Eight months post-Roe, reproductive-health privacy is still messy

Data privacy awareness boomed last June when the Supreme Court overturned Roe v. Wade, limiting access to safe, legal abortion. Now, eight months later, privacy experts say not to let your guard down. Legislative bodies have made little progress on health data security.

We give up so much data each day that it’s easy to tune out. We blindly accept permissions or turn on location sharing, but that data can also be used by governing bodies to prosecute civilians or by attackers looking to extort individuals. That’s why, when SCOTUS declared access to abortion would no longer be a constitutional right, people began to scrutinize the amount of private health data they were sending to reproductive-health apps.

“The burden is really on consumers to figure out how a company, an app, a website is going to collect and then potentially use and share their data,” Andrew Crawford, senior counsel, privacy and data, at the Center for Democracy and Technology said.

There aren’t widespread industry standards or federal legislation to protect sensitive data, despite some increased regulatory action since last year. Even data that isn’t considered personally identifiable or explicitly health related can still put people at risk. Location data, for example, can show if a patient traveled to receive an abortion, possibly putting them at risk of prosecution.

“Companies see that as information they can use to make money,” Jen Caltrider, lead at Mozilla’s consumer privacy organization Privacy Not Included, told Engadget. Research released by Caltrider’s team in August analyzed the security of 25 reproductive-health apps. Eighteen of them earned a privacy warning label for failing to meet privacy standards.

So, what’s left for users of reproductive-health apps to do? The obvious advice is to carefully read the terms and conditions before signing up in order to better understand what’s happening with their data. If you don’t have a legal degree and an hour to spare, though, there are some basic rules to follow. Turning off data sharing that isn’t necessary to the function of the app, using encrypted chats to talk about reproductive care, signing up for a trustworthy VPN and leaving your phone at home if you’re accessing reproductive health care can all help protect your information, according to Crawford.

While industry standards are still lacking, increased public scrutiny has led to some improvements. Some reproductive-health apps now store data locally as opposed to on a server, collect data anonymously so that it cannot be accessed by law enforcement or base operations in places like Europe that have stronger data privacy laws. We spoke with three popular apps that were given warning labels by Privacy Not Included last August to see what’s changed since then.

Glow’s Eve reproductive-health app introduced an option to store data locally instead of on its server, among other security measures. Glow told Engadget that it doesn't sell data and employees are required to take privacy and security training.

A similar app, Flo Health, has introduced an anonymous mode and hired a new privacy exec since the report. The company told Engadget that it hopes to expand its anonymous mode features in the future with additions like the ability to stop receiving IP addresses completely.

Clue, another app that landed on the warning list, adheres to the stricter privacy laws of the European Union known as General Data Protection Regulation, co-CEO Carrie Walter told Engadget. She added that the company will never cooperate with a government authority to use people’s health data against them, and recommended users keep up with updates to its privacy policy for more information.

But there are no one-and-done solutions. With permissions changing frequently, people that use health apps are also signing up to consistently check their settings.

“Apps change constantly, so keep doing your research, which is a burden to ask consumers,” Caltrider said. “Use anonymous modes, when they're available, store things locally, as much as you can. Don't share location if you can opt out of location sharing.”