• ndiscussion 114 days ago
    To quote a dead comment:

    "Am I missing something, or are they really being let off with less than a slap on the wrist, and no fines? Not really sending a great message here, FTC."

    Agreed. This is one of the most egregious abuses of privacy imaginable.

    • philsnow 114 days ago
      > This is one of the most egregious abuses of privacy imaginable.

      For people who haven't used these kinds of apps, Flo includes day-by-day tracking of:

        - sex and sex drive
          - didn't have sex
          - protected sex
          - unprotected sex
          - high sex drive
          - masturbation
        - mood: 
          - calm
          - happy
          - [...]
          - sad
          - depressed
          - obsessive thoughts 
          - apathetic
          - very self-critical
        - symptoms (cramps, tender breasts, acne, many more)
        - vaginal discharge (none, spotting, sticky, eggwhite, etc, "unusual")
        - other (travel, stress, disease/injury, alcohol)
      There's a ridiculous amount of potential here for just purely creepy oversharing of information that a woman might presume is safe to enter into an app.

      There's also a lot of things here that are maybe legally dangerous to be disclosing outside of a doctor-patient context (the last several "mood" items).

      This is abhorrent.

      • kevin_thibedeau 113 days ago
        It's worth pointing out that traditional data brokers are able to track menstrual cycles based on purchase activity. Nobody can opt out of this and it's been going on for a few decades. It can be used for ad targeting by presenting the target with the optimal content for each week.
        • SilasX 113 days ago
          Yes, there was this study about clothing purchase correlation:


          • saagarjha 113 days ago
            How does this work? Is it that women change their general purchase habits around that time, or that they buy specific products?
            • kevin_thibedeau 113 days ago
              You run a 28 day autocorrelation and see what pops out. Start with the obvious purchases then artificially synchronize the purchase history of a group of women to be on the same phase and run another autocorrelation on their aggregate purchases to get the non-obvious signal.
              • elliekelly 113 days ago
                I would imagine women who are buying menstrual products are very likely either about to begin their period or are in the midst of it. Also, things like Midol are probably strong indicators.
                • saagarjha 113 days ago
                  Hmm, I'm not sure–all the women I know buy massive packs from Costco because it's something that they might as well buy in bulk and save money on. I didn't think of medicine, though–you're probably right about that.
                  • viraptor 113 days ago
                    Painkillers and chocolate purchases should be slightly correlated.
              • A4ET8a8uTh0 113 days ago
                I did not hear about that one. It does sound interesting. Is there some sort of study discussing it you could link?
                • manicdee 113 days ago
                  For me the canonical example is this story in Forbes about a man who complained to Target about baby-product advertising directed at his teenage daughter.


                  • josefx 113 days ago
                    To spoil an important point of the article: They had a personalized Target account and the daughter had been openly buying pregnancy related products for weeks, her father was the only one not aware of it.
                • amptorn 113 days ago
                  Why is that worth pointing out?
                  • raae 112 days ago
                    It shows how this could be done for cycle analytics as well... If I remember the Target case correctly it was not the buying of a pregnancy test, but general products like more body lotion etc. Things that correlate to the symptoms of the hormones present.
                • koolk3ychain 113 days ago
                  This is freaky, with this data and a rough identity (ads wise) you could literally AB test what ads / suggestive content affects someone's mood and relationship. How boneheaded do you have to be to actually ask "what could someone do with this info, seems innocuous to me"?
                  • Ar-Curunir 113 days ago
                    Perhaps they didn’t think it was innocuous at all?
                • averysmallbird 114 days ago
                  The FTC brings privacy cases under its 'unfair and deceptive acts or practices in commerce' prohibition, which does not provide it the legal basis to impose civil penalties. There are possibly other things it could have required (the recent Ever case requiring deletion is a good example), but it is currently constrained on what it can force for a first violation. The two Democratic FTC Commissioners issued a useful statement on what else they would have required: https://www.ftc.gov/system/files/documents/public_statements...
                  • swebs 114 days ago
                    You can revive a dead comment if you feel it was unjustly killed. Just click the timestamp then click "vouch".
                    • ndiscussion 113 days ago
                      Thanks for this, I've heard of this option but assumed it was unavailable to my account.
                      • saagarjha 113 days ago
                        It's available to everyone with a fairly reasonable amount of karma (30, I think?)
                    • hombre_fatal 113 days ago
                      I don't see how it's worse than the ubiquitous data brokers built into our society like the private credit bureaus that charge you to access your own data which has a de facto green light from us and our government.

                      It would be inconsistent to punish this little app severely when we don't care about much more egregious violations. It's tragic that we're only able to care about small things that fit into our tiny laser beam of public outrage.

