Period tracker Stardust surges after Roe reversal, but its privacy claims are not watertight – TechCrunch

Period-tracking app Stardust rose to the top of the US Apple App Store following the Supreme Court’s decision to overturn Roe v. Wade after the app promised to encrypt its users’ private data to keep it out of government hands.

But TechCrunch discovered on Monday that the current version of the burgeoning Stardust app is sharing phone numbers of app users with a third-party analytics firm, which could be used to identify individual app users.

The decision to overturn Roe ended 50 years of constitutional abortion rights protections in the United States, allowing each state to create laws to criminalize abortion. The decision has led to calls for users to remove their period-tracking apps from their phones, fearing that data collected by these apps could be used against them to prove that an abortion was obtained illegally.

Others are ditching their current period trackers and instead turning to apps like Stardust following the company’s strong statement released in light of the decision to overturn Roe. Stardust said it will implement end-to-end encryption so it is “not able to pass any of your period-tracking data” to the government, helping to attract hundreds of thousands of downloads this weekend, before the release of the new version of the application with encryption, which is scheduled for Wednesday.

TechCrunch conducted a network traffic analysis of Stardust’s iPhone app on Monday to understand what data was flowing in and out of the app. The network traffic showed that if a user signs in to the app using their phone number (rather than through a sign-in service provided by Apple or Google), Stardust will periodically share the user’s phone number with a third-party analytics service called Mixpanel.

Mixpanel is an analytics service widely used by app developers to track usage of their app and help identify errors or other ways to improve the app. It does this by tracking how someone uses the app and sending the data back to Mixpanel’s servers. Stardust also shared details with Mixpanel of the phone the app was installed on, the iPhone model and software version, and the mobile carrier the phone was connected to.

While analyzing network traffic, TechCrunch did not see any health data shared with Mixpanel. But sharing a phone number tied to a specific user of a period-tracking app with a third party, like Mixpanel, could allow prosecutors to compel Mixpanel to hand over that data, even though Stardust claims that’s not the case.

Stardust founder Rachel Moranis told TechCrunch that “the current (old) version of Stardust leverages several Mixpanel data collection mechanisms that we disabled/removed in the new version. Besides not sending [personally identifiable information] to Mixpanel, we have also disabled IP tracking for our users to protect against the use of this metadata to identify our users.”

In a tweet, Stardust said it was “working” on a way to allow users to log in anonymously.

Stardust’s privacy policy, updated on June 26, says the app isn’t as secure as it claims. It notes that the app collects a variety of data about users’ devices, activity and location, including through cookies and other tracking technologies. It also provides some exceptions with respect to data sharing, noting how it may disclose de-identified data to certain vendors, with the user’s consent, or when required by law – if it has to “comply or respond to law enforcement or legal process or a request for cooperation from a government or other entity, whether or not legally required.”

(It also seems to contradict the part of the policy that insists the company will never share users’ ages or “any data relating to your health with third parties.”)

Since Roe was overturned, tech companies have been preparing for a new regime under which they could face legal orders requiring the transfer of users’ pregnancy-related data to authorities and state attorneys. Some of the biggest tech companies have yet to say how they will handle data requests related to investigations into people seeking or offering abortions. This has contributed to a rush to find apps and services that use end-to-end encryption, which prevents anyone, even the creator of the app, from accessing a user’s data.

Thanks to its announcement to switch to encryption, Stardust’s app attracted 135,000 new installs on June 24, a 4,400% spike over the roughly 3,000 installs it saw the previous day, according to data from application intelligence firm Sensor Tower. On Saturday, June 25, the app saw an additional 200,000 installs and hit #1 on the US App Store, up from its previous ranking of #119. Combined, both weekend days delivered 82% of Stardust’s 400,000+ total lifetime installs.

TechCrunch asked the founders for more information on how the app implements end-to-end encryption. Stardust founder Moranis told TechCrunch that “all traffic to our servers is via standard SSL (hosted on AWS) and subsequent data storage on AWS RDS using their built-in AES-256 encryption implementation.” Although this describes the use of encryption to protect data in transit and while it is stored on Amazon’s servers, it is unclear whether this implementation would be considered true end-to-end encryption.
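The difference between the two models can be shown in a short sketch. This is an added example, not Stardust’s code: it compares what an operator’s server holds when data is protected only in transit and at rest with what it holds when the client encrypts first under a user-held secret. All function names, the passphrase-derived key and the sample data are assumptions made for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Derive a 256-bit key from a secret that never leaves the user's device.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}

// Client side: encrypt the record with AES-256-GCM before it is uploaded.
function clientEncrypt(record, passphrase) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", deriveKey(passphrase, salt), iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(record), "utf8"), cipher.final()]);
  const b64 = (buf) => buf.toString("base64");
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Client side: decrypt; throws if the passphrase is wrong or the blob was altered.
function clientDecrypt(blob, passphrase) {
  const raw = (s) => Buffer.from(s, "base64");
  const key = deriveKey(passphrase, raw(blob.salt));
  const decipher = nodeCrypto.createDecipheriv("aes-256-gcm", key, raw(blob.iv));
  decipher.setAuthTag(raw(blob.tag));
  const pt = Buffer.concat([decipher.update(raw(blob.ct)), decipher.final()]);
  return JSON.parse(pt.toString("utf8"));
}

// What the operator's application server holds once TLS has terminated.
// At-rest disk encryption is transparent to the operator, so it is not
// modelled: the operator can still read whatever is stored here.
function serverHolds(account, record, passphrase) {
  return passphrase === undefined
    ? { account, record } // TLS + at-rest encryption only
    : { account, record: clientEncrypt(record, passphrase) }; // end-to-end
}

// Constructed sample data (fictional 555 number).
const SAMPLE_ACCOUNT = "+1-202-555-0100";
const SAMPLE_RECORD = { cycleStart: "2022-06-01", note: "constructed sample" };

function demo() {
  const transportOnly = JSON.stringify(serverHolds(SAMPLE_ACCOUNT, SAMPLE_RECORD));
  const endToEnd = JSON.stringify(serverHolds(SAMPLE_ACCOUNT, SAMPLE_RECORD, "user-held secret"));
  return {
    transportOnlyLeaksRecord: transportOnly.includes(SAMPLE_RECORD.cycleStart),
    endToEndLeaksRecord: endToEnd.includes(SAMPLE_RECORD.cycleStart),
    endToEndLeaksAccount: endToEnd.includes(SAMPLE_ACCOUNT), // identifier sits outside the ciphertext
  };
}
```

Even in the end-to-end case the account identifier stays readable to the operator, which is why a phone number sent to an analytics provider matters independently of how the health records are encrypted.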

Given its complexity and the stakes involved, implementing end-to-end encryption is often a time-consuming and resource-intensive effort, where a single coding flaw could compromise user data protection. It’s also not uncommon for companies that use end-to-end encryption to publish articles and technical notes explaining how their systems work – often even a point of pride for some companies – or even to open-source and publish their code, as cryptographic proof that their systems are secure.

When asked if the company had performed a third-party security audit of the app’s code, Moranis said the company intended to “fully release our implementation with a third-party audit once it is completed”, but no timetable was given. (TechCrunch will follow up when audit results are available.)

After hearing from Stardust, the company again quietly changed its privacy policy to remove mentions of end-to-end encryption.

It’s hard to counter people’s fears – the period-tracking app industry has already been found to engage in leaky data-sharing practices with third-party tracking and analytics companies, as well as with tech giants like Facebook and Google. One app, Flo, had to settle last year with the US Federal Trade Commission for violating its own privacy policy. Among other things, the app had falsely claimed that it only shared “non-personally identifiable” information with third parties – which a Wall St. Journal investigation found to be false.

Another app, Glow, had to settle with the state of California the year before for exposing women’s medical information.

Consumer Reports said in May that many apps continue to use third-party trackers and do not store consumer data locally on their devices where it cannot be shared or sold.

Additionally, period-tracking apps don’t have to comply with the federal privacy law known as the Health Insurance Portability and Accountability Act, or HIPAA.

However, with the threat of losing their entire user bases, many period trackers have issued statements to assure customers that their data is safe. Flo, which completed an independent privacy review in March, said it would do “everything in its power” to protect user data and privacy. It also said it would launch a new “Anonymous Mode” feature that removes users’ personal identities from their Flo accounts.

Lance B. Holton