Should You Use This Encrypted Period Tracking App?

Should You Use This Encrypted Period Tracking App?
Screenshot: Lucas Ropek/Stardust

A period-tracking company proclaimed last week that it was dedicated to protecting women’s data rather than sharing it with cops in a post-Roe v Wade world. Stardust, a woman-owned period-tracking app, announced that it would be the first company of its kind to roll out end-to-end encryption. E2E limits data’s visibility to only the user, keeping personal information safe — and is widely considered on of the best privacy protections on the web. Stardust founder and CEO, Rachel Moranis, announced the plans in a video on the app’s TikTok account on Friday, claiming the change had already been in the works prior to Roe’s overturning. “What this means is that if we get subpoenaed by the government, we will not be able to hand over any of your period tracking data,” she said.

Stardust didn’t stop there, though. In a series of tweets, the company went on to state that it hopes to implement a host of new privacy protections, including a way for users to “completely opt out of providing any personal identifiable information (no account generation) and use the app fully anonymously, as well as full local data storage.” Following the announcements, Stardust saw a huge surge in interest — becoming the second most downloaded app in the U.S., as of Saturday.

Then the company had to do some cleanup. It wiped any mention of end-to-end encryption from its website. It admitted to — and pledged to stop — sharing data with at least one third-party marketing firm. And it changed its privacy policy to remove language about providing info to cops without any warrant.

The Supreme Court’s recent decision to overturn Roe v. Wade and end nearly half a century of constitutional abortion rights in America has already begun to bear ugly results. In a bevy of states, draconian “trigger” laws have materialised, effectively criminalizing most if not all instances of the medical procedure — and more laws are expected in the coming weeks. In this brave new world, civil liberties advocates have expressed concern for the ways in which women’s data could be used by law enforcement to monitor for digital evidence of pregnancies. Critics have worried about the data on period tracking apps in particular, which they say could be used to prosecute women who have sought abortions via data on pregnancies that end.

As with anything that sounds potentially too good to be true, critics were quick to point out some problematic elements of Stardust’s plans. Questions have swirled about whether the company’s new privacy measures will be as effective as they sound. Other critics have wondered whether, in this day and age, it even makes sense to use a period tracking app at all. It’s a good question — and worth considering given what’s at stake right now.

“If they want to survive, all of these period tracker apps out there need to really get their house in order and be building up user trust,” said Riana Pfefferkorn, a scholar at the Stanford Internet Observatory.

End to End Encryption?

Probably the most problematic thing about Stardust’s claims is that they seem to have changed over time. TechCrunch reported Monday that what the company was offering didn’t really sound like ironclad end-to-end encryption. The outlet wrote:

Stardust founder [Rachel] Moranis told TechCrunch that “all traffic to our servers is through standard SSL (hosted on AWS) and subsequent data storage on AWS RDS utilising their built-in AES-256 encryption implementation.” Although this describes the use of encryption to protect data while in transit and while it’s stored on Amazon’s servers, it’s not clear if this implementation would be considered true end-to-end encryption.

Following the interview with TechCrunch, Stardust apparently scrubbed its website of any mentioning of “end-to-end encryption,” essentially watering down what it had originally offered to users.

Even more problematically, further analysis of the company’s platform appeared to reveal that the firm was occasionally sharing individual users’ phone numbers with a third-party analytics firm called MixPanel. This kind of information sharing could quite easily lead to the identification of individual users — which is something the company has promised not to allow. After being confronted with this issue, Moranis told TechCrunch that the “current (old) version of Stardust leverages several data collection mechanisms of Mixpanel that we have disabled/removed in the new version. In addition to not sending [personally identifiable information] to Mixpanel, we have also disabled IP tracking for our users to protect from that metadata being used to identify our users.”

Meanwhile, Vice News was quick to point out that Stardust’s privacy policy left something to be desired. In a story published Monday, the news outlet pointed out that the app’s policy acknowledged that it would share information with police “whether or not legally required.” The policy clarifies that Stardust may…

…share aggregated, anonymised or de-identified, encrypted information, which cannot reasonably be used to identify you, including with our partners or research institutions.

When reached for comment by Gizmodo, a company spokesperson said that Vice’s story was based on an “outdated” privacy policy. A visit to Stardust’s website on Monday revealed that the language in its privacy policy had been changed. The spokesperson also provided us with a statement from Moranis, Stardust’s Founder and CEO, who again reiterated that the new feature was designed to avoid a digital subpoena.

“With the update set to go live…Wednesday, June 29th on all iOS devices and Android, user’s login information will not be associated with their cycle tracking data, and therefore their data will not be a subpoena risk,” she said.

We also asked for better information about the app’s plans for encryption, but have not heard back yet. We will update this story if we get a response.

It’s no surprise that companies like Stardust are now seeking to implement new privacy protections. In fact, such protections might be something of an industry imperative for period trackers, given the full-blown panic about digital health data that now exists after Roe.

In a Post-Roe World, Encryption is Always a Good Idea

Stanford’s Pfefferkorn said that, when properly applied, encryption could be used to protect against the harsh laws currently being passed across the country.

“The Dobbs decision [which overturned Roe] underscores the importance of adding strong encryption, by default, wherever it doesn’t currently exist already,” Pfefferkorn told Gizmodo. She added that companies like Stardust are “suddenly under a lot of scrutiny” and that their business model is under threat from the public panic spurred by the recent Supreme Court decision. She said, “That means being more transparent about the kinds of data that the apps collect and instituting better protections to prevent the data from falling into the wrong hands.

Pfefferkorn also recommended that women invest in existing privacy applications. One of the simplest ways to protect your online communications is to use an encrypted chat platform. For that, one of the best options is to download Signal, a chat app that offers true end-to-end encryption. It’s free, easy to use, and should ensure that your conversations stay private. That might be the best place to start.