Since the Supreme Court ruling in Dobbs, social media has erupted with exhortations for people to delete period tracker data. Fearing dragnet surveillance, other corners of the internet have called on cisgender men to start using period trackers to corrupt the data. Advice, good and bad, has been flowing rapidly through social media. Much of this advice misunderstands the technology, the applications of the data, and the law enforcement actions that could result from access to this data. Nevertheless, the simple fact that these fears are so visceral and relatable highlights a gap in American consumer protection law.
Understanding the technology
To first understand why we need a structural, rather than an individual, solution to the problem, let’s first explore the dynamics of the data ecosystem as it relates to menstrual trackers.
Most menstrual trackers consist of a mobile app with some basic inputs to allow a person to track their menstruation. Some have features to allow the user to specify how heavy their flow is, what their mood is, or a handful of other features that may be helpful to track ovulation, irregularities in cycles, hormone levels, birth control adherence, and so forth.
Before we go into the details, let’s make one thing clear: regardless of how an app stores its data, deleting the app alone is no guarantee that the data is deleted. Data in local storage may persist even after the app is deleted, although this depends on the phone, the operating system version, and the user settings. In Android, for instance, it’s possible to retain data after app deletion, although this prompts a user dialog. Unfortunately, if you ignore or misunderstand the prompt, it’s very hard to find where the data resides unless you are highly competent navigating the Android file system. On some versions of iOS, the application can also store local data in iCloud (more later) or in the Keychain, and deleting the app does not remove this data. The “offload app” feature, which some users may mistake for “uninstall app,” explicitly retains data. Backups, for instance on iTunes, can also create a local copy of data on a different device, and syncing your phone again can reload the data (and the app) back onto your phone. In short, one should never assume that deleting an app implies the permanent deletion of the data.
With that said, let’s look at the differences between the storage methods described above.
- Local Data is stored on the device, and the only people who can see the data are people who have physical access to the device;
- Public Cloud storage means data is stored on a public cloud provider, typically Amazon Web Services, Microsoft Azure, or Google Cloud Platform. The visibility of the data depends on many factors that the user almost certainly cannot determine alone;
- Data Center storage means data is stored on computers that the app maker exclusively controls, although they may not own the data center itself. Again, the visibility of the data depends on many technical considerations.
These three modes of storage affect how easy or difficult it is for an American law enforcement agency can get access to the data. For locally stored data, law enforcement would require physical access to your device. If they cannot get access to your device, they cannot get the data (with a few exceptions I will describe in the next section).
For data stored on the public cloud, law enforcement can get access to the data either by serving a search warrant to the app maker or the cloud provider itself. Acts like the US CLOUD Act can even compel the foreign release of data by companies that operate in the United States; this includes, of course, Amazon, Microsoft, and Google. In such a case, the app maker may resist providing access to the data, but if the cloud provider holds the encryption keys, then law enforcement has an alternative path to accessing the data. For this reason, I almost always advise technology companies using the public cloud to use a technique known as “Bring Your Own Key." This helps remove this threat vector against user data.
For data stored in a private data center, usually only the app manufacturer has access to the encryption keys. Even if law enforcement physically removes the drives, the data will be unreadable. Moreover, if the company that makes the app is domiciled overseas, and domiciles their data overseas, then it is much less likely that American courts will be able to reach the data. In my personal, not-a-lawyer opinion, this is the strongest way to protect your data.
One weakness however: if the data is stored on someone else’s device, such as in a private data center, it’s possible that employees have access to that data. Here, you have to rely on the strength of data protection laws and personal and professional ethics to create a negative incentive for employees to misuse the data, but you cannot yourself guarantee a denial of access. For this reason and others, some people recommend using apps that only use local storage. This has some drawbacks which I will now discuss.
Understanding local storage
Local storage can feel like the safest way to prevent access to your data. However, there are a couple of weaknesses with this approach. First, local storage is only as strong as the access to your phone. This is the achilles heel to local storage as a data protection option. I don’t have statistics, but from my personal experience, most smartphone users I see use terribly insecure ways to guard access to their phones, using only 4-6 digit pins, swipe patterns, Face ID, Touch ID, or other biometric access methods. All of these are so insecure as to be useless when considering law enforcement capabilities.
