It was discovered that the free period-tracking app 'Stardust' shared users' phone numbers with a third party, and the operator explained that the data is 'not for sale'.



After the U.S. Supreme Court overturned Roe v. Wade, the ruling that recognized women's right to abortion in the United States, the popularity of the period-tracking app 'Stardust' surged and it jumped to the top of the rankings on the App Store. Stardust had just promised to encrypt users' personal information and not share it with government agencies, but it was discovered that the app shares users' phone numbers with a third-party analytics company.

Period tracker Stardust surges following Roe reversal, but its privacy claims aren't airtight | TechCrunch
https://techcrunch.com/2022/06/27/stardust-period-tracker-phone-number/

The #1 Period Tracker on the App Store Will Hand Over Data Without a Warrant
https://www.vice.com/en/article/y3pgvg/the-1-period-tracker-on-the-app-store-will-hand-over-data-without-a-warrant

The Supreme Court's overturning of Roe v. Wade removes the constitutional protection of the right to abortion and allows individual states in the United States to enact legislation that criminalizes abortion. This ruling has driven users to remove period-tracking apps from their smartphones. The reason is that the data collected by a period-tracking app can be 'used to prove that the user has had an illegal abortion.' Attention has therefore focused on how period-tracking apps handle their data.

What attracted attention here was Stardust, which had just announced that it would 'make it impossible to share users' personal information with government agencies' by implementing end-to-end encryption. However, when the news outlet TechCrunch analyzed Stardust's network traffic to look at the data going in and out of the app, it found that if the user logs in to the app using a phone number, that phone number is shared with a third-party analytics company called Mixpanel.

Mixpanel is a company that provides widely used analytics services that let app developers track app usage and identify errors and ways to improve their apps. Its analytics service works by tracking how someone uses the app and sending that data back to Mixpanel's servers. Stardust shares not only the phone number with Mixpanel, but also the model and software version of the device on which the app is installed, the mobile carrier used by the phone, and so on.
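A traffic review of the kind described above can be partly automated. The following is an added example, not TechCrunch's tooling or Stardust's code: it scans captured request bodies sent to hosts outside a first-party allowlist for phone-number-shaped values and device metadata. The host names, the base64 `data` form field and the property names are assumptions, and the captured requests are constructed samples.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

FIRST_PARTY = {"api.stardust.example"}                # hypothetical first-party host
DEVICE_KEYS = {"$model", "$os_version", "$carrier"}   # assumed property names
PHONE_RE = re.compile(r"^\+?\d[\d\s().-]{7,}\d$")

def decode_body(body):
    """Decode a form body whose `data` field is base64 JSON, or a raw JSON body."""
    form = parse_qs(body)
    raw = form["data"][0] if "data" in form else body
    for decode in (lambda s: base64.b64decode(s, validate=True), lambda s: s):
        try:
            return json.loads(decode(raw))
        except ValueError:            # bad base64, bad UTF-8 or bad JSON
            continue
    return None

def walk(node, path=""):
    """Yield (dotted_path, leaf_value) for every leaf in a JSON structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from walk(value, f"{path}[{i}]")
    else:
        yield path, node

def audit(requests):
    """Return (host, path, kind) for identifiers leaving to third-party hosts."""
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname
        payload = None if host in FIRST_PARTY else decode_body(req["body"])
        for path, value in walk(payload) if payload is not None else ():
            if isinstance(value, str) and PHONE_RE.match(value):
                findings.append((host, path, "phone_number"))
            elif path.rsplit(".", 1)[-1] in DEVICE_KEYS:
                findings.append((host, path, "device_metadata"))
    return findings

# Constructed sample capture (not real traffic).
_event = {"event": "Login", "properties": {"distinct_id": "+15555550123",
          "$model": "iPhone13,2", "$os_version": "15.5", "$carrier": "ExampleTel"}}
SAMPLE = [
    {"url": "https://analytics.example/track",
     "body": urlencode({"data": base64.b64encode(json.dumps(_event).encode()).decode()})},
    {"url": "https://api.stardust.example/v1/login",
     "body": json.dumps({"phone": "+15555550123"})},
]
```

Running `audit(SAMPLE)` flags the login identifier and three device properties on the analytics request and ignores the first-party login call.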

TechCrunch said, 'We couldn't see the health-related data Stardust shares with Mixpanel, but if the phone number associated with a particular user of the period-tracking app is shared with a third-party company like Mixpanel, prosecutors can compel the data from Mixpanel, even if Stardust claims it can't share personal information.'

Meanwhile, Stardust founder Rachel Moranis told TechCrunch, 'The current version of Stardust uses a Mixpanel-related data collection mechanism that has been disabled or removed in the new version. In addition to not sending personally identifiable information to Mixpanel, the new version of Stardust disables IP tracking to protect users from metadata that is used to identify them.'

Stardust also tweeted that it is working on building an 'anonymous sign-in method' so that you don't have to enter your phone number when logging in to the app.




TechCrunch said that the privacy policy Stardust updated on June 26, 2022 'shows that users are not as protected as the app claims,' and cautioned: 'Please note that Stardust collects various data about your device, activity and location through cookies and other tracking techniques. We also isolate some exceptions to data sharing with our providers. With the consent of the user, we may disclose non-personalized data 'when we need to comply with or respond to law enforcement agencies or legal processes' as required by law.'

According to app research firm Sensor Tower, on June 24, when Stardust announced that it would implement end-to-end encryption, the app had 135,000 new installations, 4400% of the previous day's installations. On the following day, the 25th, the number of new installations increased to 200,000, and the App Store ranking jumped from 119th to 1st.

TechCrunch asked Moranis, 'How does Stardust implement end-to-end encryption?' Moranis answered, 'All traffic to the server is standard SSL hosted on AWS, and it takes advantage of the built-in AES-256 cryptographic implementation for subsequent data storage on Amazon RDS.' TechCrunch points out, 'This describes how data is encrypted in transit and while it's stored on Amazon's servers, but it's not clear if this implementation is considered true end-to-end encryption.' 'Once the end-to-end encryption implementation is complete, we plan to fully publish the implementation along with a third-party audit,' Moranis said, but the timeline for this disclosure has not been published.

After TechCrunch pointed this out, Stardust updated its privacy policy to state, 'We don't sell your data, we don't sell it,' explaining that it has never sold user data. According to TechCrunch, when Stardust updated its privacy policy it also removed the mention of 'end-to-end encryption.'

Privacy Policy — Stardust
https://www.thestardustapp.com/privacypolicy

in Mobile,   Software,   Security, Posted by logu_ii