84% of period tracker apps share data with third parties

ORCHA report on data security in period tracker apps



A research team at ORCHA, the Organisation for the Review of Care and Health Apps, has examined the privacy policies of 25 period tracker apps and revealed significant flaws.

This follows the US Supreme Court’s decision to overturn the constitutional right to an abortion, leaving privacy experts concerned that data from period-tracking apps could be used to penalise anyone seeking to terminate a pregnancy.

Intimate data stored in some of these apps can show details of sexual activity, contraception used, and when the user’s period stops and starts.

Amongst the 25 period tracker apps from 24 app developers it examined, ORCHA discovered only one app that kept all the sensitive data on the mobile phone or device owned by the user.

The rest shared it with the app developer.

Furthermore, 84% of the apps allowed the sharing of personal and sensitive health data beyond the developer’s system, with third parties. At 68%, the majority did so for marketing, 40% for research and 40% for improving developer services of the app itself.

Amongst those sharing data with third parties, only one app demonstrated best practice by explicitly asking users for permission within the app itself, rather than bundling this into the Terms and Conditions, which very few people read.

ORCHA believes there is an industry-wide issue with where and when users are asked for their permission to share their data. This often comes at the beginning of the app registration process, with new users being asked to tick overall consent to Terms and Conditions and the Privacy Policy. Once users have signed away control of their personal data within minutes of downloading a new app, it becomes hard for them to regain control. Five of the apps tested offered no email address or telephone number for the app developer, which would have allowed users to request that their data be deleted, although this is a legal requirement.

Tim Andrews, COO of ORCHA, said:

“It would be best practice for an app to have a ‘consent’ page that’s easily accessed from the main menu. Each individual permission could then be ticked or unticked at any time. So, a user wanting to guarantee privacy could easily change their mind and untick the permission to share with third parties.”

Beyond sharing data with third parties, ORCHA found other data security concerns, including:

• Almost half of the apps tested which processed personal and sensitive data demonstrated poor compliance with GDPR.
• Only two showed evidence of conformity to best practice certifications including ISO27001 and Cyber Essentials.
• Eighty per cent of the apps reviewed did not meet the wider quality standards needed for them to be included on ORCHA Health App Libraries for NHS providers.

Fatima Ahmed, Registrar in Obstetrics & Gynaecology and ORCHA’s clinical lead for maternity and women’s health, said:

“Period tracker apps have come into sharp focus for alarming reasons – but they are probably the tip of the iceberg when it comes to data security. And even app developers who promise to stop sharing names and addresses, for example, should be aware that people can be identified by an IP address.”

To find out more details and discover two best practice apps, access the full report here.