will “provide data in response to requests from law enforcement if the case concerns users seeking or providing abortions.” Included were Apple, Facebook, Twitter, TikTok, Google, Amazon, Discord, and Uber. None of the companies provided an answer. 

Tech in general can be very “monkey say, monkey do.” If major apps and networks were to pledge not to share data with law enforcement when reproductive freedom is on the line, one could argue others, including smaller software developers, would do the same. Instead, companies seem nervous to lead by example, electing to wait for someone else to pipe up—and likely make some measure of financial sacrifice—first. And until that happens (and companies actually follow through on their promises), it’s impossible to rely on any measure of health data integrity.

Meanwhile, smaller health app developers have seen a marketing opportunity in post-Roe anxiety. Stardust, a period tracking smartphone app that advertises itself as “women-owned, privacy-first,” quickly came up with a “hands off our bodies, hands off our data” marketing campaign over the weekend. A majority of the app’s security messaging centers around end-to-end data encryption. But the app’s social media managers have ignored (and even deleted) comments asking whether Stardust will hand over data to law enforcement or work with data brokers: two practices that would essentially render the app’s so-called security promises moot. Stardust became the most-downloaded free app on iOS in the days immediately following the Supreme Court’s decision, despite its privacy policy stating it would comply with law enforcement data requests. ExtremeTech attempted to reach Stardust for comment regarding its marketing, potential relationships with data brokers, and any potential amendments to its policy. Stardust didn’t respond.

Stardust turned off comments on its Instagram post about data security, for reasons we can’t quite imagine.

GP Apps, the developer behind the Period Tracker app, has similarly attempted to appeal to those anxious about Roe’s overturn (though with less of an activist tilt). It recently put out a statement assuring users that it would not work with law enforcement on abortion prosecutions. “We want to assure our users that we are adamantly opposed to government overreach and we believe that a hypothetical situation where the government subpoenas private user data from health apps to convict people for having an abortion is a gross human rights violation. In such a scenario, we will do all we can to protect our users from such an act,” the statement reads. Further down it explains that users have a choice to use the app offline, thus keeping data local. Still, the app’s privacy policy generally says it will comply with subpoenas and other legal requests. Right now it’s unclear whether Period Tracker intends to amend the official policy, and it’s unlikely that a public statement would carry as much legal weight as a privacy policy. (One thing’s for sure: an Instagram post would not.)

It’s a harsh lesson in media literacy. Until companies begin writing reproductive choice protection into their privacy policies, only rigorous, sophisticated external testing can reveal whether their apps are truly safe post-Roe. Without that, period trackers and other health apps can’t be considered truly secure—no matter what they’ve posted online or said at a press conference. 

Some hope legislation will help fill in the gaps. Senator Elizabeth Warren (D-MA) recently spearheaded the Health and Location Protection Act, which would ban the sale of all location and health data. The ban was specifically proposed in light of mounting worries regarding reproductive data privacy. Still, if the bill passes, it will only prevent companies from giving up user data in exchange for money; it will have nothing to do with private entities’ willingness to share information with law enforcement. 

Are the newfound risks associated with health apps worth the occasional convenience? Like many things, that’s up for individual users to decide. But as they currently stand, most health apps can’t entirely be trusted to keep user data private, and the stakes of a slip-up have never been higher. In keeping with the archaic theme, it might be best to stick to a pencil and paper.
