
Menstruation Apps Are Sharing Users' Data - 0xmohit
https://www.privacyinternational.org/long-read/3196/no-bodys-business-mine-how-menstruation-apps-are-sharing-your-data
======
bound008
For those bringing up HIPAA I hate to let you know that none of these apps are
covered by HIPAA, and none of them can be fined under HIPAA.

If your friend tells you they have a disease, and you tell someone else, are
you breaking HIPAA? No.

In order to break HIPAA you have to first be a covered entity. An example of a
covered entity is a Doctor (or provider).

If you tell Google or Facebook that you have some kind of condition, that
information is not covered by HIPAA because they are not a medical provider,
and therefore have no legal obligation to keep that information private.

~~~
baddox
That's interesting. When I was in college I worked tech support for the
residence halls, and we went through what I remember to be a short HIPAA
compliance program in case we encountered any medical information while
servicing another student's computer. Perhaps that was just a (reasonable)
precautionary policy of the university rather than a strict legal requirement
under HIPAA. Or perhaps I'm simply misremembering, and it was some other
compliance program other than HIPAA.

~~~
godelski
If you're servicing a computer that person isn't exactly sharing that
information with you. Well, probably not intentionally.

~~~
jstarfish
Doesn't always matter. Some states even impose mandatory reporting
requirements on computer technicians (at least as far as victimization of
minors is concerned).

------
matahwoosh
Very recently there was a flurry of articles about Apple copying popular apps,
among them woman health apps [1]. Although they were not wrong to voice their
concerns about Apple, it's hard to cheer for the app makers when you later
find out they don't exactly value your privacy and are not upfront with you,
as a user, about that.

[1] washingtonpost.com/technology/2019/09/05/how-apple-uses-its-app-store-copy-best-ideas

EDIT: language

~~~
leppr
Amazing that the monopoly taking a 30% cut doesn't feel like it has to resort
to selling user data. I wonder if app makers on a free and transparent
platform would act more ethically?

~~~
stochastic_monk
You mean turn down free money by being less evil? Somehow I don't expect this
to be the case.

~~~
52-6F-62
Reminds me of the old "if I wasn't taxed then I could give to charity!"

------
autoexec
People should really just assume every scrap of data they input into their
phones is being sent to at least one company who will happily sell it to
anyone who asks. Never use your phone for anything you wouldn't be happy with
being publicly known and associated with you forever.

That's not what our devices _should_ be, but that's the reality we live in.
These devices aren't for us, they are to enable other companies to use us.

~~~
saagarjha
> People should really just assume every scrap of data they input into their
> phones is being sent to at least one company who will happily sell it to
> anyone who asks.

There are a number of apps that don’t let this information leave your device
at all, or end-to-end encrypt it. You just have to find them.

~~~
grecy
Just wait till someone with very deep pockets buys them.

i.e. WhatsApp

~~~
cameronbrown
WhatsApp isn't compromised though, regardless of its parent entity. They'd
rather have the user base not generating data for anyone than an independent
WhatsApp.

~~~
beagle3
Facebook has, in fact, used WhatsApp data to improve the Facebook connectivity
graph. They haven’t messed with the actual message texts. Yet.

------
api
I assume that virtually all mobile apps are sharing your data. That's the
entire business model of mobile: offer a "free" service as a pretext to get an
app onto the phone and then spy on the user as much as possible.

It's part of why I avoid apps whenever possible. I only install an app if it's
a service I really need and there is no other way to use it, e.g. via the web.
Web sites can still track but they can't suck location data, sensor data, etc.

------
michelinman
Back in 1988 I wrote a holiday/sick calendar app with basic reporting. The
first thing management in EVERY department did was predict the sick days. I
found that out 5 years after I had left.

~~~
copperx
How did they predict sick days? A statistical model?

------
mirimir
What ever happened to the idea of local storage? And yeah, I know, income.
This is one reason I hate smartphones and apps.

~~~
MBCook
That’s how Apple Health works, and it will gain this feature in a week or so.

