A few years ago a Princeton professor, Janet Vertesi, got pregnant. Being a bit savvy in the ways of online trickery, she paid for maternity clothes in cash, used the Tor browser to surf baby sites and banned friends and family from discussing the good news on Facebook or via texts. She didn’t want her unborn child to be tracked by advertisers and data brokers.

Kashmir Hill, a journalist, heard about this, and when she was on the way to becoming heavy with child she decided to do the opposite. She downloaded a bunch of pregnancy-related apps and decided to track the trackers with a tool called Recon. She also enlisted help from the Electronic Frontier Foundation. Her intention was to discover what data the apps were harvesting and whether it was secured.

Here are her top-line findings:
  • She used a bunch of period tracker apps, and all were passing along user information to third-party analytics companies, social networks, and advertisers. These included Google, Facebook, Adobe, DoubleClick and Crashlytics. The data could help these companies to tag a smartphone as belonging to a “person trying to get pregnant.”
  • There were security issues with many apps, such as the lack of PIN codes, and privacy issues, such as one app collecting a person’s location each time the app was used. The app company, in its privacy policy, said that it uses location data to provide users with “location-based information and advertising.”
  • An app called Bump warned that it planned to record phone calls placed by its users from within the app. The Bump permits users to search for and call stores to host a baby registry; its privacy policy said that if you made a call to a vendor from within the app, “we will record the phone call and any message you leave for the third party, as well as call information such as the number dialled, the date and time of the call and its duration, and your location as determined by your area code or as otherwise permitted.” 
  • An app called What To Expect passed Hill’s email address to other companies, including Pottery Barn Kids and Huggies, who immediately began spamming her inbox. The fact that user information would be shared with “advertisers and sponsors” was buried 2,600 words into the privacy policy, pretty much ensuring app users wouldn’t see it.
  • A Washington state woman named Amy Pittman used the What To Expect app when she first got pregnant. She later had a miscarriage. But a week before she would have otherwise given birth, she received a congratulatory package in the mail from the baby formula maker Similac, one of the companies to which the app sells its user list. 
  • Many of the apps weren’t using encryption to send information along to their servers. As a result, women writing in the apps’ message forums about personal things could have their messages intercepted by someone sharing their Wi-Fi network or providing their Internet service.
  • An app called Glow was passing along the phone’s IMEI, a permanent serial number for the device, to Appsflyer, an ad company. The number can be used to persistently track the user of the phone, as it can’t be changed even if the device is factory-reset.

In many cases, Hill said, she wasn’t able to find out how the information gathered on her would ultimately be used.
She added that she expected to be deluged with ads online for baby products, but that didn’t happen until she actually started buying baby products after her daughter was born.

The apps asked for all sorts of information and many implied, without stating, that they were authoritative sources of medical information. However, when confronted about this they tended to row back and say they were just offering advice.

Some of them changed their policies when confronted by Hill. For instance, the Glow app owners said they wouldn’t collect the IMEI as long as an advertising ID, which is an identifier for your phone that can be changed, is available.

Kafkaesque

The data brokering from some apps was harder to trace, and Hill said this reflects the murky nature of privacy in a world where a seemingly endless network of companies you’ve never heard of are collecting information about you and trying to monetize it.

The data-trading business is Kafkaesque: you don’t know who knows what about you or how it’s influencing what you see or how you’re treated, and information will inevitably leak out across platforms, possibly leading to negative outcomes.

On the surface, many of these apps can be useful, but it’s what goes on beneath the surface and behind the scenes that is worrying.