                      • zinekeller 114 days ago
                        I do get the frustration, but with the current state of US (federal) laws it is probably the best remedy available now (unlike GDPR where you can really go and score larger fines and even jail time if it is grossly negligent or intentional).
                        • gameswithgo 113 days ago
                          management could be jailed for fraud.

                          it is the usual thing where for the powerful we say “best we could do” but for the weak we find a way to get them in jail if we don’t like them

                          • trollski 113 days ago
                            i get the frustration.

                            no you don't

                        • MarkSweep 114 days ago
                          If anyone is looking for an alternative to Flo, as of iOS 13 the built-in Health app has similar functionality:


                          • mtlynch 113 days ago
                            I know of another one called POW! made by indie developer Benedicte Raae:


                            The data is all client-side encrypted, so she doesn't collect any sensitive user data that could be sold or abused.

                            I've never used it, but I think the privacy-first mission is cool.

                          • Darkphibre 113 days ago
                            Open inquiry: Anything out there recommended for Android or PC?
                            • BelenusMordred 113 days ago
                              Anything on f-droid is going to be good. Last time this story came up I saw a comment saying there were two prominent apps there.

                              It's scary how many people don't immediately go for the open source alternative before checking the Google Play store. Most people publishing on f-droid use their real name, have verifiable open source activity, have a professional reputation to maintain and have their apps open to the world to be scrutinised.

                              Checking F-Droid should be your first choice every time.

                              • judge2020 113 days ago
                                > Anything on f-droid is going to be good

                                I fail to see how an app being on F-Droid inherently means it’s going to be privacy-friendly.

                                • BelenusMordred 113 days ago
                                  Android SDKs themselves can be leaky and are incredibly widespread, this is a clear flaw in mobile appsec and not that well known.

                                  That said basically everything benefits from the sun shining in on it. F-Droid alerts you to anything dodgy under the hood, has reproducible builds[1] and in general has none of the complete shitshow that is playstore.

                                  In my 5EYES country Google's playstore has to secretly insert malware if the government wants it and there's no way for the end user to tell if that's the case.

                                  Tell me a common use for a mobile app and we can compare what is available on both play store and f-droid.

                                  [1] https://f-droid.org/en/docs/Reproducible_Builds/

                                  • judge2020 113 days ago
                                    I’m more pointing out how it’s not a silver bullet (and how a silver bullet for app privacy doesn’t exist); nothing is perfect and f-droid is no exception, even if it is better than Play Store. Nothing is stopping an app from uploading user data for a good purpose then selling it to third parties.
                                    • BelenusMordred 113 days ago
                                      > nothing is perfect and f-droid is no exception, even if it is better than Play Store

                                      Not wearing a seatbelt isn't perfect, and yet we all still do it :)

                                      • Ntrails 113 days ago
                                        > Not wearing a seatbelt isn't perfect, and yet we all still do it :)

                                        Provably false.

                              • smokey_the_bear 113 days ago
                                I recommend Fertility Friend. From their privacy policy:

                                “FertilityFriend.com is fully funded by its VIP service fees and has been so since we started. It does not rely on any type of data trading for any of its funding or any other purpose. In other words, you are not the product. Clear and straightforward, our charting service is what we sell and nothing else.”

                                They also have a more data driven approach to fertility than most other sources.

                                • jwlit 113 days ago
                                  For Android, there's Clue: https://helloclue.com/
                                  • zaq1 113 days ago
                                    I would recommend Drip, which is available on F-Droid. FOSS with very minimal permissions. I'd suggest checking it for trackers with ClassyShark (also on FD).


                                    Screenshots feature a modern looking UI.

                                  • bmvcant 113 days ago
                                    There is a secure app called garbage bin: Open the lid, firmly grasp your iPhone, place it over the bin, open your hand and drop it.

                                    Use pen and paper and the problem is solved.

                                    • yjftsjthsd-h 113 days ago
                                      No encryption, no backups, no on-device analysis (stats, charts), inconvenient to use: Not secure, not an app, not a good alternative.
                                      • etrabroline 113 days ago
                                        >not an app

                                        That foible stands out as humorous. Why does a solution to a problem need to be a smart phone app? lol

                                        Otherwise excellent points.

                                        • yjftsjthsd-h 113 days ago
                                          I was specifically responding to:

                                          > There is a secure app called garbage bin

                                          hence calling out that it isn't.

                                          (But sure, I actually am fine with non-app solutions when they're actually good)

                                  • Cd00d 114 days ago
                                    I'm curious if anyone has insight into the value of this kind of data.

                                    I work with alternative data for investors, mostly consumer spend behavior - things like point of sale transactions and online cart contents. These have value in that you can correlate panel behaviors with a company's revenue or identify trends in the market.

