Yikes - selling "When did I last Orgasm" to Mark Zuckerberg's team seems like an undesirable "leak" of information.
.. To be clear, "wired app to standard ad-tech surveillance plumbing, sending concepts like user logged period and pregnancy mode entered, through its pipes, to improve ad revenues through Meta's targeting platform" .. ad-events .. this is the kind of behavior that happened, in plain-ish speaking terms, per what I read in my non-expert capacity.
Q: (answered) Now I want to know who runs (ran?) Flo - can we find their Board of Directors & C-level people on LinkedIn to profile what kind of industries lead to this kind of (I believe) privacy violating behaviors? It's a biased question on my part, as Correlation is not Causality! Onwards ..
My limited, biased, AI-driven research suggests the violating behavior ran from June 2016 through February 2019, and that generally the Company was designed to be a consumer app with subscriptions and is healthcare-adjacent, targeting an unregulated non-HIPAA market.
- INVESTORS = consumer subscription apps with ad-driven growth loops
- BUSINESS MODEL =
  (1) free or freemium consumer apps where
  (2) growth depends on paid acquisition through Meta/Google/TikTok ad platforms, which
  (3) requires sending conversion events back to those platforms to optimize ad spend, and
  (4) the SDKs that do this are designed by ad networks to hoover up everything by default.
- EXECUTIVE =
  * No Privacy / Data Protection C-level officers during violating period
Privacyguides has some recs for private health apps (https://www.privacyguides.org/en/health-and-wellness/#menstr...)
I don’t have the right configuration of equipment to use an app like this, but does anyone know why this needs to be a service-driven app? What piece of functionality requires a server to track your health?
Meta only cares about ad revenue so could they be researching or have discovered a link between buying trends and links to a woman's cycle?
[drip.](https://bloodyhealth.gitlab.io/) [source](https://gitlab.com/bloodyhealth/drip)
- around since 2019. Last update 2 months ago
- iOS, Android
- React Native
Mensinator [source](https://github.com/EmmaTellblom/Mensinator) - around since 2024. Last update 2 weeks ago
- Android
- Kotlin
[Menstrudel](https://menstrudel.app/) [source](https://github.com/J-shw/Menstrudel) - around since 2015. Last updated 3 weeks ago.
- iOS and Android
- Dart
[Tyd](https://unobserved.io/tyd/) [source](https://github.com/unobserved-io/tyd) - around since 2023. Last updated 2 years ago.
- iOS
- Swift
EDIT: Someone else pointed out this closed-source alternative that got a 92% by ORCHA: https://www.my28x.com/
I think the biggest thing I'd like to see is a data format standard defined. You should be able to "take your data with you" and go anywhere you like. If you decide an app is unethical or if your favorite OSS app stops being updated, it should be simple to switch. Many apps let you export your data. Maybe someone can make a converter between popular proprietary apps and a common data structure spec.
Why would anyone think that a non-HIPAA compliant app would keep medical information private to the level of security needed for medical data? Flo has definitely breached user trust, but that trust seems misplaced from the get-go.
I don't have a period, so I'm not the best person to do it, but there really needs to be a solid FOSS alternative to Flo. If GNU had more women, it'd probably already exist.
Now is a good time to bring up.
https://bloodyhealth.gitlab.io
A secure open source period tracking app.
It's really sad that we have all this technology but we can't trust any of it.
This is one more reason sector-specific privacy expectations probably need to be harder-coded. Hoping every consumer app will independently exercise restraint has not gone especially well.
This article is about a lawsuit filed in 2021.
> It seems like we can’t just necessarily leave it up to companies – or their ragtag teams of crackpot lawyers rewriting privacy policies every few months – to keep our private data private.
It's not a medical requirement from a doctor, so just keep a diary if you want to. Not everything needs to be an app. All the money spent on regulations and regulators to cover increasingly niche opt-in services that are entirely unnecessary is a waste.
I will say, with codex/cc access and a free weekend you could make an app that covers like 99% of this app’s purpose. The harder part would be the art/making it cutesy, as some other commenters have pointed out. Plain SwiftUI or compose just isn’t eye catching enough
Hey surely Meta wouldn’t send that data to a government interested in regulating women’s reproductive rights
It's crazy to me that Flo is used so widely, as it's started by Russian men and their treatment of data has been public for a while, it just hasn't spread fast enough. I know there's at least one other option called Calessa (http://Calessa.app)
That's incredibly creepy.
This one seems clear cut as a HIPAA violation. Glad to hear that interpretation was upheld.
However, regardless, we really need to just kill the data broker business model.
Speaking as someone who implemented GDPR for my startup when the law first came into effect, there were certainly rough edges.
But the core premise that you simply cannot sell user data to sub-processors without consent is a powerful one that I believe would fix a lot of broken things in the US system.
(Not least because the USG buys private data that would be unconstitutional for it to directly collect, but also things like the incentives for your cell phone provider to sell your location data to advertisers.)
Does anyone happen to know if Meta and Google have ever recovered these judgements from the app developers? All of the industry terms of service specifically forbid SDK licensees from sending sensitive personal data to the platforms, and they require the licensee to indemnify the platform against any judgement that arises from violating those terms. See Meta's statement on this verdict, which seems pretty reasonable to me. This 100% looks like the fault of the app developer:
“User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any.” Meta maintains that any transmission of sensitive health data is due to a failure to comply with its terms of use.
I don't actually see this as a problem, and instead it's a PSA everyone needs to internalize:
If you put data onto a networked device it may be sent to some place else.
If you don't want your data being shared:
- Use a device that does not have any networking capability (both hardware and software wise)
- Use a pen and paper, which you can shred and destroy as you see fit.
If you're using an application on a mobile device with mobile data/wifi, the chances are, your data is being uploaded.
If the app could make another $0.05 selling your location to kidnapping gangs, they'd do it. There's no such thing as an app that cares about your privacy or your interests.