The ability for law enforcement to break a pin depends greatly on the device and its operating system version. But at least as of 2018, it was clear that 4 and 6 digit pins were trivially broken by GrayKey devices. The exact current capabilities of this technology are not known, as far as I can tell, but I would simply assume that any pin less than 8 digits is insecure.
Biometric access methods are even worse. US Courts are still divided on the question of whether police can force unlock a device using biometrics. In 2019, a Northern California district judge ruled it illegal; more recently, however, a judge ruled in a January 6 Insurrection case that biometrics could be used to force the device open. Regardless, once a law enforcement officer has your device physically in their hands, there’s little you can do to stop them. At least one video shows a police officer pointing a phone at a handcuffed man’s face, presumably to unlock it.
That is to say, unless you strongly protect your phone by disabling biometrics and using a full-strength alphanumeric password, local storage may actually be the least secure way to store your menstrual cycle data.
There’s another angle to local storage, too, that I’ve already discussed: backups with iCloud or other syncs. Many iOS apps can store data in iCloud. Law enforcement authorities have leaned heavily on iCloud access to get data in the past, including iMessage data, and used that to prosecute drug traffickers and civil rights protestors. For newer iPhones, Apple claims to no longer be able to provide this data, but not everyone has a newer iPhone.
Moreover, backing up your device to iTunes or your PC, for instance to transfer photos, can create local copies of data on another device. You might not think about these backups when trying to delete your data. Moreover, it’s possible that the next time you connect your phone, the sync tool puts the data back on your phone. It’s annoying and hard to track down which backups contain what data, so the only guarantee here is to never sync your phone.
In short, local storage can be made extremely secure, but it’s very easy to accidentally turn your local storage situation into a cloud situation without even realizing it. Last but not least, choosing a local storage option for securing your data means it’s up to you to keep the device up-to-date and secure. If you lose the device, you lose access to the data. These risks have to be considered when choosing a solution.
The need for better data protection
If you made it past the many hundreds of words I’ve written on the particular benefits and drawbacks of various storage methods, then you might arrive at the conclusion that deleting data is hard. You’d be right. Because the United States has no federal data protection standard that applies to this kind of data, and has no federal legal right to be forgotten, what we’re left with is a bad situation where we either have to take the app developers at their word that they manage data securely, or we have to train millions of people on how to keep their devices secure and up-to-date. I’m going to be honest: I use a full-strength password for my phone, and it’s a huge pain in the ass. The battle for secure local storage is an uphill battle against the army of convenience.
It would be much more scalable and secure if infrastructure and security experts could protect the data. To do this, we need a strong data protection regulation that guarantees the right to be forgotten and provides for independent audit to give users peace of mind that data has been deleted. Much like deleting an app is no guarantee that locally-stored data is erased, deleting an account is no guarantee that your data is deleted along with your account. Your data almost surely lives on in the company’s databases. Period tracking data is only a minor threat in the risk of prosecuting abortion, but stronger guarantees that we could enforce the deletion of data would remove the personal burden of data security and improve global health outcomes for people with periods.
These fights are not new and not unique to period tracking. The period tracker outrage has underscored how little progress we’ve made in data protection regulation initiatives in the US overall. House Democrats, never missing the opportunity a good crisis presents, are working towards legislation to secure period data.
But why stop there? Period tracker data is not the only data police use to politically prosecute people. Why not work towards a stronger, general data protection regulation? After all, if we secure period tracker data, the police will simply look to facial recognition data or mood tracker data or fitness tracker instead. In fact, they already have. The fight for digital privacy rights is the same fight as the same for abortion rights. Closing the data protection regulatory gap would not only protect people seeking abortions now, it will also help keep people safe in the next fight, whether its for the right to birth control access, trans healthcare, or consensual sex between adults. The time is now to solve the right problems.