> This is one of the most egregious abuses of privacy imagineable.
For people who haven't used these kinds of apps, Flo includes day-by-day tracking of:
- sex and sex drive
- didn't have sex
- protected sex
- unprotected sex
- high sex drive
- obsessive thoughts
- very self-critical
- symptoms (cramps, tender breasts, acne, many more)
- vaginal discharge (none, spotting, sticky, eggwhite, etc, "unusual")
- other (travel, stress, disease/injury, alcohol)
There's a ridiculous amount of potential here for just purely creepy oversharing of information that a woman might presume is safe to enter into an app.
There's also a lot of things here that are maybe legally dangerous to be disclosing outside of a doctor-patient context (the last several "mood" items).
It's worth pointing out that traditional data brokers are able to track menstrual cycles based on purchase activity. Nobody can opt out of this and it's been going on for a few decades. It can be used for ad targeting by presenting the target with the optimal content for each week.
You run a 28 day autocorrelation and see what pops out. Start with the obvious purchases then artificially synchronize the purchase history of a group of women to be on the same phase and run another autocorrelation on their aggregate purchases to get the non-obvious signal.
Hmm, I'm not sure–all the women I know buy massive packs from Costco because it's something that they might as well buy in bulk and save money on. I didn't think of medicine, though–you're probably right about that.
To spoil an important point of the article: They had a personalized Target account and the daughter had been openly buying pregnancy related products for weeks, her father was the only one not aware of it.
It shows how this could be done for cycle analytics as well...If I remember the target case correctly it was not the buying of a pregnancy test, but general products like more body lotion etc. Things that correlate to the symptoms of the hormons present.
This is freaky, with this data and a rough identity (ads wise) you could literally AB test what ads / suggestive content affects someone's mood and relationship. How bone headed do you have to be to actually ask "what could someone do with this info, seems innocuous to me"?
The FTC brings privacy cases under its 'unfair and deceptive acts or practices in commerce' prohibition, which does not provide it the legal basis to impose civil penalties. There are possibly other things it could have required (the recent Ever case requiring deletion is a good example), but it is currently constrained on what it can force for a first violation. The two Democratic FTC Commissioners issued a useful statement on what else they would have required: https://www.ftc.gov/system/files/documents/public_statements...
I don't see how it's worse than the ubiquitous data brokers built into our society like the private credit bureaus that charge you to access your own data which has a de facto green light from us and our government.
It would be inconsistent to punish this little app severely when we don't care about much more egregious violations. It's tragic that we're only able to care about small things that fit into our tiny laser beam of public outrage.
I do get with the frustration, but with the current state of US (federal) laws it is probably the best remedy available now (unlike GDPR where you can really go and score larger fines and even jail time if it is grossly negligent or intentional).
Anything on f-droid is going to be good. Last time this story came up I saw a comment saying there was two prominent apps there.
It's scary how many people don't immediately go for the open source alternative before checking the Google play store. Most people publishing on f-droid use their real name, have verifiable open source activity, have a professional reputation to maintain and have their apps open to world to be scrutinised.
Checking F-Droid should be your first choice everytime.
Android SDKs themselves can be leaky and are incredibly widespread, this is a clear flaw in mobile appsec and not that well known.
That said basically everything benefits from the sun shining in on it. F-Droid alerts you to anything dodgy under the hood, has reproducible builds and in general has none of the complete shitshow that is playstore.
In my 5EYES country Google's playstore has to secretly insert malware if the government wants it and there's no way for the end user to tell if that's the case.
Tell me a common use for a mobile app and we can compare what is available on both play store and f-droid.
I’m more pointing out how it’s not a silver bullet (and how a silver bullet for app privacy doesn’t exist); nothing is perfect and f-droid is no exception, even if it is better than Play Store. Nothing is stopping an app from uploading user data for a good purpose then selling it to third parties.
“ FertilityFriend.com is fully funded by its VIP service fees and has been so since we started. It does not rely on any type of data trading for any of its funding or any other purpose. In other words, you are not the product. Clear and straightforward, our charting service is what we sell and nothing else.”
They also have a more data driven approach to fertility than most other sources.
I'm curious if anyone has insight into the value of this kind of data.
I work with alternative data for investors, mostly consumer spend behavior - things like point of sale transactions and online cart contents. These have value in that you can correlate panel behaviors with a company's revenue or identify trends in the market.
But, for data like ovulation schedules or events like pregnancy, it seems that it's a lot of work (and based on the FTC ethically questionable) to see one-off events or target specific consumers a small set of products.
I must be looking at the available opportunities with some kind of blind spot, because I don't get why companies would pay for this sort of data.
Are you kidding? As far as I know, there is no greater event generally in a persons life when their purchasing habits and lifestyle change, and they are looking for new brands, than pregnancy.