------
LeoNatan25
There was an article about how Apple was killing third party menstruation apps
with iOS 13 because it is now built into the health app. This is why you want
the OS to do it, rather than “start” “up” crapwares that sell data.

~~~
WA
I agree. Especially all the menstrual health apps seem to be insane data
grabbers. This should be something that belongs to a trusted company.

However, the cycle tracking capabilities of iOS 13 are fine as a replacement
for simple menstrual cycle trackers, but it's too simple to replace more
sophisticated cycle trackers that also allow tracking of more body signals such
as the temperature.

------
MBCook
iOS 13 will be out in a week or so with this feature built in. Hopefully that
will put an end to at least some of this shady market.

------
ragerino
I got myself a connected electric toothbrush and body balance.

After I found out that tracking the weight and my tooth brushing habits only
works if I share the data with a central server, I now basically have a
regular electric toothbrush and body balance.

~~~
jobigoud
Not only do you have to sync it through their server, but you probably also need
to go through their specific app or website to read the data back. And
sometimes they don't even have a way to download the historical records if you
want to archive them or process them yourself.

I find tracking weight still invaluable so I get along with it but was also
disappointed to learn I needed to send everything their way.

I wonder if it would be possible/legal to intercept the requests from the device
and route them to a local server implementing the same API endpoints.

------
microcolonel
What are the essential features in these applications, are they not working on
standardized methods? There's one on F-Droid which probably isn't selling your
period, so if they're mostly similar, maybe that's an option.

------
H8crilA
What are menstruation apps useful for? Is it a part of the "track everything
about your health" trend?

~~~
AWildC182
If there was EVER any doubt about the demographics of HN... Let this be a
lesson to everyone that we work and live in a massive bubble.

~~~
cocoa19
Why don't you explain to him rather than demonizing him in front of the whole HN
audience? Treat others as you'd like to be treated.

~~~
AWildC182
Plenty of other people already explained. I decided to leverage this as a
teaching moment.

~~~
H8crilA
Thank you for the kind lesson. I genuinely didn't know.

------
fortran77
Do they really need that photo? I find that to be in poor taste.

~~~
jedberg
A melting popsicle?

~~~
lucasmullens
It's alluding to menstrual bleeding. A delicious food looking like period
blood I think can fairly be described as "poor taste".

~~~
novia
Can we get over the menstruation stigma already? The article is about
menstruation tracking apps. You guys shouldn't be shocked by imagery alluding
to menstruation in such a context.

~~~
egdod
I'm over the stigma. But it's still a private bodily function, and I still
think it's in poor taste. It adds nothing to the article--it's just there for
shock value/entertainment.

Imagine if this were an article about... I dunno, an app that finds cheap
toilet paper near your zip code. Would it be laudable if it included a picture
of a smeary piece of melted chocolate?

~~~
novia
This isn't an app for locating menstrual supplies. It is an app for predicting
when your metaphorical popsicle will melt.

~~~
egdod
And?

------
chooseaname
Lead image is in pretty poor taste; so I was just told by a female.

Aside from that, what developer thinks, "Hmmm, I need to add analytics, let me
see what FaceBook has to offer?" Seriously?

~~~
yesbabyyes
An aside, but I see this a lot on HN:

> so I was just told by a female.

What does "female" connote (not a native speaker)? To me, and translated into
my language, it sounds like you're talking about a pet, a dog or some other
animal. "Oh, it's a female". Translating it to e.g. Swedish or French, it sounds
_really weird_, whereas the respective word for "woman" would sound normal.

Is it different in English, or is this more a quirk of this forum/certain
subcultures?

~~~
timthorn
No, it sounds weird in UK English too, unless as an adjective applied to a
larger ungendered group. E.g. "My female colleagues" sounds fine, as does "a
woman I work with".

~~~
yesbabyyes
Thanks, that's pretty much how I would express myself in English. In Swedish,
the words for "manly" and "womanly" ("manlig"/"kvinnlig") can be used for that
("my manly colleagues" would typically be understood as the men among my
colleagues, rather than the most bearded/musky/etc among them).

Now let's hear from a US English native!

