Data Marketplace Selling Info About Who Uses Period Tracking Apps

A data marketplace called Narrative, which lets anyone sign up and purchase information related to the users of specific apps near-instantly, has been offering data from users who it says downloaded period tracking apps, including some of the most popular period tracking apps such as Clue. The data does not include information harvested from the Clue app itself, but rather is a list of devices that have the app installed that in turn could be used to identify users. Motherboard bought a sample of the data for $100 within minutes of finding it on the platform.

The ease of access to such data has taken on a new significance in the wake of a leaked draft opinion from the Supreme Court earlier this month. If Roe v. Wade is overturned as was signaled in the leaked draft, abortion will be illegal in many states across the country. Privacy experts immediately said that period tracking and other apps could become a target for law enforcement agencies or motivated vigilantes to exploit to identify potential people seeking abortions or those providing them. Earlier this month, Motherboard reported on multiple location data brokers who stopped providing data related to abortion clinics after scrutiny. 

To be clear, data for sale on Narrative does not include specific information about women's menstrual cycles. It is information on what devices downloaded a specific app. If a third party wanted to identify who used a certain family planning or period tracking app, the data for sale on Narrative would be a potential first step towards doing that.

Zach Edwards, a cybersecurity researcher who closely follows the data trading marketplace and who first flagged Narrative to Motherboard, described Narrative as “a choose your own non-compliant data adventure,” which “includes everything from Planned Parenthood app data, countless period trackers, and a variety of other sources that seemed to be available for anyone wanting to track people and their private medical decisions.”

Edwards found that a search on the Narrative marketplace for “period” revealed a wealth of period tracking apps that Narrative customers could buy data related to. These appeared to include “Period Calendar Period Tracker” which has over 100 million downloads, according to its page on the Google Play Store, as well as Period tracker by Pinkbird which has over 5 million downloads and Clue which is used by more than 13 million people. Narrative also advertised data related to users of Planned Parenthood Direct, an app made by the family planning and health organization that lets users order birth control.

The concern generally is that data from or related to period tracking apps could be used to target people suspected of getting abortions. In 2019, Missouri’s top health official said the state reviewed Planned Parenthood patient data, in some cases including their menstrual cycles, looking to find those who had failed abortions. One concern some privacy experts have is that information about a woman's menstrual cycle could be used to infer a pregnancy, miscarriage, or abortion depending on the granularity of the data.

“​​If you are in the United States and you are using a period tracking app, today is good day to delete it before you create a trove of data that will be used to prosecute you if you ever choose to have an abortion,” Eva Galperin, director of cybersecurity at activist organization the Electronic Frontier Foundation, tweeted earlier this month. Elizabeth McLaughlin, an activist and founder of The Gaia Project for Women’s Leadership tweeted that “If you are using an online period tracker or tracking your cycles through your phone, get off it and delete your data.”

But less precise data could also pose a risk. Jerome Greco, a public defender in the digital forensics unit of the legal aid Society in New York City, previously told The Verge that “I think in the future it could become more broad, and they could be aggregating data and parsing data to try to identify suspects.”

On Monday, Motherboard bought $100 worth of data related to users of the Clue app from the Narrative marketplace. Clue is a particularly high profile period tracking app and recently got FDA approval as a “digital contraceptive.” The purchase itself took minutes, and the compiled data arrived later the same day. The resulting file included a list of over 5,500 unique identifiers for devices that Narrative says belong to Clue users. Generally, these sorts of identifiers, which often come in the form of a long string of characters and digits, are known as mobile advertising IDs, or MAIDs, and have been a cornerstone of the online advertising industry for years. MAIDs allow the advertising industry to track a specific mobile phone’s activity, as each MAID is unique to each device.

Members of the advertising industry have said that MAIDs are anonymous, but as Motherboard has shown, an entire sub-industry exists that links these identifiers to peoples’ real names and physical addresses. Senator Ron Wyden previously told Motherboard that the existence of this industry “makes a mockery of advertisers’ claims that the truckloads of data about Americans that they collect and sell is anonymous.” In other words, companies can source these mobile identifiers and then combine it with other information to unmask or target those devices or the people behind them.

The Clue-related data Motherboard purchased includes Android Advertising IDs, based on the data’s distinct format. These are the unique code that the Android operating system assigns to a phone, and how advertisers track Android users across different apps and services. Narrative told Motherboard in an email that the data included users’ Android Ad IDs.

Motherboard provided a copy of the purchased data to Clue; Clue said in a statement that “it does not correspond to Clue user ad IDs. We don’t know what this is, or how Narrative got it, but it doesn’t identify Clue users. We categorically do not sell personal data.”

The data was structured in such a way that “data buyers can pick specific mobileIDs—basically specific people—and request additional data from Narrative partners to be sent about that specific individual record,” Edwards said.

On its website Narrative says it provides “everything you need to buy and sell data.” It offers access to an array of different types of data, including precise location data, transaction data, information on TV viewership, and age and gender. It also offers “identifier mapping,” which the website says is “mapping between two identifiers that indicates that both belong to the same user.”

Narrative isn’t the company that harvests this data from mobile phones. Narrative instead acts as a middleman and makes buying access to data much easier and relies on “providers” that source the information. Narrative providers include Complementics, a location data gatherer that Motherboard previously linked to a company that sells data to Immigration and Customs Enforcement; Mobilewalla which used its location data to monitor Black Lives Matter protests; and FullContact, a company that Motherboard previously found worked in the industry of unmasking anonymous phone identifiers.

The Clue-related data is marked as coming from two different providers, but the data doesn’t name them.

After Motherboard contacted Narrative on Monday, the company removed the Clue and other period tracking app data from its marketplace. The company also removed data related to users of the Planned Parenthood Direct app.

“No menstruation or pregnancy tracking app install data has ever been purchased through Narrative’s platform before. However, in light of potential forthcoming changes to laws regarding women’s reproductive rights, we have updated our policy to remove those datasets from the Marketplace to prevent any potential misuse of the data,” the company said in a statement.

“Customers that purchase app install data from third parties via the Narrative Data Streams Marketplace receive a list of anonymized identifiers of mobile devices that have that specific app installed on their phone. The data does not provide information about actions taken within or usage of the app. Most of our customers use app install data for advertising or competitive intelligence use cases,” it added. “Narrative’s terms and conditions expressly prohibit the use of any data acquired via Narrative for ‘conducting or providing surveillance, or gathering similar intelligence on any individual or entity, including but not limited to investigating or tracking data subjects or any other data sources.’”

Update: This piece has been updated to include a new statement from Clue.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.