Tech

The #1 Period Tracker on the App Store Will Hand Over Data Without a Warrant [UPDATED]

Stardust Period Tracker was the most-downloaded free app on iOS over the weekend.
​Stardust app screens via Apple Store
Stardust app screens via Apple Store

Update 6/27/22, 4:00 p.m. EST: Following Motherboard’s request for comment, Stardust changed its privacy policy to omit the phrase about cooperating with law enforcement “whether or not legally required;” the current policy is reflected below.

Stardust, an astrology-focused menstrual tracking app that launched on the App Store last year, is one of Apple’s top three most-downloaded free apps right now. From sometime around Sunday evening until Monday mid-morning, it was in the number one spot. It’s also one of very few apps that has put in writing that it will voluntarily—without even being legally required to—comply with law enforcement if it’s asked to share user data. 

Advertisement

After the fall of Roe on Friday, ending the Constitutional right to an abortion and making abortion illegal in more than a dozen states, many people used Twitter to urge others to delete their period tracking apps for privacy and security reasons. A widely-shared concern is that law enforcement can use personal data created in apps against people who’ve sought or gotten abortions illegally. 

Despite this, more people are downloading Stardust—which combines astrology with menstrual cycle tracking— right now than some of the most-downloaded apps in history. As of Monday morning, on the iOS App Store, Stardust was ranking above hugely popular apps including TikTok, YouTube, and Instagram. It was ranking above BeReal and NGL, two apps that have recently gone viral with teens. 

Stardust seems to have done a decent job of jumping on this moment when everyone is screaming into the Twitter void to “delete you period tracking app!” by marketing itself as the choice for safety-conscious people to track their cycles. The app has less than 300 followers on Twitter, but has made viral TikToks talking about privacy and landed coverage in Mashable. Its Twitter bio is “Privacy first period tracking app.”

Despite all of its privacy-first marketing, Stardust states in its privacy policy that if the cops ask for user data, it’ll comply, whether legally required to or not, and claims that the data is “anonymized” and “encrypted.” As of Monday, the privacy policy stated:

Advertisement

“We may disclose your anonymized, encrypted information to third parties in order to protect the legal rights, safety, and security of the Company and the users of our Services; enforce our Terms of Service; prevent fraud; and comply with or respond to law enforcement or a legal process or a request for cooperation by a government or other entity, whether or not legally required.”

Update: Following Motherboard’s request for comment, on Monday afternoon, Stardust said that it updated its policy; it now says it will “comply with or respond to law enforcement or a legal process or a request for cooperation by a government or other entity, when legally required. Any Health Data that the Company is legally required to share cannot be linked to you and will remain anonymous.”

“Whether or not legally required” is an unusual phrase to include in a privacy policy. Most apps simply state that they will comply to the extent legally required. There’s no reason for companies to comply with the cops if they don’t have to. But Stardust says it will. 

Stardust advertised that what differentiates it from other apps is an “encrypted wall” that they claim keeps data safe. “What we did was implement an encrypted wall between our users personally identifiable information (email/phone/apple id/ etc) and what they actually do on the Stardust app,” the company tweeted in a thread on Sunday about its data practices. 

Advertisement

This feature isn’t implemented yet: it will launch on Wednesday, according to Stardust, along with its Android app launch. It is not entirely clear what Stardust means by an “encrypted wall,” but Stardust explained that users create an encrypted identifier on their phones that the company doesn’t store, and that links users to their activity on the app. 

Still, Stardust claims that if it receives a subpoena asking for data on a particular user, it will not be able to hand anything over. “If the government issues a subpoena to find out about your menstrual tracking data, we will not be able to produce anything for them,” Stardust claims. Whether that’s true depends on how and what it stores. Stardust did not immediately respond to a request for comment. 

Its privacy policy states that it collects and may share “general age demographic information and aggregate statistics about certain activities or symptoms from data collected to help identify patterns across users.” In a section about sharing to third parties, it states it will not share anything except in a laundry list of cases, including subpoenas: 

“In response to subpoenas, court orders or legal processes, to the extent enforceable, permitted and as restricted by law (including to meet national security or law enforcement requirements); (ii) when disclosure is required to maintain the security and integrity of the App, or to protect any user’s security or the security of other persons, consistent with applicable laws; (iii) when disclosure is directed or consented to by the user who has input the Personal Data; (iv) in the event that we go through a business transition, such as a merger, divestiture, acquisition, liquidation or sale of all or a portion of its assets, your information will, in most instances, be part of the assets transferred. Information that is encrypted will remain encrypted and cannot be shared by us in decrypted form.”

Stardust tweeted that it offers an “an app experience on Stardust that lets our people share their tracking with their friends” and protect users from “bad actors” at the same time. The founders call this a “unique problem to solve.” These are diametrically opposed goals, unless security practices are airtight: either you can create an “app experience” that involves storing data with sharing features, or you can let people use the app without making accounts, and make your app less data-rich and valuable in the process.

The company tweeted that it’s still “working on an option” for anonymous use of the app, without creating an account.