[BreachExchange] Be careful, ladies: Period-tracking apps could reveal your most intimate information

Audrey McNeil audrey at riskbasedsecurity.com
Thu Aug 4 19:48:33 EDT 2016


http://www.kansas.com/news/nation-world/national/article93700862.html


For years, millions of women have used mobile apps to help track their
menstrual cycles and get a better handle on their fertility. But now, it
turns out, some of those apps may have been leaking this intimate
information.

Glow, one of the most popular apps in this market, had a major flaw that
could let anyone who knew a user’s email address access that person’s data,
according to a recent investigation by Consumer Reports. That’s a big deal
because Glow prompts users to reveal a lot, including the last time they
had sex (and in what position), how many drinks they’ve had each day and,
of course, when Aunt Flo is in town.

Glow’s issues also shine a light on the regulatory gray zone that
encompasses period-tracking, fitness trackers and other health-related
apps. The data users put into the apps aren’t automatically covered by
HIPAA, the federal health privacy law that shields, for instance,
information shared with your doctor. Instead, the Food and Drug
Administration has said it would exercise “discretion” on whether it would
pursue privacy violations by many health apps.

“This kind of information for women is very intimate,” Patient Privacy
Rights founder Deborah Peel said. “The implications are really huge: There
are absolutely no laws that protect that information from being sold,
disclosed, or traded - for any purpose, be it marketing or research.”

Although HIPAA-based regulation has rules about data security, fertility-
and period-tracking apps generally aren’t required to go through security
testing before they make it onto users’ smartphones. But Consumer Reports
did its own security audit of Glow and found several problems.

The most troubling involved a feature in which a Glow user could link their
account with another person to share information. But Consumer Reports
discovered that anyone who knew a user’s email address could start getting
that data without the user’s explicit permission. That means practically
anyone, including stalkers or abusive exes, could have found a window into
the intimate data the app tracked.
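The flaw described above is a missing-consent step in an account-linking feature. The following Python model is an added illustration written for this post, not Glow's code, and every name, email address and log entry in it is constructed: the vulnerable path links two accounts on the requester's say-so, while the hardened path records a pending invitation that the target must explicitly accept before any data is shared. It also includes the "check your linked accounts" lookup that the developer's advisory to users relied on.

```python
"""Account-linking consent flaw, modelled in Python (added example; hypothetical service)."""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Raised when a caller tries to read data it is not authorized to see."""


@dataclass
class User:
    email: str
    cycle_log: list = field(default_factory=list)          # the sensitive data
    partners: set = field(default_factory=set)             # emails allowed to read cycle_log
    pending_invites: set = field(default_factory=set)      # link requests awaiting consent


class TrackerService:
    """Toy back end holding users keyed by email (constructed, not a real API)."""

    def __init__(self):
        self.users = {}

    def register(self, email, cycle_log):
        self.users[email] = User(email, list(cycle_log))

    # --- Vulnerable design: knowing the target's email is enough. ---
    def link_vulnerable(self, requester_email, target_email):
        target = self.users[target_email]
        # The target is never asked; the requester is granted read access immediately.
        target.partners.add(requester_email)

    # --- Hardened design: the target must accept before anything is shared. ---
    def request_link(self, requester_email, target_email):
        target = self.users[target_email]
        # Only an invitation is recorded; no access is granted yet.
        target.pending_invites.add(requester_email)

    def accept_link(self, target_email, requester_email):
        target = self.users[target_email]
        if requester_email not in target.pending_invites:
            raise AuthorizationError("no pending invitation from that account")
        target.pending_invites.discard(requester_email)
        target.partners.add(requester_email)

    # Data access checks the partner set regardless of how it was populated.
    def read_partner_log(self, reader_email, target_email):
        target = self.users[target_email]
        if reader_email not in target.partners:
            raise AuthorizationError("reader is not a linked partner")
        return list(target.cycle_log)

    # The advisory told users to review who is linked; this is that lookup.
    def linked_accounts(self, email):
        return sorted(self.users[email].partners)


def demo():
    """Run both designs against the same constructed data; returns (vulnerable_result, safe_result)."""
    log = ["2016-07-01", "2016-07-29"]

    vulnerable = TrackerService()
    vulnerable.register("alice@example.invalid", log)
    vulnerable.link_vulnerable("stranger@example.invalid", "alice@example.invalid")
    leaked = vulnerable.read_partner_log("stranger@example.invalid", "alice@example.invalid")

    safe = TrackerService()
    safe.register("alice@example.invalid", log)
    safe.request_link("stranger@example.invalid", "alice@example.invalid")
    try:
        safe.read_partner_log("stranger@example.invalid", "alice@example.invalid")
        blocked = False
    except AuthorizationError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    leaked, blocked = demo()
    print("vulnerable design leaked:", leaked)
    print("hardened design blocked unconsented read:", blocked)
```

The point of the two code paths is that the data-read check is identical; what differs is who is allowed to populate the partner set. An access-control review of a sharing feature should therefore ask not only "is the read gated?" but "who can grant the grant?", and the `linked_accounts` lookup is what lets a user verify that answer for their own account.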

Glow, which was developed by a tech incubator started by PayPal co-founder
Max Levchin, worked quickly to fix the problem after Consumer Reports told
the developers about the issue. It also sent an email to users informing
them about the bug and advising them to check their linked accounts.

“Of the more than 4 million users across our apps, far less than 0.15
percent of our users could have potentially been impacted, but there is no
evidence to suggest that any Glow data has been compromised,” Jennifer Tye,
the head of Glow’s U.S. operations, said in an emailed statement.

Last fall, Glow said it helped more than 150,000 couples conceive and
promoted research that it said showed that users who meticulously tracked
ovulation cycles in the app were 40 percent more likely to get pregnant
than casual users. But, as Wired reported at the time, some experts were
skeptical that Glow was really the reason those couples got pregnant.

In an interview, Tye told The Post that the company’s apps don’t seek to
replace services offered by fertility specialists. Instead, Glow’s apps
“help women and couples track various aspects of their reproductive
health.” Having that information on hand could help those struggling with
infertility work through the issue with their doctors, she said.

However, a recent study published in the Journal of the American Board of
Family Medicine found that many popular fertility- and period-tracking apps
struggled to accurately predict when women were most fertile - with Glow
ranking near the bottom of the reviewed apps.

Despite concerns about their effectiveness and Glow’s security problems,
the market for these apps is still booming - several of them rank high on
Apple’s App Store listing of health and fitness apps.

But privacy experts worry the women who use these apps may not fully
realize that their data is thinly protected. Alison Contreras, the lead
researcher on the study that raised questions about the effectiveness of
popular fertility-tracking apps, said a surprising number of the apps that
her team reviewed “didn’t have any privacy policy at all.”

Glow does have a privacy policy, which says it does not sell or rent
personal information to third parties - but that it may share data in “an
aggregate and anonymous format.” The company also reserves the right to use
information “to deliver targeted marketing.” Information about when a woman
is trying to have a baby is valuable to marketers because motherhood is one
of the few life events in which consumers often get hooked on new brands,
according to Peel, the Patient Privacy Rights founder.

“Generally, our policy is very consistent with what lots of other companies
out there say,” said Tye, the Glow executive. She said the app does not
currently feature marketing or advertising from other brands.

Some other period-tracking app privacy policies are more vague. Period
Tracker Lite’s privacy policy, for instance, provides few details - and a
2013 investigation by the Financial Times concluded the app shared user
data with third parties. The developer, GP Apps, did not immediately
respond to an inquiry about its current practices. A 2014 Federal Trade
Commission study of the larger health app market, in which period-tracking
apps are a major player, also found that many of the apps the agency
reviewed shared users’ information with third-party advertising and
analytics firms.

Concerns about privacy and security have left some experts skeptical about
fertility- and period-tracking apps operating outside of the traditional
regulatory framework for health data. Although these apps could help
researchers learn more about women’s health, app-makers should also
acknowledge they’re “handling medical information that should be treated
with the right safety precautions and confidentiality,” Contreras said.

“There’s definitely the need for some sort of HIPAA-compliant app that
would allow a patient to directly communicate with physicians,” she said.


Read more here: http://www.kansas.com/news/nation-world/national/article93700862.html#storylink=cpy