Menu Close

Washington Post: A popular fertility app shared data without user consent, researchers say

Read the original article here.

By Tonya Riley

August 20, 2020 at 7:30 a.m. EDT

Fertility app Premom says it offers more than a half-million users a “simple, effective and affordable solution for all trying to conceive.”

The popular app, which consistently ranks among the top search results for fertility apps in both the Apple App and Google Play stores, asks users to upload details about their sexual health to receive personalized, remote analysis to help predict how to get pregnant.

But Premom’s app for Android was also collecting a broad swath of data about its users and sharing it without their permission with three Chinese companies focused on advertising, according to research the International Digital Accountability Council provided to The Washington Post. IDAC, a nonprofit that monitors and works with apps and developers to protect consumer privacy, sent letters on Aug. 6 to the Federal Trade Commission and the attorney general of Illinois, where Premom is headquartered, alleging the data-sharing was deceptive and potentially ran afoul of federal and state law.AD

While many apps use third parties to collect analytics or target ads, IDAC researchers say Premom users had no way of opting out of this tracking by both the app and the third parties that received their data, which IDAC contends was a violation of Google’s rules.

“There’s pretty extensive and sensitive data collection going on here with respect to a large number of users who don’t have any reason to know about this data collection,” said Quentin Palfrey, president of IDAC, which launched in April after incubating for more than a year with the Future of Privacy Forum.

“It’s particularly concerning when we see this behavior with respect to an app that’s targeted at women trying to become pregnant,” Palfrey said, though there’s no evidence the app is transmitting health data to third parties. Premom has the ability to track users’ location, log which other apps they have installed, and collect unique identifiers from people’s devices that could allow other companies to trace their activity across other websites, the researchers found.

When The Post reached out to Premom for a response to the researchers’ findings, the company said it would stop sharing data with Jiguang, one of the Chinese companies researchers flagged. Premom, in its Aug. 6 reply, said it was “in the process of removing” Jiguang. The app was updated one day later, according to the Google Play Store. Premom then confirmed that the third-party company’s access was revoked, a statement supported by IDAC researchers who said they no longer saw evidence of transmissions from the app to the company.

Premom “prioritizes the safety of its users’ data above all, and is constantly evaluating its policies, procedures, and use of third-party tools to ensure the application is compliant with global data privacy laws,” its legal counsel and spokeswoman Desiree Moore said in an email. “Premom is also committed to limiting its use of any analytical or other tools provided by third parties that do not comport with Premom’s internal privacy standards and practices, and as information evolves.”

IDAC researchers also provided The Post with what they said were transmissions showing Premom was sharing similar data with two other Chinese companies, Umeng and UMSNS. Premom said it “does not currently use” either company and did not reply to requests for comment on researchers’ data showing the sharing took place until June 19, in a previous version of the app.

Researchers say potentially tens of thousands of users who have yet to update the app could still be sharing data without their knowledge.

Google temporarily removed Premom from its Play Store on Aug. 6, after an inquiry from The Post. The app was back online the next day. Google spokesperson Scott Westover said the app violated its policies but declined to elaborate on how or whether any changes were made to allow the app to go back up. Premom said the removal was not related to the allegations made by IDAC.

Premom isn’t the first fertility-related app to draw scrutiny from privacy experts. An analysis by Consumer Reports earlier this year found that five top pregnancy apps shared app data with advertisers. Privacy experts have also raised concerns about Ovia, a pregnancy-tracking app that shares users’ data with their employers and insurers.

In this case, IDAC researchers also expressed concerns that Jiguang masked the data it sent back to its servers through a layer of custom encryption not common in most apps. This makes it difficult for researchers to track. TikTok used a similar obfuscation technique up until November, according to a recent report from the Wall Street Journal.

“The techniques are the ones you see with malware,” Serge Egelman, research director of the Usable Security & Privacy Group at the International Computer Science Institute at the University of California at Berkeley, said of Jiguang’s data collection. Egelman is also chief technology officer at App Census, which partnered with IDAC on the study, though he was not personally involved.

