How much of your personal information do menstrual management apps send to Facebook?


by Erol Ahmed

Some people use apps to keep track of their menstrual cycle, but it has been found that the information collected by menstrual management apps has already been sent to Facebook before the user agrees to the privacy policy. Menstrual management apps are packed with personal information such as menstrual cycles, user moods, lifestyles, and details of users' sex lives. Privacy International reveals how this information is sent to Facebook and third parties.

No Body's Business But Mine: How Menstruation Apps Are Sharing Your Data | Privacy International
https://www.privacyinternational.org/long-read/3196/no-bodys-business-mine-how-menstruation-apps-are-sharing-your-data

Privacy International surveyed 36 apps in 2018 to find out how various apps handle users' personal information, and found that 61% sent data to Facebook as soon as the app was opened. The data was transmitted regardless of whether the user had a Facebook account or was logged in to Facebook, and it included very sensitive personal data.

This data transmission is done via Facebook's SDK (Software Development Kit), so websites that embed Facebook's “Like” button and apps that use “Login with Facebook” send the data automatically.

When Privacy International published this in 2018, two-thirds of the companies included in the report said they had updated their apps. Privacy International therefore decided to carry out a new investigation into menstrual management apps, which contain even more sensitive personal data.

The following apps were surveyed by Privacy International.

Maya-record menstrual period

Period Tracker MIA Fem: Ovulation Calculator

My Period Tracker / Calendar

Period tracker & Ovulation calendar by PinkBird

Physiological calendar

Mi Calendario by Nosotras

Of these, “Physiological calendar”, second from the bottom, did not share data with Facebook, but data sharing was observed in the other five. In particular, “MIA Fem” and “Maya” shared personal data extensively with third parties. When Privacy International shared its findings with the developers, Maya replied that “both Facebook's core SDK and analytics SDK have been removed from Maya.” On the other hand, Privacy International says that the MIA Fem developer contacted it to ask that their answers not be published.


by Eric Rothermel

The details of how each app handles data are as follows.

◆ Maya
Maya is a popular app that has been downloaded 5 million times on Google Play.

The first thing Privacy International found about Maya was that it notifies Facebook when the user opens the app. Even the single act of opening a menstrual management app makes it possible to infer that the user is probably a woman, is of menstruating age, and is trying to conceive or trying to avoid having a baby. The app also asks users to agree to a privacy policy, but because Maya already starts sending data to Facebook before the user agrees, this raises concerns about transparency.

Maya also asks the user to enter their “current state”. Health data such as blood pressure, acne and swelling is sent to Facebook when it is entered or edited. Personal information that goes beyond medical data, such as the method of contraception used, is also sent to Facebook.



In addition, data related to feelings such as happiness, anxiety, and excitement is sent, which is a very big problem: knowing how users feel helps advertisers target their “weak moments”. Knowing when teenage boys and girls feel depressed makes it easier to sell them supplements that promise to help them concentrate and feel confident. Understanding a person's mood is the first step in manipulating that person.



Maya’s privacy policy states that “personal data will not be disclosed to advertisers,” but at the same time says that “personal data will be used to target audience ads according to our advertiser’s wishes.”

In addition, Maya, like other menstrual management apps, has a place to enter information such as “when sexual activity occurred” and “when contraception was used”. Unlike other data, which is entered as numbers, this information is sent to Facebook in human-readable form. In this regard, Privacy International says, “We understand that user data is needed to provide the service. However, the connection between data on whether sexual activity took place without contraception and the prediction of the menstrual cycle is difficult to understand.”


by Sharon McCutcheon

In addition, Maya has a section where users can write diaries and notes. Very sensitive information can be expected to be entered here, and when Privacy International entered the text “very personal data is written here” and analyzed the traffic, it turned out that the entire text was shared with Facebook.

Further investigation revealed that this personal data was sent not only to Facebook but also to a third party labeled “wzrkt.com”. wzrkt is an abbreviation for “Wizard Rocket”, the previous name of a mobile marketing company known as CleverTap in 2019. It is important to understand that the sharing of information with Facebook and CleverTap starts before the user agrees to the privacy policy.
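An added example, not code from Privacy International or from the original article: a sketch of the kind of traffic check described above, run over a constructed proxy capture. It flags requests to third-party hosts that occur before the consent timestamp or that carry a canary string typed into the app; the capture format, the first-party host, the URL paths and the Facebook and AppsFlyer host suffixes are assumptions.

```python
import json
from urllib.parse import urlsplit, unquote_plus

# Host suffixes treated as third-party recipients. wzrkt.com is named in the
# article; the Facebook and AppsFlyer suffixes are assumptions for this sketch.
THIRD_PARTY_SUFFIXES = ("facebook.com", "wzrkt.com", "appsflyer.com")

# Constructed capture (one JSON object per request); t = seconds since app launch.
SAMPLE_CAPTURE = """\
{"t": 1.2, "url": "https://graph.facebook.com/constructed/path", "body": "event=app_open"}
{"t": 2.0, "url": "https://api.example-app.test/config", "body": ""}
{"t": 9.5, "url": "https://wzrkt.com/constructed", "body": "note=very+personal+data+is+written+here"}
{"t": 12.1, "url": "https://api.example-app.test/sync", "body": "note=very personal data is written here"}
"""

def is_third_party(host):
    """Match on a dot boundary so 'notfacebook.com' is not mistaken for facebook.com."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in THIRD_PARTY_SUFFIXES)

def audit(capture, consent_time, canaries):
    """Return (host, t, reasons) for third-party requests that precede consent
    or whose body contains a canary string entered into the app under test."""
    findings = []
    for line in capture.splitlines():
        if not line.strip():
            continue
        flow = json.loads(line)
        host = urlsplit(flow["url"]).hostname or ""
        if not is_third_party(host):
            continue
        reasons = []
        # consent_time=None means consent was never given during the capture.
        if consent_time is None or flow["t"] < consent_time:
            reasons.append("before-consent")
        # Decode form encoding so 'very+personal+data' still matches the canary.
        body = unquote_plus(flow.get("body", "")).lower()
        reasons += ["canary:" + c for c in canaries if c.lower() in body]
        if reasons:
            findings.append((host, flow["t"], reasons))
    return findings

if __name__ == "__main__":
    canary = "very personal data is written here"
    for host, t, reasons in audit(SAMPLE_CAPTURE, 5.0, [canary]):
        print(f"{t:6.1f}s {host}: {', '.join(reasons)}")
```
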

◆ MIA Fem
Another menstrual management app, “MIA Fem”, follows the same practices as Maya. MIA Fem also asks users to agree to a privacy policy, but sharing information with Facebook begins before the user agrees, and data is sent when the user opens the app. Information is also shared with a mobile marketing company called AppsFlyer.

In the case of MIA Fem, before starting to use the app, the user is asked to select the purpose of using it: “knowing the menstrual cycle” or “maximizing the possibility of pregnancy”. This is a natural question for the app to ask, but it is also a valuable one for advertisers. If the user chooses the latter answer, the information is instantly shared with Facebook and third parties, and the user is targeted for advertising. In the United States, the average person's personal data is worth $0.1 (about 11 yen), while a pregnant woman's data is said to be worth $1.5 (about 160 yen).

Like other menstrual management apps, MIA Fem asks about your period, the length of your period and your cycle, and this data is shared with Facebook and AppsFlyer.

MIA Fem also has a data entry option that asks a wide range of lifestyle questions, not only about mood and health, but also about coffee, alcohol and tampon use. Privacy International confirmed that simply selecting this data does not share information with Facebook ...



When you press the “Analyze symptoms” button, articles from the Internet based on the selected information are displayed. For example, if you select “masturbate” in the sexual activity section, an article titled “Masturbate: What you want to know but be embarrassed to hear” appears.



When an article is displayed, the app sends Facebook information about which article was shown to the user, along with the information the user entered into the app. The traffic analysis shows that an article about masturbation was displayed.



In addition, the traffic analysis shows that articles are displayed based on information such as alcohol consumption, sex life, and pain felt during ovulation.

According to Privacy International's investigation, apps other than Maya and MIA Fem were also sending data to Facebook when the app was opened. Privacy International says the Mi Calendario app uses an older SDK, which raises security concerns.

◆ Conclusion
First, for app developers, Privacy International recommends carefully considering the potential for harm to users when designing an app, and carefully evaluating the impact on privacy and the risks involved. Many menstruation management apps collect data that is not needed to provide the service; developers are urged to collect only the data that is necessary. It is important to share data only with those who need it to provide the service. Especially when using third-party tools such as the Facebook SDK, developers need to check the data sharing settings.


by Tim van der Kuip

For general users of these apps, it is recommended to review existing privacy settings. On Android, you can periodically reset the advertising ID from “Settings” → “Google” → “Advertising” → “Reset Advertising ID”, and on iPhone from “Settings” → “Privacy” → “Advertising” → “Reset Advertising Identifier”. Similarly, you can choose to “opt out of personalized ads” on Android or “restrict tracked ads” on iOS. It is also recommended that you regularly check the permissions granted to each app and limit them to only those required to use the app.

◆ Data Protection Law
How a user’s personal data is protected depends on whether the app developer is based in the EU, provides services to users in the EU, or is based outside the EU and provides its services there. However, Privacy International argues that high standards such as the EU General Data Protection Regulation (GDPR) should benefit everyone, and calls on companies to comply with GDPR regardless of whether they are within the EU. GDPR requires companies that control data to provide information such as “contact information for the controlling company, the purpose and legal basis of personal information processing, data recipient information, including third parties, and basic data protection rights.”

in Software, Security, Posted by darkhorse_log