Since the term was coined in 2016, femtech, a sub-sector in health technology dedicated to creating solutions that address female wellbeing, has continued to gain traction and attract VC funding globally. In Africa, however, the space is still very much in its budding phase. This segment is dedicated to telling stories of innovators, their solutions, the investors and the challenges of the sector as it blooms on the continent.
Two months ago, we sought to understand how Nigerian women used a plethora of period apps for their reproductive health. We created a survey to find out which apps were common, what most women used them to track and what their disposition towards the privacy of their information on these apps was. Our survey reached women between the ages of 18 and 35, women at the peak of their reproductive life, more than half of whom were single. Of the apps mentioned, two came out as the most popular period apps in use: Flo and My Calendar.
While most of our respondents used these apps to track their monthly cycles, a number of them used them for other reproductive health and fertility purposes.
We asked data experts at TechHive Advisory, a cybersecurity research and risk assessment company, to run checks on both apps to ascertain the level of security of user information on these apps.
The focus of these assessments was on in-built trackers and hidden permissions that users are often not privy to when signing up or creating their accounts. We’ll share some of their findings in this article. The analysis also looks at the apps' privacy policy documents and how truthful they are in the information they provide users about where their data goes and the control they offer users over the information they leave on the app.
The concern with data privacy and period apps is similar to concerns about privacy and companies like Facebook. Data is the new oil, it is said. From information such as name, age and gender to subtler online behaviour such as the sites one visits, keyboard strokes and time spent hovering over an image, every footstep online is potential fodder for Big Data companies profiting from advertising revenue by collecting and selling this information to the highest bidders.
The more behavioural your data, the more it is worth to those who peddle it. Basic information such as age and gender can cost barely $1 per individual, according to this Financial Times tracker, but when a data collector can tell if you are a fitness buff or not, whether you love to travel or not, whether you have children or just bought a house, the value of your data begins to climb.
Not many of our respondents seem concerned about this, the data from our survey reveals. A large percentage are “not really” concerned about where the sensitive information they upload to these apps goes. There’s a tie between those who are expressly concerned and those who are not concerned at all, and a small percentage sometimes worry about data privacy.
On one hand, there is a possibility that many have come to the conclusion that targeted ads aren’t such a terrible exchange for the services they receive at no cost. On the other hand, without real-time repercussions of misplaced sensitive data, it is difficult to see what impact it may really have on one’s reproductive life. But this in no way reduces the chances of potential misuse or harm.
Typically, most period app companies publish a privacy policy which states what data they collect, how it is used and who it is shared with, often with the promise that the data is anonymised or that a user can rescind any permissions originally granted. But data is never completely anonymised.
“While a privacy policy gives us a fair idea of what the company does,” says Ridwan Oloyede, Partner (Privacy and Data Protection), Tech Hive Advisory, “what if the company is not being honest in what they state in their privacy notice?”
“This means reading the privacy notice is not going to save you.”
Apps often come with trackers (which monitor app and general phone usage) and require mobile phone permissions (access to certain personal information) to enable their use. An app could request access to your folders or your emails. It could request access to your contacts or listen in on your phone calls. Information regarding these trackers and permissions is often supposed to be disclosed to users before they download the app or create accounts on it.
“How do you address all of these violations when you find out?” Oloyede asks. “That’s if you ever find out.”
According to Tech Hive’s findings, some of the period apps reviewed do not inform users of what permissions they grant the app, some of which Google deems dangerous. Neither do they inform users about what trackers are embedded or the information being tracked.
Trackers: Flo has three trackers; two for analytics and one for advertisement.
Permission: Flo has 10 permissions. None is flagged as dangerous by Google protection levels.
Privacy Notice: Flo’s privacy notice made an express commitment not to disclose personal data to advertisers, but did not address the advertisement trackers embedded in the app. Also, there seems to be a contradiction between its privacy notice and the nature of the ad trackers embedded in the app.
According to the notice, “We will never sell, rent, or disclose your Personal Data… We will also not use the information gained through your use of the HealthKit and Google Fit framework for advertising or similar services, or sell it to advertising platforms, data brokers, or information resellers.”
The app seemingly shares data with a third party, AppsFlyer, which also shares data with other third parties. According to the notice, one of the trackers “sends your data to some of its integrated partners (e.g. Pinterest, Google Ads, Apple Search Ads, FB marketing network, and a couple of others) to find you or people like you on different platforms, including social media websites.”
My Calendar by Simple Innovation
Trackers: Simple Innovation’s My Calendar has 13 trackers: seven for adverts, five for analytics and one for crash reporting. Its advertisement trackers are shared with third parties.
Permission: There are 10 permissions, three of which have been flagged as dangerous by Google protection levels. These permissions allow the app to read location from users’ media collection, read the contents of shared storage and write to shared storage. Users are not presented with the option to consent to the dangerous permissions.
Privacy Notice: Though the notice is available on the Play Store, it cannot be accessed inside the app. The application did not provide a privacy notice before users sign up or create an account. And there is no request that allows the user to grant permissions, despite three of them being flagged as dangerous.
Trackers: The App has two trackers, one for advertisement and another for analytics.
Permission: There are six permissions, including the use of fingerprint, but none of them is flagged as dangerous.
Privacy Notice: The notice is not clear on data subject rights and how to enforce them. The notice is not reflective of the type of processing carried out on the mobile app; it does not address the trackers, the identities of third parties or the permissions. The application did not present the privacy notice before users sign up or create an account.
Overall, the notice is so poorly drafted that it does not excel at the one thing it should do right – transparency.
Other apps, like Maya, do share very sensitive and private information of users with organisations like Facebook, according to 2019 research by Privacy International.
Perhaps being targeted with ads doesn’t sound that ominous when conversations around data privacy happen. But when you look at global politics and how Big Data companies have become very influential in community decision making, or how public institutions are now looking to use algorithms in their processes (think micro-lending organisations and their operations), then it becomes a cause for concern not to know where the information provided to these app companies ends up. According to Oloyede, the fact that such data could be completely repurposed should be worrying.
“If your app can consistently tell me that you do not have a well-functioning heart for instance, and I can share that information with third parties who can sell this to insurers, they are able to determine, oh this person could be high-risk, let’s lower the cover that they can enjoy,” Oloyede says.
These are ways in which data misuse can impact real-life outcomes.
The goal is not to stop using period apps; they remain very helpful tools for women of reproductive age. What is important is transparency: that users are aware of where the data goes and what it is used for, and that they have the control to say, "I don’t want my data being used for this," and have that demand met.
So be sure to:
Read privacy notices: A privacy notice provides an insight into the nature and extent of processing of data by an organisation, the rights of the data subjects and how to exercise these rights. Our survey shows that privacy policies are more often ignored than read.
A privacy notice is not exactly a contract between a company and an app user, Oloyede says, and there may be conditional terminology that suggests a company is not forthcoming with all the information a user needs to know. For example, some apps might not mention their use of cookies or other tracking technologies even though these are present. It doesn’t hurt to know these things and understand that these are grey areas.
Modify the privacy settings: It is possible to restrict some of an app’s permissions by adjusting the phone settings and the app settings to improve privacy and security. This offers you a bit of control.
Check the permissions: Some applications request excessive permissions that are not relevant for them to function effectively. Excessive permissions could result in risks to the data subject. Consider disabling unnecessary permissions through the phone settings. You can find out what permissions an app has to your device by looking at the app settings on your App Store.
Avoid providing too much data: Only provide data that is necessary to the application’s functionality and performance and never more.
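The permission check described under "Check the permissions", and in the findings on permissions flagged as dangerous, can be reproduced for any Android app from its manifest. The following is an added example, not code from Tech Hive Advisory or the original article: it assumes a decoded AndroidManifest.xml (for instance, one produced by a tool such as apktool), and the function name `audit_permissions`, the sample manifest and the partial protection-level table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
PREFIX = "android.permission."

# Partial table (assumption: a subset only) of Android platform protection levels.
DANGEROUS = {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "ACCESS_MEDIA_LOCATION",
             "ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION", "READ_CONTACTS",
             "RECORD_AUDIO", "CAMERA", "READ_CALL_LOG", "READ_SMS"}
NORMAL = {"INTERNET", "ACCESS_NETWORK_STATE", "WAKE_LOCK", "USE_FINGERPRINT"}

# Constructed sample manifest; it does not come from any real app.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.cycletracker">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.USE_FINGERPRINT"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_MEDIA_LOCATION"/>
  <uses-permission-sdk-23 android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="com.example.ads.permission.TRACK"/>
</manifest>
"""

def audit_permissions(manifest_xml):
    """Group the permissions a manifest requests by protection level."""
    root = ET.fromstring(manifest_xml.strip())
    report = {"dangerous": [], "normal": [], "unclassified": []}
    seen = set()
    for elem in root:
        # Both element names request a permission; the second applies on API 23+.
        if elem.tag not in ("uses-permission", "uses-permission-sdk-23"):
            continue
        name = elem.get(ANDROID_NS + "name")
        if not name or name in seen:
            continue  # skip malformed entries and duplicates
        seen.add(name)
        short = name[len(PREFIX):] if name.startswith(PREFIX) else None
        # Custom or unlisted permissions are never assumed safe.
        level = ("dangerous" if short in DANGEROUS else
                 "normal" if short in NORMAL else "unclassified")
        report[level].append(name)
    return report

if __name__ == "__main__":
    print(audit_permissions(SAMPLE_MANIFEST))
```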