Period tracking app Flo is hoping its newly released “Anonymous Mode” will give users the confidence to continue using their product even as state law enforcement authorities around the country appear increasingly interested in soliciting data from apps to prosecute alleged abortion seekers. Privacy experts speaking with Gizmodo welcomed Flo’s update but warned it still falls short of meeting the definition of fully anonymous. Similarly, the experts said privacy-preserving features like these are fundamental and shouldn’t come as add-on options, particularly given the potentially horrific consequences of that data getting in the wrong hands.
Flo, one of the leading apps in its field supposedly boasting around 240 million users, announced the privacy-preserving mode in June, around one week after the Supreme Court overturned Roe v. Wade. The mode was officially released for iOS users on Wednesday with an Android version coming next month. Flo claims this new mode provides its users the ability to use its services without providing a name, email address, or identifiers from being associated with the health data. These features, according to Flo’s press release, mark a first for female health apps.
The company says it turned to web infrastructure company Cloudflare to help make all that happen. By using Cloudflare’s App Relay, Flo says it can ensure users’ privacy on “various levels”—from logged symptoms on a device to data transferred over the network—and ensure no single party processing a user’s data has a complete vision of who the users are are and what they’re trying to access. In theory, Flo says this approach should significantly reduce users’ digital footprints when communicating with Flo.
“Now, more than ever, women deserve to access, track, and gain insight into their personal health information without fearing government prosecution,” Cath Everett, Flo’s VP of Product and Content said in a statement. “We hope this milestone will set an example for the industry and inspire companies to raise the bar when it comes to privacy and security principles.”
Flo’s anonymous mode will reportedly come at the expense of certain features, according to The Verge. Anonymous Mode users, for example, won’t be able to connect to a wearable device and also can’t transfer their information to a new device.
Experts say Anonymous Mode is good, but not technically “anonymous”
Speaking with Gizmodo, Surveillance Technology Oversight Project Executive Director Albert Fox Cahn applauded Flo’s effort, which he described as a “huge step forward,” but cautioned against overstating its capabilities. Though an improvement, Fox Cahn worried that referring to the mode as “fully anonymous,” misses the mark.
“Flo has done a lot to limit the data it can access on the backend, but there are still some risks about how police could track this data if they ever seize a user’s device,” Fox Cahn said. “These sorts of privacy practices should be much more commonplace, but the sad truth is whenever we track our lives digitally, there is some risk it can be used against us in court.”
Flo did not immediately respond to Gizmodo’s request for comment.
Similarly, Fight for the Future Campaign Director Caitlin Seeley George told Gizmodo the new mode shows companies are paying more attention to post-Roe privacy concerns but expressed doubts over whether that’s enough to regain skeptical users’ trust. A Federal Trade Commission complaint last year alleged Flo shared the health information of users with third parties despite saying they would keep that information private. Some users also reportedly deleted their fertility tracking apps over privacy concerns following the Roe reversals.
Seeley George went on to say features like Flo’s so-called Anonymous Mode should be on by default for companies dealing with potentially sensitive user data. Those firms, according to Seeley George, should also encrypt messages end-to-endquit collecting and retaining location and search data, and refrain from selling information to companies that may abuse it.
“Ultimately, privacy should not be an added feature that companies only adopt after getting caught abusing their users’ data,” Seeley George said.
Advocates, researchers, and lawmakers have for months warned of a potential data privacy crisis sparked by the Supreme Court’s overturning of Roe v. Wade. With dozens of states outlawing and even criminalizing abortions, many fear local law enforcement could simply request user data from apps like Flo to potentially corroborate criminal prosecutions.
There’s already some evidence of this happening. Earlier this year, Nebraska authorities prosecuted a 17-year-old girl and her mother for an apparent at-home abortion. Prosecutors proved their case, in part, by obtaining Facebook messages between the girl and her mother which allegedly confirmed they purchased medication to induce an abortion. Although this case occurred before Roe v. Wade was overturned, advocates warn it’s a prime example of the potential real-world consequences of non-anonymized health data.
While it’s easy to single out Flo for adding a crucial privacy-preserving as an add-on feature, the unfortunate reality is that period trackers and pregnancy apps, in general, are often privacy nightmares. Mozilla reviewed 25 of these apps not long after the Supreme Court ruling and labeled 18 of them with a “privacy not included” stamp. Not a single one of the pregnancy apps reviewed met privacy researchers’ standards. Most of the apps, according to the research, did not have clear guidelines for how they would respond to data requests from law enforcement.
These aren’t the only types of firms capable of exchanging data on potentially pregnant people either. The Gizmodo investigation earlier this year identified 32 different data brokers across the US selling access to unique mobile IDs of nearly 3 billion profiles described as “actively pregnant” or “shopping for maternity products.”
“We need companies to collect and retain less data from the get-go, and to make ‘Anonymous Mode’ the default so that no one has to be afraid of who might gain access to their information,” Seeley George said. “This should be the standard not only for apps collecting health and reproductive-related data but for all apps.”