                                    But, for data like ovulation schedules or events like pregnancy, it seems that it's a lot of work (and based on the FTC ethically questionable) to see one-off events or target specific consumers with a small set of products.

                                    I must be looking at the available opportunities with some kind of blind spot, because I don't get why companies would pay for this sort of data.

                                    • antihero 114 days ago
                                      Are you kidding? As far as I know, there is no greater event generally in a person's life when their purchasing habits and lifestyle change, and they are looking for new brands, than pregnancy.

                                      Not only just for the huge amount of money people will spend on baby stuff, sorting out cribs, but then eighteen years of perfectly time-able marketing for birthdays, different stages of development, loans, different cars, houses, college loans. It is probably the most valuable single event about someone from an advertising perspective and whoever can get in first is out to make bank.

                                      How valuable do you think it is to build a relationship with, track the preferences of, and pick the perfect adverts and products to show a person who has purchasing power for someone for eighteen solid years? With 100% certainty of what they are going to need unless something tragic happens.

                                      Also knowing that based on the socioeconomic status whether they will be pressed for time and desperate for discounts, or be flush enough that they can afford to give their sprogg the most expensive things they will grow out of.

                                      • Cd00d 113 days ago
                                        I was not kidding. I guess I didn't realize they were selling data with PII, which is shocking. I'm actually surprised Google and Facebook were taking in other-party data that wasn't aggregated, just due to the privacy and perception concerns.

                                        That said, it still seems like a vector that's really problematic compared to gain. My personal anecdote is that my kids both only used Pampers Swaddlers diapers, simply because that's what the hospital gave us as we left - that is what I would see as a brilliant marketing partnership for P&G without risks of invasive perceptions.

                                      • ascagnel_ 114 days ago
                                        There's a lot of value in knowing about a pregnancy -- in the months leading up to a baby, you're spending a ton of money getting ready for the baby or on constantly buying new clothes for mom as the pregnancy moves along. Once the baby comes, you have a good chance for capturing a repeat customer on a bunch of baby-related items (diapers, wipes, etc).
                                        • joshspankit 114 days ago
                                          Also, if you’ve ever known someone who’s a new parent; the sheer volume of “welcome packages”, pamphlets, flyers, coupons, and free samples is staggering and clearly indicates (to me at least) that the customer value is uncommonly high.
                                          • erichurkman 113 days ago
                                            If you sell cribs, you likely only have 1 - 2 chances per couple's entire lives to sell a crib. Saturation and timing of ads are paramount.
                                            • TeMPOraL 113 days ago
                                              Oh god, that. When my wife gave birth, she received a "care package" that was just a box with a few small items (water and some cosmetics testers, IIRC) and half a kilogram of flyers. I honestly was floored, and my deep hatred for the advertising industry had reached a new level. And then I noticed that the child health book they gave us - an official medical document that we'll be carrying for the next two decades - had multiple full-page ads in it. Because of course it did.

                                              Did I say it already that advertising is a cancer on modern society?

                                          • tcoff91 114 days ago
                                            You should read this article about Target going to great lengths to figure out which customers were pregnant. https://www.nytimes.com/2012/02/19/magazine/shopping-habits....
                                            • jmholla 114 days ago
                                              Some companies' business is that one-off customer. Think of weddings and graduations. Entire businesses are formed around those too.
                                              • bumbada 113 days ago
                                                The value is enormous because women's hormones depend basically on the menstrual cycle and the modifications of that with things like the pill.

                                                People's behavior (women and men) depends a lot on hormones.

                                                With big big data you can identify lots of useful patterns of behavior and you could control those.

                                                • core-e 113 days ago
                                                  At a minimum the last few on the mood list (depressed, obsessive thoughts, apathetic, very self-critical) seem like great indicators of when someone might be the most receptive to advertising for SSRIs.
                                                  • taneq 113 days ago
                                                    The fact that you can advertise these things at all is kind of shocking to me. I’d expect psychiatric drugs to be prescribed by a psychiatrist on their medicinal merits rather than purchased on an advertising-driven whim.
                                                    • klyrs 113 days ago
                                                      Wait til you learn how they advertise drugs to your psychiatrist!


                                                      • taneq 113 days ago
                                                        Oh, I mean there's all manner of conflict-of-interest, perverse-incentive type stuff going on there - you kind of expect that (sadly) in big business - but it's another whole level of dodginess marketing prescription pharmaceuticals directly to laypeople. It seems only one step above roaming the streets giving out "free samples" wrapped in twists of aluminium foil.
                                                  • marketingtech 113 days ago
                                                    Facebook and Google do not pay for this data. Flo sends it to them for free, because it improves the performance/ROI of Flo's marketing.