Not only just for the huge amount of money people will spend on baby stuff, sorting out cribs, but then eighteen years perfectly time-able marketing for birthdays, different stages of development, loans, different cars, houses, college loans, It is probably the most valuable single even about someone from an advertising perspective and whoever can get in first is out to make bank.
How valuable do you think it to build relationship with, track the preferences of, and pick a the perfect adverts and products to show a person who has purchasing power for someone for eighteen solid years? With 100% certainty of what they are going to need unless something tragic happens.
Also knowing that based on the socioeconomic status whether they will be pressed for time and desperate for discounts, or be flush enough that they can afford to give their sprogg the most expensive things they will grow out of.
I was not kidding. I guess I didn't realize they were selling data with PII, which is shocking. I'm actually surprised Google and Facebook were taking in other-party data that wasn't aggregated, just due to the privacy and perception concerns.
That said, it still seems like a vector that's really problematic compared to gain. My personal anecdote is that my kids both only used Pampers Swaddlers diapers, simply because that's what the hospital gave us as we left - that is what I would see as a brilliant marketing partnership for P&G without risks of invasive perceptions.
There's a lot of value in knowing about a pregnancy -- in the months leading up to a baby, you're spending a ton of money getting ready for the baby or on constantly buying new clothes for mom as the pregnancy moves along. Once the baby comes, you have a good chance for capturing a repeat customer on a bunch of baby-related items (diapers, wipes, etc).
Also, if you’ve ever known someone who’s a new parent; the sheer volume of “welcome packages”, pamphlets, flyers, coupons, and free samples is staggering and clearly indicates (to me at least) that the customer value is uncommonly high.
Oh god, that. When my wife gave birth, she received a "care package" that was just a box with few small items (water and some cosmetics testers, IIRC) and half a kilogram of flyers. I honestly was floored, and my deep hatred for the advertising industry had reached a new level. And then I noticed that the child health book they gave us - an official medical document that we'll be carrying for the next two decades - had multiple full-page ads in it. Because of course it did.
Did I said it already that advertising is a cancer on modern society?
At a minimum the last few on the mood list (depressed obsessive thoughts, apathetic, very self-critical) seem like great indicators of when someone might be the most receptive to advertising for SSRIs.
The fact that you can advertise these things at all is kind of shocking to me. I’d expect psychiatric drugs to be prescribed by a psychiatrist on their medicinal merits rather than purchased on an advertising-driven whim.
Oh, I mean there's all manner of conflict-of-interest, perverse-incentive type stuff going on there - you kind of expect that (sadly) in big business - but it's another whole level of dodginess marketing prescription pharmaceuticals directly to laypeople. It seems only one step above roaming the streets giving out "free samples" wrapped in twists of aluminium foil.
Facebook and Google do not pay for this data. Flo sends it to them for free, because it improves the performance/ROI of Flo's marketing.
Facebook and Google have no semantic understanding of this data, so it does not have inherent value to them in terms of creating configurable targeting segments. These are arbitrary data points sent by the app, and they might as well be labeled "A", "B", "C", and "D" rather than their sensitive names.
Flo can optimize their ads towards occurrences of event "A" or they can run ads towards "people who have triggered event B in the last week but not event C", but this doesn't offer specific value to other advertisers or FB/G themselves.
That said, when all of this is put into an ML black box, you never know how data points may be correlated. Maybe the system learns that people who trigger event "D" also end up buying baby clothes. That could lead to observable ad patterns, even if no one can explicitly tie event "D" to pregnancy.
> I don't get why companies would pay for this sort of data.
Knowing when someone is pregnant or trying to get pregnant seem like premium moments. Lots of money in fertility treatments and related services. Lots more money in maternity products and new baby products.
Having done a lot of research myself, there's a ton of folksy "tricks" online but precious little real research information available. A lot of the "tips" boil down to "be young and healthy" and "don't be old and unhealthy."
I've read some peer reviewed research as well but most of that is focused on outcomes and genetic testing of IVF embryos rather than natural fertilization. I get the impression that fertility isn't something that's well-studied outside of really generic health indicators like weight and age. And a lot of fertility information seems to focus on ages 20 to 35. They seem to assume that after that age you've given up on starting a family or that you already have one.
It is not because you are pregnant or because there is a baby on the way. It is because, during this time in a woman’s life she is very open for changes in her daily routines. Everything is interesting: from breakfast brands to shampoo brands, type and brand of car, even housing.
Skimmed the complaint. Seems like they got in hot water for deceptive disclaimers and not committing to the tenants of the privacy shield. Had their TOS said "we may disclose your data to advertisers" in small font and not voluntarily entered into the EU-U.S. Privacy Shield they would be okay.