Deleting your period tracker won’t keep your health data private

July 19, 2022
Information security expert Anton Dahbura says ‘anonymous mode’ and other attempts to protect user health data may lure people into a false sense of security in the post-Roe world

As soon as news leaked in May of the possible reversal of Roe v. Wade, a drumbeat began on social media: Delete your period trackers. With abortion rights under threat, new fears arose that the health data stored on such apps, which track fertility and menstrual cycles, could be used as evidence of criminal activity in states where abortions could be outlawed.

With the U.S. Supreme Court’s subsequent ruling on June 24, the calls for data security have intensified, and a number of app developers and tech companies have upped their privacy protections in response. The issue has the attention of the U.S. House of Representatives, where a new bill called “My Body, My Data” is circulating, and one panel is investigating tech companies’ practices. An executive order President Joe Biden signed Friday aimed at protecting abortion access also seeks to shore up digital privacy.

Data security experts warn, however, that this issue runs deeper than any app. “The underlying risk is that a person’s phone—the phone itself, not necessarily individual apps or web browsers—maintains a significant amount of data even when apps are deleted,” says Anton Dahbura, executive director of the Johns Hopkins University Information Security Institute. “I’m concerned that people will be lulled into a false sense of security if they’re led to believe that their phone itself is somehow safe.”

And it’s not only phones, he says—it’s any tablet, computer, smartwatch, or digital assistant. “If a law enforcement agency has access to a person’s devices, including data that’s supposedly been deleted, the information that can be harvested is likely to be overwhelming.”

In a conversation with the Hub, Dahbura offered more insight on the vulnerabilities of reproductive health data in an age where terminating a pregnancy constitutes a crime in parts of the country.

How concerned should people be about period tracking apps?

Depending on how they’re designed, they could be of great concern, especially when you’re talking about the ability for law enforcement to demand access to the data. It could be subpoenaed by law enforcement in states where abortion is illegal and where there’s suspicion the law has been broken. So I do think individuals need to be careful about the apps they use, because unfortunately the technology could be, in effect, weaponized.

The whole model for apps has been to harvest as much data as possible in order to use that data for different purposes, including marketing. Some apps exist solely for this purpose. With the abortion bans, this model is being turned inside out, and it’s problematic. For some apps, making any significant changes to protect data privacy could dramatically cut into the company’s business model unless they find other ways to operate, like paid subscriptions.

But also, it’s incredibly difficult to anonymize anything completely. So some solutions that apps are now offering, like “anonymous mode,” may sound good on paper, but it’s not clear what’s technically achievable. What will matter more is the degree to which law enforcement is allowed access to someone’s device. With full access, it would not be hard for them to figure out exactly what you’ve been up to, including things like web searches on abortion options, or calls to clinics. Cell phone companies also maintain location information and other data in their own storage systems, and law enforcement could access that.

So the issue isn’t so much the apps and the data they contain, but the phone itself.

Yes. Your phone, along with any tablets, laptops, or other devices you use. If someone gets access to these, it’s entirely possible for them to investigate your activities. It even goes beyond the devices. I call this “the golden age of forensics.” There are video cameras and license plate trackers all over the place, your credit card and financial activity is tracked, even some models of cars now have trackers built in.

In the current U.S. landscape, pregnant women seeking abortions in states where it’s illegal could be treated like criminals, hypothetically. If you watch true-crime shows on TV, you know that it’s all about forensics. The techniques we see used there are the exact same ones we’re talking about being used against women who have either had an abortion or are pursuing it.

Have we seen examples of this?

There are some precedents in our court systems, but with the new Supreme Court ruling I have full confidence we’ll see criminal investigations of this nature with abortion. If we’re living in a system where the act of abortion is defined as a crime, people will get paid to do their job to investigate and prosecute the crime. There’s no question in my mind that this will happen.

What actions could people take to protect their reproductive health data?

Do as much as you can to avoid leaving a digital trail, but even then it’s dicey. I know a lot about the technology and it’s incredibly challenging. You could do a lot of research about deleting apps, reconfiguring privacy settings, putting maximum privacy controls on your iPhone and so forth—but I think that’s going to give a false sense of security. So I really can’t advocate for “click on this option” and “do this.”

It’s a very tricky issue, but people have to be careful and assume that their online activity can be monitored, and that their data is being gathered and used. It’s a difficult message to get across because our phones are so convenient and we’re so used to Googling everything. We can’t spend five minutes without our phones.

On the larger scale, how should we approach the issue of digital privacy?

It’s always important to think hard about the devices you use and how you interact with them. And people do need to pay more attention to privacy in general. Because for a lot of people, the mentality is, well, I’m not doing anything wrong, so why do I care if my phone is tracking me or cameras are monitoring me? But I’ve always said, what seems OK today, what seems innocuous, might not be OK tomorrow. There are many issues we probably can’t even think of right now, where our data could be turned against us in the future or used in ways we don’t all agree with.

With some types of crime, obvious severe crimes, I think just about everybody would agree they’re wrong and that it’s justified to track the perpetrators and invade their digital privacy, for the greater good. But the abortion issue is an unfortunate example where there’s not unanimous agreement by any means on what constitutes criminal behavior.


This article originally appeared on The Hub.