A Forbes analysis of two pregnancy and ovulation trackers owned by a $3.6 billion media conglomerate show they reserve the right to share data with law enforcement at their discretion. Privacy activists want such companies to do more to protect users in a post-Roe v. Wade United States.
Ever since the leak of the Dobbs v Jackson court decision in early May, fears have grown around how police might seek to get data from period and pregnancy tracker apps as they seek to investigate illegal abortions in a post-Roe v. Wade America. An analysis of two popular pregnancy tracking apps shows there’s good reason for concern, as privacy policies tend to give tech companies a lot of discretion when it comes to sharing user data.
The app makers also reserve the right to share data with “legal and regulatory authorities, upon request, or for the purposes of reporting any actual or suspected breach of applicable law or regulation.” They also retain the right to share information with “any relevant party, law enforcement agency or court, to the extent necessary for the establishment, exercise or defense of legal rights.”
This may seem just like boilerplate language designed to protect the company from any liability, but some of the Ziff Davis businesses’ competitors have stronger privacy policies. For instance, another popular pregnancy tracker, Ovia Health, says it will only share such data with governments “if required by law, subpoena, directive from a regulatory authority or as otherwise necessary to comply with legal requirements” or to “protect the safety of users of the apps or others.” Ovia also has a dedicated page regarding law enforcement requests, in which it says it actively seeks to limit data disclosures and will “reject any invalid requests.”
Despite urgent concerns around such apps and how they protect data, privacy experts say they’re not the most pressing concern for women seeking an abortion. What really matters is that tech companies provide more factual information on how people can safely access legal abortions and not remove material from its platforms entirely for fear of abortions being illegal in some states, says Eva Galperin, director of cybersecurity at the Electronic Frontier Foundation (EFF).
But, as Forbes has repeatedly documented over recent months, police will go down every avenue they can to gather data on a suspect and are happy to raid tech companies big and small. Looking into the future, should police in states where abortion is illegal begin actively investigating those seeking to terminate a pregnancy, it should be expected that all kinds of companies will be raided for data, adds the EFF’s Galperin.
“I don’t think these policies will be affecting users tomorrow, but I do think there is a strong risk that they will be relatively soon. And it is important to hold these companies accountable for what they do with user data before the abuse actually happens,” Galperin says. “Given the variety of period tracking apps out there, I don’t see why users should stay with any app that doesn’t make a strong and public commitment to protecting their personal data and taking steps to limit what the company can turn over to third parties.”
Ziff Davis’ subsidiaries said they were looking at whether any changes to their privacy policies were required in light of Roe v. Wade being overturned by the Supreme Court. “We are evaluating the developing situation as it pertains to our policy. We do not have more information to provide at this time,” said a spokesperson for What to Expect and BabyCenter.
‘Ad networks know more about you than you’
Forbes analysis of the apps also revealed how they share basic user information, such as what state a user lives in and their IP address (which can also be used to infer in what town or city a person resides), with a range of third parties. Such parties include Facebook and various ad trackers, such as NASDAQ-listed Taboola, Comscore subsidiary ScorecardResearch, $1.3 billion-market cap company Magnite, as well as lesser-known providers Adjust and Upland Software, among a handful of others. No medical information or in-depth user data was being shared at the time of Forbes’ research.
Sharing metadata with third-party ad networks is common across many mobile applications, especially free ones. But there’s now a unique threat when it comes to pregnancy trackers. While the data doesn’t include content like the user’s due date or any changes to the pregnancy, all those third parties have a strong indication a person is pregnant or planning to be. (Retailers, in particular, have made headlines for serving expecting mothers with ads for baby-related products before the fathers even knew about the pregnancy.) “Ad networks know about you way more than you do,” says Gabi Cirlig, a cybersecurity and privacy researcher who helped verify Forbes’ findings.
Put simply: it’s not just the app makers and their partners at tech giants like Google and Facebook, but also a network of myriad ad networks that know a lot about who is pregnant and when. That leaves law enforcement with all manner of avenues in terms of gathering data for investigations into individuals who try to get abortions in states where it’s illegal.
Privacy activists are now calling not only for more detailed and protective privacy policies, but also greater transparency from app makers. “As states start investigating and prosecuting people for their pregnancy outcomes post-Roe, these companies ought to stand up for their users and fight back tooth and nail against government demands for user data,” says Riana Pfefferkorn, research scholar at the Stanford Internet Observatory. “But they also need to be committed to doing what they say they’ll do. Don’t tell me you’ll push back against overbroad legal requests unless you’re both actually going to do it and willing to publish a transparency report that proves it.
“Your users are spooked. If you respect them, you’ll thrive. If you sell them out, you’ll fail.”