You, me, and Facebook makes three

Privacy International talks about period-tracking apps and the perils of sharing secrets with apps.

Privacy International talks about period-tracking apps and the perils of sharing secrets with apps.

Some smartphone apps remind users to take their medicine; others monitor sleep quality, count steps and calories, and so on. There’s no shortage of apps to monitor our health and wellbeing. Often such programs require users to share very personal data about their feelings, moods, diagnoses, and more. Alas, not all of them handle such private information with the care it requires.

At 36C3, the human rights organization Privacy International shared the results of studying intimate apps that help women predict their periods, monitor reproductive health, and plan pregnancies. As it turned out, some of them abused the trust of users all the way up to sharing intimate information with Facebook and others.

What exactly did Facebook get to see?

In compiling the report, the researchers scrutinized two apps: Maya and MIA (5 million and 1 million Google Play downloads, respectively). The study was very straightforward: Privacy International simply looked at the outgoing traffic of the apps, which they ran in a sandbox, and analyzed the data they were transferring, including its destination. The results were interesting, to say the least.

At first launch, even before acquainting users with their privacy policies, both apps contacted Facebook and other partners. Maya sent data to the CleverTap analytics platform, and MIA to AppsFlyer, which also provides analytics services to developers.

Right away, MIA wanted to know whether the user had installed the app to plan a pregnancy or just to monitor her menstrual cycle — and promptly informed its partners of the answers. The same fate awaited details, including timing and duration, about the woman’s cycle. Next, the program tried to find out as much as it could about the user: feelings; contraceptive practices; caffeine, alcohol, and smoking habits. The app even tried to collect information unrelated to women’s health, such as about hairstyles and manicures.

Based on the information it collected, as well as its own conclusions on what phase of the cycle the woman was in, the app offered topical articles. This would seem harmless and even useful but for one thing: The list of articles — from which it was manifestly clear what the user had reported to the app — was sent to Facebook and AppsFlyer.

Maya’s approach was somewhat less creative. The app passed along everything it learned — information about wellbeing, mood, contraceptives, personal hygiene products, sexual activity, and so on. The program did not ask about hairstyles or manicures, but it did offer a personal diary function, and dutifully forwarded the contents to Facebook and CleverTap.

In addition to all of that information, the apps transmit other personal data as well, such as e-mail address or unique device identifier. For users with a Facebook account, that information alone could be enough to identify them, even if they haven’t installed the Facebook app on their phone. In other words, Facebook knows perfectly well whose data it’s getting.

Why companies want so much personal data

Armed with information about a user’s health, mood, and intimate life, ad networks, including Facebook, can more profitably sell advertisers’ goods and services. For example, ads targeting pregnant women specifically cost ten times as much as nontargeted ads because they’re far more likely to lead to a purchase. (A pregnant woman’s shopping needs are predictable to an extent, and moreover, it’s possible she’s a first-time shopper who knows little about the brand choices, so the advertisers that get to her first have a great chance to influence her choice.)

Advertising is not the worst of it. Intimate health information falling into the wrong hands could affect, for example, the cost of health insurance. A potential employer who knows a job applicant is planning to get pregnant might give preference to another candidate. A pregnant woman might not even be allowed on an international flight. And you would hardly want Facebook to be privy to details you wouldn’t share with your closest friend.

Maya’s developers claim that all data the app requests is necessary for its operation. That’s partly true: Hormonal drugs, increased stress, and habits such as smoking can alter the menstrual cycle, and mood swings, abdominal pain, and other symptoms can indicate that menstruation is on the way. However, a significant portion of the requested information has little to no effect on the accuracy of the diagnosis.

Developers abandon Facebook Analytics

There is good news, however: Neither Maya nor MIA transmits information to Facebook anymore. The researchers contacted the apps’ developers, who quickly removed the Facebook Analytics tool, which was responsible for sending the data. True, both apps still use CleverTap and AppsFlyer.

So it turns out that there was no real need to transfer the data to Facebook — the developers had simply integrated an additional analytics system without ever considering what data would go where.

Maya’s creators say third parties do not have access to the information on CleverTap’s servers. The platform’s developers state that the solution is in compliance with the General Data Protection Regulation (GDPR), and that its analytical algorithms process anonymized pools of data. If that is indeed the case, then the threat to privacy from this app can now be considered minimal.

The situation with MIA, which serves AppsFlyer analytics, is more nuanced. In response to the researchers’ inquiry, the company said that it prohibits clients from harvesting users’ intimately personal data, including health information. AppsFlyer claims to have contacted the developers of the MIA app for them to review their approach to analytics. But as the researchers note, AppsFlyer is rather hazy about what data it believes it should collect from apps that work specifically with health information.

How to prevent personal data abuse

When communicating any data — particularly intimate data — to an app of any kind, remember that the app might share your data with another party. If you cannot do without a particular service, consider the following recommendations:

  • Choose apps wisely. Read reviews on Google Play and the App Store, and check what users are saying about the developers online. The program you’re interested in might have been caught sending data somewhere it shouldn’t have. Or it might have a spotless reputation. That can also happen.
  • If an app wants your sensitive data, take a look at its privacy policy. It might openly state that your data will be passed to third-party companies, which is a bad sign. But even in the absence of a specific clause, if the policy is worded vaguely or incomprehensibly, it could be that the developers are trying to hide something.
  • If you do need a period-tracking app, then at least you know that two of them — Maya and MIA — have already stopped collaborating with Facebook. Privacy International’s report also mentions other programs that did not demonstrate any nefarious practices.
  • Don’t give apps more information than necessary — think carefully about what they genuinely need and what they can do without. That doesn’t mean you need to return to the age of pen and paper, just that you should be aware that any information you hand to apps is unlikely to remain completely private.