In the wake of the leaked draft Supreme Court opinion that would overturn Roe v. Wade, privacy experts are increasingly concerned about how data collected from period-tracking apps, among other applications, could potentially be used to penalize anyone seeking or considering an abortion.
Millions of people use apps to help track their menstrual cycles. Flo, which bills itself as the most popular period and cycle tracking app, has amassed 43 million active users. Another app, Clue, claims 12 million monthly active users.
The personal health data stored in these apps is among the most intimate types of information a person can share. And it can also be telling. The apps can show when their period stops and starts and when a pregnancy stops and starts.
That has privacy experts on edge, because if abortion is ever criminalized, this data — whether subpoenaed or sold to a third party — could be used to suggest that someone has had or is considering an abortion.
"We're very concerned in a lot of advocacy spaces about what happens when private corporations or the government can gain access to deeply sensitive data about people's lives and activities," says Lydia X. Z. Brown, a policy counsel with the Privacy and Data Project at the Center for Democracy and Technology. "Especially when that data could put people in vulnerable and marginalized communities at risk for actual harm."
At least 26 states are "certain or likely" to ban abortions if the Supreme Court overturns Roe v. Wade, according to the Guttmacher Institute, a research group that supports abortion rights.
But some states have signaled an interest to go further. Two days after the leaked Supreme Court opinion was first reported by Politico, lawmakers in Louisiana advanced a bill that would classify abortion as a homicide.
Evan Greer, director of the digital rights advocacy group Fight for the Future, says period apps aren't the only ways technology can be used to connect someone to an abortion. If someone is sitting in the waiting room of a clinic that offers abortion services and is playing a game on their phone, that app might be collecting location data, she says.
"Any app that is collecting sensitive information about your health or your body should be given an additional level of scrutiny," Greer says.
Search histories could also be identifying, says Brown. Activist groups — regardless of what they're advocating for — might try to purchase a dataset that would show where people have been searching for information related to abortion.
That information could be used for predatory advertising, according to Brown, but it could also offer a way for private citizens to report another person for seeking an abortion. This could be especially risky in Texas, they added, given the state's controversial new abortion law known as SB 8.
The law bans abortion as soon as cardiac activity is detectable — typically around six weeks. It also empowers private citizens to enforce the ban through payments of at least $10,000 for anyone who successfully sues an abortion provider.
"Anybody could get their hands on this data by simply purchasing it from a company that is already collecting it," Brown says.
It's not uncommon for apps to cooperate with law enforcement during criminal investigations — oftentimes around child exploitative imagery in particular. If abortion is criminalized, experts say period-tracking data could become a target for investigators.
All of which makes an app's privacy policies especially important, but when it comes to privacy, these policies can be vague and in flux, according to Andrea Ford, a research fellow at the University of Edinburgh.
"It becomes really muddy when you get into abortion," Ford says. "If that [were to become] illegal in certain places, does that transcend the right to privacy that is written into the contracts in the way that child trafficking would?"
The Flo app has come under fire for sharing data before.
Last year, the Federal Trade Commission reached a settlement with the popular fertility and period-tracking app amid allegations that it misled users about the disclosure of their personal health data. The settlement followed a 2019 Wall Street Journal investigation that found the app informed Facebook when a user was having their period or if they informed the app that they intended to get pregnant.
In a statement to NPR, the company said it "firmly believes women's health data should be held with the utmost privacy and care at all times, which is why we do not share health data with any third party."
The company added that an external, independent privacy audit completed in March "confirmed there are no gaps or weaknesses in our privacy practices."
In a statement to NPR, period-tracking app Clue said "any data you track in Clue about pregnancies, pregnancy loss or abortion, is kept private and safe." As a European company, the company said it is obligated to apply "special protections" to reproductive health data, per European law.
Despite such pledges, Jason Hong, a professor at Carnegie Mellon University's School of Computer Science, cautions that the data a user inputs into a period-tracking app could reach far beyond the phone or the app they're using.
"It's really hard to understand how your data is being used and where it's being shared because it could be many many third parties, and those third parties can also resell to other third parties," Hong says. "Your data could actually be all over the network at this point. And it's really hard to track what's going on."
For those second-guessing their period-tracking app, Ford says there's a risk vs. convenience calculation that's different for each user. It depends in large part on where you live and what the laws are.
"If I lived in a state where abortion was actively being criminalized, I would not use a period tracker — that's for sure," she says.
But for those who choose to log their data online, there might be some options that aren't as risky. Ford says that apps built with a nonprofit model could offer more privacy.
Hong says paid apps could be better because they're less likely to track users, since they don't need to collect advertising data. Hong also advised users to read Apple's privacy nutrition labels, which are designed to show users how their data is used in simpler terms.
Apps that store data locally are also preferable, Greer explained, because when data is stored locally, the user owns it — not the company.
If police are interested in data stored on a user's device, they would need a warrant, which has a "much higher legal bar" than a subpoena, Greer says. But if the data is in the cloud and owned by a company, a subpoena would be necessary to access the data.
Ford says the most secure option might just be the most old-fashioned: tracking your cycle on paper.
"If you want to be safe, use a paper calendar."