~~~
mtrower
U.S. English native.

This ("a female") sounds just fine to me. My friends or I might talk this way
amongst ourselves (and no, I'm not talking about an all-male, socially
maladjusted circle of friends).

It's not what you'd call 100% standard mainstream English, but it's not so far
outside the norm that I'd think twice about it either. While it's probably not
how I'd teach a non-native to speak, I definitely wouldn't read anything into
its use here, either.

Chalk it up to subculture, I suppose, as suggested earlier.

------
triggercut
"You are being shown this ad because: - assumptions made probably by men"

------
aguzzi94
Bad news for the soy boys!

------
OrgNet
who's horny

~~~
dang
Please don't do this here.

------
swiley
_ALL_ the apps are sharing your data.

If it didn't come from F-Droid or you can't compile it yourself you absolutely
can't trust it. (Even then you still need to be very careful; just look at
what goes on in npm.)

A good number of closed source apps are pathological attacks on both your OS
and the public mind; using them is definitely one of the less responsible
things you can do.

------
HarryHirsch
What happened to the idea of paper? There are no concerns about privacy, and
data are easily exported via photocopy.

~~~
skyyler
Paper gets wet.

Some critters like to eat paper.

Paper burns.

Paper has weight.

Paper has volume.

If you leave your papers at home, you can't easily access them by logging in
on someone else's papers.

Photocopying seems analogous to copying files at first, but consider the costs
of photocopying something. In addition to the expensive machine, you need
paper and toner...

~~~
cameronbrown
> Paper burns.

It shreds too. This is a feature.

~~~
yjftsjthsd-h
And bits can be zeroed just as much as paper can shred.

~~~
cameronbrown
Bits are a hell of a lot more fickle. I can't ever know for sure what will
happen to my data that thousands of companies have harvested online about me,
even if I ask every one of them to delete it all.

I can't have machine learning algorithms run on my paper to target me ads,
either.

------
RcouF1uZ4gsC
From [https://compliancy-group.com/hipaa-fines-directory-year/](https://compliancy-group.com/hipaa-fines-directory-year/)

"The federal fines for noncompliance are based on the level of perceived
negligence found within your organization at the time of the HIPAA violation.
These fines can range from $100 to $50,000 per violation (or per record), with
a maximum penalty of $1.5 million per year for each violation. View our HIPAA
fines chart below for the full HIPAA fines list."

And on the same page, according to the HIPAA Violation Penalty Tiers, the
fourth and worst tier is "The covered entity acted with willful neglect and
failed to make a timely correction".

I bet if these companies got sued for $50,000 per person using them who had
their data leaked to Facebook, it would get everyone's attention really
quickly.

~~~
pixelbath
When writing medical software, HIPAA was an ever-present monster forcing me to
consider all potential ways we'd be under a company-ending event. Once your
fine totals exceed $100,000, you're required to issue a press release
detailing how bad the damage is, in addition to the fines that stack for _each
violation_ (each patient's record would be considered one "violation").

I'm surprised any company keeping health information would be willing to sell
that data without extensive legal protection, whether or not that data is
protected explicitly under HIPAA. Seems to me like this should be treated like
any other PHI breach.

~~~
zik
What about those DNA companies that collect even more sensitive medical
information - your DNA - and then straight up sell it to companies who'll use
it against you (health insurance)? Why are these guys not facing billions in
fines and being dissolved for egregious violations?

Edit: It seems that none of these are HIPAA violations because these companies
aren't classified as medical organisations.

~~~
kube-system
They wouldn't be subject to HIPAA, but they would be subject to GINA.

[https://en.wikipedia.org/wiki/Genetic_Information_Nondiscrim...](https://en.wikipedia.org/wiki/Genetic_Information_Nondiscrimination_Act)

