Period tracking app Flo released an “Anonymous Mode” on Wednesday, which lets people use the app without linking their data to their name, email address, or IP address.

The new feature — which the company says it hopes will set a new standard for privacy protections in health apps — is a direct response to privacy concerns stemming from the overturn of Roe v. Wade in June. Following the ruling, reproductive justice advocates raised the alarm over the possible use of the sensitive data collected by period tracking apps in prosecuting abortion seekers.

“The world is not designed for privacy,” said Roman Bugaev, chief technology officer at Flo, in an interview with The Verge. “We need to rethink all of the internet with this in mind.” 

“The world is not designed for privacy”

In the aftermath of the US Supreme Court decision to end federal protection for abortion, period tracking apps like Flo came under particular scrutiny as users worried that the data trail from those apps could be used against people suspected of having an abortion. Experts say this kind of data request is not the main way law enforcement is likely to pursue cases, but the result was still a new sensitivity toward data collection for any product related to reproductive health. When the decision leaked in early May, most cycle tracking apps said that they did not plan to make changes to their policies. 

Period and cycle tracking apps tend not to have great privacy protections, and Flo, which has around 40 million monthly users, has stumbled publicly in its handling of user data. Last year, it settled with the Federal Trade Commission over allegations that it shared health information with outside companies after promising users it would keep data private. 

The team learned a lot about the importance of privacy and user trust through that process, Bugaev says. “That’s why we decided to double down on this.”

After the leak of the draft opinion revealing that the Supreme Court was planning to overturn Roe v. Wade, Flo started having conversations with users who said they were worried about using cycle trackers that linked their identity to their data. “They were worried about the implications of continuing to use period tracking apps like Flo,” Cath Everett, vice president of product at Flo, told The Verge. “So we knew that we had a user problem and a real issue that they wanted us to solve.”

A screenshot of the Anonymous Mode feature reading “Anonymous Mode active” and with an option to request account deletion. A screenshot of the Anonymous Mode feature reading “Anonymous Mode active” and with an option to request account deletion.

Flo

The actual decision was released in late June. Since then, 12 states have banned most abortions, and bans are working their way through the courts in others. Conversely, some states like Rhode Island and Connecticut have put new protections around abortion rights in place. 

Flo fast-tracked development of the anonymous feature when Roe v. Wade was officially overturned. But solving the issue was not as simple as just deleting users’ contact information and other account details. The strength of an app like Flo is in the insights it can give to a user by finding patterns in many different data points, and sending that data over the internet from a phone to Flo’s cloud servers would normally leave many identifying pieces of metadata, like IP address logs, that would tie information back to specific users.

To remove this potentially identifying information, Flo worked with web infrastructure company Cloudflare to implement an emerging web standard known as “Oblivious HTTP.” As described in Flo’s whitepaper, Oblivious HTTP separates data content from IP address information by using a relay service to transfer encrypted data between an app user and Flo’s servers. Essentially, the relay will know where the data request is coming from but not what it contains, and Flo can see what the data contains but won’t know where it comes from.

“The beauty of Anonymous Mode is that it makes it possible for users to still have the personalized experience and the insight based on the data that they’re providing but, at the end of the day, that that data cannot be tracked back to them,” Everett says. 

Because of the nature of the Anonymous Mode, the team won’t be able to see exactly how many people activate the feature, Bugaev says. But they’ll be able to get a general high-level estimate, and they’re expecting it to be in the millions. 

The Anonymous Mode may not be for everyone, Everett says — Flo users who chose it will lose some features. They’re not able to use the paid version of the app, which includes video courses and chats with the Flo Health Assistant. They can’t connect with a wearable device. They also can’t transfer information to a new phone if theirs is broken or stolen. The team wanted to include as much functionality as possible but had to make some tradeoffs because of the challenges in building a truly anonymous product, Bugaev says. 

The team at Flo says it hopes the mode inspires other groups to build similar systems that also put anonymity at the forefront. “I think we should work together on some of these issues,” Bugaev says. “It’s very hard to move the whole industry along.” 

Source link