18/09/2019 1:24 PM AEST

Period-Tracker Apps Are Selling User Info To Facebook

Users tend to share a lot of person data with their menstrual apps.

Most of us have already accepted that the tool that lets us comment on a distant relative’s cute baby is also the tool that mines our data for nefarious purposes. It’s almost hard to keep track of all of the privacy violations Facebook has been accused of in the last few years, as things just keep getting added to that list.

The most recent: Period tracking apps. 

Last week, new research by advocacy group Privacy International found that two commonly-used apps, Maya by Plackal Tech (formerly known as LoveCycles) and MIA by Mobapp Development Limited, were found conducting “extensive sharing of sensitive personal data with third parties, including Facebook.”

Other apps, including My Period Tracker by Linchpin Health, Ovulation Calculator by Pinkbird and Mi Calendario by Grupo Familia also inform Facebook when the app is used, although they weren’t found to share quite as much personal data.

A person’s medical information “is among the most sensitive data one can collect,” the report says. “Countries that have data protection laws traditionally have a separate regime for health data, which are considered sensitive data.”

The user interface for Maya, one of the apps found to hand user info over to Facebook.

Many women use apps to keep track of their menstrual cycles, especially if their cycles are irregular or if they’re keeping an eye on their fertility. Period trackers can let users know when their next period is expected and when they’re ovulating, which can be useful for people who are trying to get pregnant. The apps also let users enter information about their moods or symptoms — if they felt unusually sad, for instance, or got headaches — so that they can better anticipate those side effects in the future.

There’s some variation between the apps, and most let users decide how much info they want to input, but they largely all offer the opportunity for users to get incredibly personal. There are options to input when users had sex (for pregnancy purposes), as well as describing incredibly personal details like their acne, breast tenderness, and vaginal discharge. Some also let users add info about masturbation and alcohol and cigarette use.

Both a user’s physical symptoms and their mood can be useful information for advertisers to have. The Guardian reported in 2017 that a leaked internal document from the company detailed how Facebook sells information on the “mood shifts” of its user base.

NurPhoto via Getty Images
The Facebook login screen is seen in this photo illustration on March 13, 2019 in Warsaw, Poland.

Both Maya and MIA inform Facebook as soon as a user opens the app — even before the user has been asked whether or not they agree to the privacy policy.

“This is the kind of practice that highlights how consent isn’t a sufficient guardrail against privacy violations,” Lindsey Barrett, an attorney at Georgetown Law’s Intellectual Property Rights tech clinic, told Buzzfeed. “No one reads privacy policies because they encounter too many of them for that to be reasonable, and even if they did, the policies are poorly written or won’t tell them what they need to know.”

Privacy International says Maya agreed to change their procedures by letting users opt in, as well as no longer linking their users’ analytics to Facebook. The group also contacted MIA, who did not want their response published. 

Other period tracker apps, including Clue, have changed their practices by no longer sharing a user’s Google advertising ID with Facebook after Privacy International called them out. Another, Flo, has promised to make similar changes, according to the Wall Street Journal. Some, like Period Tracker by GP International, were — thankfully — found not to share data with Facebook.