                                                    Facebook and Google have no semantic understanding of this data, so it does not have inherent value to them in terms of creating configurable targeting segments. These are arbitrary data points sent by the app, and they might as well be labeled "A", "B", "C", and "D" rather than their sensitive names.

                                                    Flo can optimize their ads towards occurrences of event "A" or they can run ads towards "people who have triggered event B in the last week but not event C", but this doesn't offer specific value to other advertisers or FB/G themselves.

                                                    That said, when all of this is put into an ML black box, you never know how data points may be correlated. Maybe the system learns that people who trigger event "D" also end up buying baby clothes. That could lead to observable ad patterns, even if no one can explicitly tie event "D" to pregnancy.

                                                    • ogre_codes 114 days ago
                                                      > I don't get why companies would pay for this sort of data.

                                                      Knowing when someone is pregnant or trying to get pregnant seem like premium moments. Lots of money in fertility treatments and related services. Lots more money in maternity products and new baby products.

                                                      • jschwartzi 113 days ago
                                                        Yeah you can definitely sell anything to a couple who is trying to get pregnant, especially if you know they've been trying for a few months without success.
                                                        • ogre_codes 113 days ago
                                                          I'm sure you can successfully sell anything from coffee to yoga classes that helps with fertility. Just takes the right pitch and the right mark.
                                                          • jschwartzi 113 days ago
                                                            Having done a lot of research myself, there's a ton of folksy "tricks" online but precious little real research information available. A lot of the "tips" boil down to "be young and healthy" and "don't be old and unhealthy."

                                                            I've read some peer reviewed research as well but most of that is focused on outcomes and genetic testing of IVF embryos rather than natural fertilization. I get the impression that fertility isn't something that's well-studied outside of really generic health indicators like weight and age. And a lot of fertility information seems to focus on ages 20 to 35. They seem to assume that after that age you've given up on starting a family or that you already have one.

                                                      • digitalengineer 113 days ago
                                                        It is not because you are pregnant or because there is a baby on the way. It is because, during this time in a woman’s life she is very open for changes in her daily routines. Everything is interesting: from breakfast brands to shampoo brands, type and brand of car, even housing.
                                                      • tdaltonc 113 days ago
                                                        It looks like the "sharing" here was "using 3rd party analytics tools," or is there something more here?
                                                        • raae 112 days ago
                                                          There is also this interesting article about apps like these sharing data directly to the employer: https://www.washingtonpost.com/technology/2019/04/10/trackin...

                                                          "Is your pregnancy app sharing your intimate data with your boss? As apps to help moms monitor their health proliferate, employers and insurers pay to keep tabs on the vast and valuable data"

                                                          • schoolornot 113 days ago
                                                            Skimmed the complaint. Seems like they got in hot water for deceptive disclaimers and not committing to the tenets of the Privacy Shield. Had their TOS said "we may disclose your data to advertisers" in small font and not voluntarily entered into the EU-U.S. Privacy Shield they would be okay.
                                                            • edoceo 113 days ago
                                                              Is this related to the US Fertility company's data breach?

                                                              Leaked SSN and DoB data, rogue code was on there for a month before they found it.

                                                              Edit: it's a different breach of a different fertility related company.

                                                              Finally data-breaches are sexy ;)

                                                              • henearkr 113 days ago
                                                                I hope the company Flo Health gets definitively banned from the Google Play store. They just show off how little they understand their business and the principles of medical confidentiality.
                                                                • cavisne 113 days ago
                                                                  What's the actual mechanism here for Google to get value from this data?

                                                                  You can't create a campaign targeting is_menstruating=true so how are these opaque key value pairs making them money?

                                                                  • SergeAx 113 days ago
                                                                    So, what's the correct recipe here? Anonymize your events before sending to third party analytics? Like event5, mood12?
                                                                    • yjftsjthsd-h 113 days ago
                                                                      Maybe there are some things where you just shouldn't use 3rd party analytics, if any.
                                                                      • arminiusreturns 113 days ago
                                                                        This, especially considering that most research has shown that it's trivially easy to take anonymized data and de-anonymize it.
                                                                        • SergeAx 113 days ago
                                                                          What is the difference between using Google Analytics and Google Spanner then? Or AWS Aurora vs AWS EC2 for that matter?
                                                                          • yjftsjthsd-h 112 days ago
                                                                            My understanding is that Google promises not to use data in gcp databases, while it openly says it will use Analytics data for its own purposes. But yes, you should carefully consider that!
                                                                      • j45 113 days ago
                                                                        This is abhorrent.
                                                                        • 908087 114 days ago
                                                                          Am I missing something, or are they really being let off with less than a slap on the wrist, and no fines?

                                                                          Not really sending a great message here, FTC.

                                                                          • 1-6 114 days ago
                                                                            A menstrual cycle company named Flo. App-tly named (excuse the pun).