Study: Fertility apps collect, share intimate data without users' knowledge or permission

The majority of top-rated fertility apps collect and even share intimate data without the users' knowledge or permission, a collaborative study by Newcastle University and Umea University has found.

Researchers are now calling for a tightening of the categorization of these apps by platforms to protect women from intimate and deeply personal information being exploited and sold.

For hundreds of millions of women fertility tracking applications offer an affordable solution when trying to conceive or manage their pregnancy. But as this technology grows in popularity, experts have revealed that most of the top-rated fertility apps collect and share sensitive private information without users' consent.

Dr Maryam Mehrnezhad, of Newcastle University's School of Computing and Dr Teresa Almeida, from the Department of Informatics, Umeå University, Sweden, explored the privacy risks that can originate from the mismanagement, misuse, and misappropriation of intimate data, which are entwined in individual life events and in public health issues such as abortion, infertility, and pregnancy.

Dr Mehrnezhad and Dr Almeida analysed the privacy notices and tracking practices of 30 apps, available at no cost and dedicated to potential fertility. The apps were selected from the top search results in the Google Play Store and let a user regularly input personal and intimate information, including temperature, mood, sexual activity, orgasm and medical records.

Once the apps were downloaded, the researchers analysed GDPR requirements, privacy notices and tracking practices. They found out that the majority of these apps are not complying with the GDPR in terms of their privacy notices and tracking practices. The study also shows that these apps activate 3.8 trackers on average right after they are installed and opened by the user, even if the user does not engage with the privacy notice.

Presenting their findings at the CHI 2021 Conference, taking place on May 8-13, Dr Mehrnezhad and Dr Almeida warn that the approach of these apps to user privacy has implications for reproductive health, and rights.

Users of these apps are normally women who are considered marginalised user groups and the data concerning these groups is personal, more sensitive, and identified by GDPR legislation as 'special category data' requiring extra protection."

Dr Maryam Mehrnezhad, Newcastle University's School of Computing

Dr Almeida added: "Data are kept in such a vulnerable condition, one in which a default setting allows not only for monetizing data but also to sustain systems of interpersonal violence or harm, such as in cases of pregnancy loss or abortion, demands a more careful approach to how technology is designed and developed.

"While digital health technologies help people better manage their reproductive lives, risks increase when data given voluntarily are not justly protected and data subjects see their reproductive rights challenged to the point of e.g. personal safety."

The study shows that majority of these fertility apps are classified as 'Health & Fitness', a few as 'Medical', and one as 'Communication'. The authors argue that miscategorising an unsecure app which contains medical records as 'Health & Fitness' would enable the developers to avoid the potential consequences, for example, of remaining in the app market without drawing significant attention to it. This means that fertility app data could continue to be sold to third parties for a variety of unauthorised uses, such as advertising and app development.

The team is currently looking into the security, privacy, bias and trust in IoT devices in Femtech. In light of their research, these researchers are calling for more adequate, lawful, and ethical processes when dealing with this data to ensure women get protection for the intimate information that is being collected by such technologies. They advise to seek to improve the understanding of how marginalised user groups can help to shape the design and use of cybersecurity and privacy of such technologies.