The post-Roe data privacy nightmare is way bigger than period tracking apps

It’s a lot more complicated than just deleting one or two apps.

Kevin Lamarque / reuters

Since the Supreme Court’s draft decision overturning Roe v. Wade leaked, influencers, activists and privacy advocates have urged users to delete period-tracking apps from their devices and remove their information from associated services. With abortion now outlawed in several states, data from such apps could be used in criminal investigations against abortion seekers, and a missed period — or even simply an unlogged one — could be used as evidence of a crime.

These services, like many “wellness” apps, are not bound by HIPAA, and many have long histories of shady practices resulting in fines and regulatory scrutiny. Mistrust in them is well-founded. However, calls to delete period tracking or fertility apps are obscuring what privacy experts say is a much larger issue.

“Period tracking apps are the canary in the coal mine in terms of our data privacy,” says Lia Holland, campaigns and communications director for Fight for the Future, an advocacy group focused on digital rights. While submitting data to a cycle tracking app could lead to being "outed by your phone," they said, there are numerous other ways actionable data could make its way to law enforcement. “That outing [...] could just as easily happen because of some game you installed that is tracking your location to a Planned Parenthood clinic.”

India McKinney, director of federal affairs for the Electronic Frontier Foundation, offered similar words of warning about commonplace and seemingly innocuous online activities. "Search history, browser history, content of communication, social media, financial transactions [..] all of this stuff is not necessarily related to period trackers but could be of interest to law enforcement.”

This isn't an abstract problem either: Before the constitutional right to an abortion was overturned, there were already cases where pregnant women had their search histories and text messages used against them after their pregnancies ended.

In one widely cited case, a woman in Mississippi who had a stillbirth at home was charged with murder because she had searched for abortion pills online. (The charges were eventually dropped.) In another case, an Indiana woman was sentenced to 20 years in prison for feticide after prosecutors cited her text messages as evidence her miscarriage had been a self-induced abortion. “Prosecutors argued that she’d taken abortion-inducing drugs purchased online, which is illegal in the United States, but police could not find evidence, beyond text messages discussing it, that the drugs were purchased,” according to The Cut. Her conviction was ultimately overturned but only after she spent three years in prison.

There are other, more insidious ways people seeking abortions can be tracked online. A recent investigation from Reveal and The Markup found that Facebook’s advertising tools — which siphon data from vast swaths of the web, including some hospitals — were used by anti-abortion groups to keep tabs on people seeking abortion services, despite Meta’s rules against collecting such data. Data collected by the groups was also shared with separate anti-abortion marketing firms, which could allow them to target ads to “abortion-minded women,” according to the report. Experts who spoke to Reveal noted that the same data could easily be turned over to law enforcement.

Merely visiting a physical location could be enough to put someone at risk. Data brokers already track and sell location data related to abortion clinic visits. Last month, Motherboard reported that one data broker, SafeGraph, was selling a week’s worth of location data for Planned Parenthood and other clinic locations that included “where groups of people visiting the locations came from, how long they stayed there, and where they then went afterwards,” for as little as $160. The source of those datasets showing visits to reproductive health clinics? “Ordinary apps installed on peoples’ phones.”

After the report, SafeGraph said it would stop selling datasets related to locations of family planning centers. But that doesn’t mean the apps on your phone stopped tracking where you’re going. And SafeGraph is just one of many companies in the shadowy and mostly unregulated multibillion-dollar data broker industry.

“Most people don't know the apps on their phone are doing this,” says Holland. “And in fact, a lot of developers who build these apps — because they use these very easy-to-use preset tools that have that blackbox surveillance hidden within them — don't even know that their own apps are endangering abortion patients.”

Concern about this sort of broad location-tracking led lawmakers to urge Google to change its data collection practices for the protection of people seeking reproductive healthcare. They cited the now-common practice of geofence warrants, which are “orders demanding data about everyone who was near a particular location at a given time.” Last month they cautioned that if Roe were to be overturned "it is inevitable that right-wing prosecutors will obtain legal warrants to hunt down, prosecute and jail women for obtaining critical reproductive health care." Despite the urgency around data collection practices for tech companies — and what new legal obligations they might now have to turn that data over to law enforcement — the industry's largest companies have thus far remained silent.

So while concerns about period tracking apps are valid, they are only a small piece of a much larger problem. And deleting the services from your phone won’t be enough, on its own, to ensure your personal data can’t be used against you. But though users may be badly outmatched by a vast and largely unregulated industry, they aren't entirely helpless.

Holland and McKinney pointed to the importance of protecting your private messages and browsing history, via encrypted messaging apps and privacy-protecting browsers. When it comes to menstrual tracking apps, Holland recommends looking for apps that only store data locally, not in the cloud. And if you’re visiting a place where you don’t want your phone to track you, the safest option is to simply leave your phone at home, says McKinney. “Your phone is tracking you so leave it at home if you don't want it to know where you go.”

Ultimately, though, both Holland and McKinney agree the onus of privacy should not fall on the individual. Lawmakers need to enact privacy legislation that curtails around what kind of data apps can collect. “Right now, there's not a whole lot of restrictions on what companies can do with people's data,” says McKinney. “We really do need legislation to fix a lot of the stuff on the back end, and not make it so that [I] have to do research to figure out what are the best privacy practices that I need to undertake before I deal with a particularly stressful situation in my life.”