“The data that we collect is strictly limited to what we need to provide the service and functionality as requested by developers,” a spokesperson for Jiguang said in a statement. “Such data collection is 100% in compliance with Chinese laws and regulations and also in compliance with Apple App store and Google Play store data collection rules and regulations. The data we capture is 100% transparent to developers through our developer service agreement.”

Premom’s privacy policy does mention sharing some data with AppsFlyer and Google Analytics, which may send that data to partners such as Pinterest, Facebook and Google. But IDAC researchers say that by explicitly calling the information they share “nonidentifiable,” the company is misleading users about how the kind of data they’re giving away can be used to track them across the Web and build valuable profiles to target them with ads.

“We believe there are material differences between what Premom states in its privacy policies and what our technical tests reveal,” IDAC said in its letters.

IDAC found that Premom tracked and shared IP and “media access control” addresses with all three Chinese companies. The MAC address are unique numbers assigned to devices that can’t be reset, making them useful for advertisers and analytics firms as they build profiles of consumer behavior. The FTC defines both as personal information under its Children’s Online Privacy Protection Act rules, though U.S. state laws are inconsistent.

“We hope that Premom has — or will — take immediate steps to address all the concerns IDAC raised in its letters,” Palfrey said. “Additionally, we hope that the FTC and the Illinois AG will look into our findings to determine if any further steps are necessary to prevent future misconduct, or to protect or compensate users who may have been harmed by Premom’s actions to date.”

The FTC declined to comment. The Illinois Attorney General’s Office said it was reviewing the letter.

Unlike some of its fertility app rivals, Premom isn’t backed by venture capitalist funding, and it wasn’t spun out of a Silicon Valley incubator. The app, which launched in 2017, is owned by Easy Healthcare Corp., an Illinois-based medical supplies e-commerce company. It offers users a way to upload pictures of their ovulation test strips, which Easy Healthcare also makes. The strips have more than 14,000 reviews on Amazon and are ranked a No. 1 best seller under “Ovulation Tests” on Amazon. The app offers a “pregnancy guarantee” that if users don’t get pregnant within nine menstrual cycles, the company will refund them for their purchases and provide them a free consultation.

Easy Healthcare’s testing strips encourage customers to download the free Premom app to supplement their fertility tracking. Conversely, users of the app are encouraged to buy the brand’s test strips.

The Post spoke to five Premom users about their understanding of the app’s privacy policies and data collection. While the users said they expected Premom was collecting some data in exchange for a free service, they were surprised by the description of IDAC’s findings.

“It concerns me that I don’t know exactly what they’re sending,” said Anna, a 33-year-old from Southern California who, like others, spoke on the condition that her full name not be used to maintain medical privacy, in response to IDAC’s findings shared with her by The Post. “I think all apps should make it clearer.” Anna decided to delete the app.

Privacy and security experts say that while allowing third-party users to access an app’s data has become an industry norm, companies expose users to a host of potential dangers. For instance, they may not know if a third-party company used by one of their apps has been breached and thus if their data has been compromised.

Jiguang uses mobile data provided by developers for targeted advertising and “AI and machine learning capabilities,” according to a 2018 filing with the Securities and Exchange Commission. Jiguang primarily focuses on serving Chinese developers but its software is available to clients around the world, the company says.

The sharing of U.S. user data with Chinese companies could also draw scrutiny from federal lawmakers who have raised concerns about the use of Chinese technology in the United States. The State Department recently urged American companies to ban the download of “untrusted” Chinese-owned apps such as TikTok and WeChat in light of concerns they could be compelled under Chinese law to share American user data with the Chinese government. TikTok, which President Trump is seeking to ban in the United States for national security reasons, has repeatedly denied that the Chinese government has demanded information about U.S. consumers and said it would not comply if asked.

When it comes to Premom, some users felt that deleting the app over privacy concerns wasn’t worth setting back their efforts to conceive. “You put all your data into it for months, you’re kind of stuck with it,” said Rachel, 28, another user. “I want that data to be there for my doctor.”