For years, millions of women have used mobile apps to help track their menstrual cycles and get a better handle on their fertility. But now, it turns out, some of those apps may have been leaking this intimate information.
Glow, one of the most popular apps in this market, had a major flaw that could let anyone who knew a user’s email address access that person's data, according to a recent investigation by Consumer Reports. That’s a big deal because Glow prompts users to reveal a lot, including the last time they had sex (and in what position), how many drinks they’ve had each day and, of course, when Aunt Flo is in town.
Glow’s issues also shine a light on the regulatory gray zone that encompasses period-tracking, fitness trackers and other health-related apps. The data users put into the apps aren’t automatically covered by HIPAA, the federal health privacy law that shields, for instance, information shared with your doctor. Instead, the Food and Drug Administration has said it would exercise "discretion" on whether it would pursue privacy violations by many health apps.
“This kind of information for women is very intimate,” Patient Privacy Rights founder Deborah Peel said. “The implications are really huge: There are absolutely no laws that protects that information from being sold, disclosed, or traded — for any purpose, be it marketing or research.”
Although HIPAA-based regulation has rules about data security, fertility- and period-tracking apps generally aren't required to go through security testing before they make it onto users’ smartphones. But Consumer Reports did its own security audit of Glow and found several problems.
The most troubling involved a feature in which a Glow user could link their account with another person to share information. But Consumer Reports discovered that anyone who knew a user's email address could start getting that data without the user's explicit permission. That means practically anyone, including stalkers or abusive exes, could have found a window into the intimate data the app tracked.