When I went to get a quarantine-releasing Covid test last year, I had no idea that my DNA could end up permanently in someone else’s hands.
There was no explicit warning when I booked the test online with Cignpost Diagnostics, trading as ExpressTest. I simply ticked a box next to the privacy policy, as we all do. Had I trawled through the 4,876-word policy and clicked a further link, I would have found a document on Cignpost’s “research programme”, and discovered that it reserved the right to sell customers’ DNA to third parties. And that the swabbers’ data would be retained indefinitely. Cignpost has since changed its privacy policy — the company said the document had been uploaded in error and that it has “not shared any human DNA” from Covid tests.
Opaque and confusing data policies have become ubiquitous, even as the harvesting and trading of users’ information from health-related apps has proliferated. Fears over data privacy have been reignited in the wake of the US Supreme Court’s decision to overturn Roe vs Wade, the landmark ruling recognising a right to abortion. Campaigners and cyber security experts now warn that fertility app data could be weaponised to detect and convict women seeking terminations.
In 2019, my younger sister’s experience of using Flo, a period-tracking app, underlined the reality of how easily we can lose control of our digital selves. She is now one of millions of women who have had their most intimate health data shared and sold. A 2020 Consumer Reports investigation revealed that five of the most popular period-tracking apps, including Flo, shared user data with third parties. Last year, Flo settled with the US Federal Trade Commission over allegations that despite promising to keep users’ data private, it had “shared sensitive health data from millions of users” with marketing and analytics companies, including Facebook and Google. Susanne Schumacher, Flo’s data protection officer, told me this settlement was “not an admission of wrongdoing” but was designed to “decisively put the matter behind us”.
The problem is that menstrual-tracking apps hoover up highly sensitive information about users, including libido levels, contraception use, and identifiers such as emails and IP addresses. And the private health data we upload to our apps is often available for anyone to buy.
“The entire universe of reproduction is a gold mine for advertising and market data,” says India McKinney of the non-profit Electronic Frontier Foundation. Companies are greedy for those lucrative insights. Some employers have even bought data from period-tracking apps, McKinney says, to discover which employees were considering pregnancy.
Concerns about how data might be used to spy on American women seeking to circumvent the abortion ban appear well-founded. In May, a Vice investigation found that SafeGraph, a location data firm, was charging $160 for a week’s worth of data on where people who’d visited Planned Parenthood came from and where they went afterwards. In 2017, a mother-of-three in Mississippi was charged with second-degree murder after a prosecutor used her browsing history for abortion pills to imply motive after she lost her pregnancy. Charges were later dropped.
On its own, fertility app data would probably not be enough to prove an abortion. But pooled with other details such as location or search history, it would be relatively easy to identify a woman considering termination. Even if information is anonymised, you only need two or three data points to figure out who someone is. “Each company collects data about you,” says McKinney. “That’s sold to a data broker who aggregates it. And so there’s this profile on you as an individual.”
There are two potential remedies. One is for governments to get much more robust about regulating the activities of companies that seek to make cash from their citizens’ most intimate details. Or, users need to be much more careful about what they sign up to — even if it means reading a 4,876-word privacy policy before checking that box.
