A UK-based research group reports that period tracking app Maya and MIA are sharing sensitive data with Facebook.

Period tracking apps found to share data with Facebook

By Laura Lovett
Share

Period tracking apps have sprouted up all over the app stores. But those apps might not be as private as users think. An investigation from a UK-based research group Privacy International found that some apps are sharing users’ personal information including details about a user’s cycle and even the last time they had sex — with social media giant Facebook.

The report found that most popular apps including period trackers by Leap Fitness Group, Flo, Simple Design and Biowink’s Clue all passed the test and are not sharing with Facebook. 

The report said that period trackers Maya and MIA are both sharing data with Facebook. The report zeroed in on Maya which has roughly 5 million downloads. Researchers found that the tracker was telling Facebook when users opened the app, their medical history, what contraception they were taking, and even mood.

“Confidentiality is at the heart of medical ethics and countries that have data protection laws traditionally have a separate regime for health data, which includes health data, which are considered sensitive data,” the nonprofit wrote in the report. “Thus, when Maya asks you to enter how you feel and offers suggestions of symptoms you might have — suggestions like blood pressure, swelling or acne — one would hope this data would be treated with extra care. But no, that information is shared with Facebook.”

The research group explains that it’s not uncommon for app developers to use Facebook’s SDK for Android, which lets them “integrate their apps with Facebook’s platform and contains a number of core components: Analytics, Ads, Login, Account Kit, Share, Graph API, App Events and App Links. For example, using Facebook's SDK allows apps to use a "Login with Facebook" based authentication, meaning users can log in using their Facebook account.”

Since these allegations Maya responded to the nonprofit saying: “We understand your concern that in addition to providing the analytics SDK, Facebook is also a social network and an ad network. We have hence removed both the Facebook core SDK and Analytics SDK from Maya. Version 3.6.7.7 with these changes is live on the Google Play Store and will be submitted for review to the Apple App Store by this weekend. We continue to use the Facebook Ad SDK, post opt-in to our terms and conditions and privacy policy. Maya does not share any personally identifiable data or medical data with the Facebook Ad SDK. The Ad SDK helps us earn revenue by displaying ads that our users can opt out of by subscribing to Maya's premium subscription.”  

MobiHealthNews has reached out to Maya for comment and will update the story accordingly. 

WHY IT MATTERS

Privacy has been a long concern in the digital health world. As technology becomes a larger part of health stakeholders have discussed the dangers of sharing patient’s most personal information.

Investigators in the report point out that this personal data could help advertisers take advantage of people when they are vulnerable.

“There is a reason why advertisers are so interested in your mood; understanding when a person is in a vulnerable state of mind means you can strategically target them,” researchers wrote. “Knowing when a teenager is feeling low means an advertiser might try and sell them a food supplement that is supposed to make them feel strong and focused.”

THE LARGER TREND

The digital health world is no stranger to data leaks. In April smoking cessation apps came under fire after a JAMA study found that out of the 36 apps studied 33 transmitted data to a third party. Additionally, 17 of those apps either “lacked a privacy policy, failed to disclose the transmission policy in the text or said that the transmission wouldn’t occur.”

It’s not just apps in the privacy spotlight. Big name tech giants have also come under the microscope. In June a lawsuit was filed against Google and the University of Chicago Medical Center for violating patients’ privacy following a data-sharing partnership that the two parties inked two years ago. However, at the time Google argued that it always followed the HIPAA rules.

“We believe our healthcare research could help save lives in the future, which is why we take privacy seriously and follow all relevant rules and regulations in our handling of health data. In particular, we take compliance with HIPAA seriously, including in the receipt and use of the limited data set provided by the University of Chicago,” a Google Spokesperson, wrote in an email to MobiHealthNews. 

In the US, politicians have taken notice of these leaks. In June, senators Amy Klobuchar (D-Minn.) and Lisa Murkowski (R-Alaska) introduced legislation to strengthen privacy and security protections for consumers’ personal health data, specifically the data involved in DNA testing kits and health tracking apps.