It’s hard to imagine more intimate data than that collected by female technologies or “femtech.” These apps and devices not only monitor women’s menstrual cycles but also record their sexual encounters, orgasms, and pregnancies.
A new study shows that many femtech companies do not adequately safeguard such sensitive information. Some may even intentionally leak personal data to third parties.
The research, led by Dr Maryam Mehrnezhad at the Royal Holloway University in London, is part of a four-year investigation into cybersecurity, privacy, trust, and bias issues in the femtech sector.
For the study, the team examined popular fertility apps, smart breast pumps, fertility trackers (such as bracelets and rings), kegel trainers, and sex toys. The team found a range of “inappropriate” security and privacy practices: many products do not present valid consent, do not give extra protection to sensitive data, and track users.
Mehrnezhad told TNW that companies that compromise the data privacy of their users in this way “may do it unintentionally” or as a “deliberate attempt for commercial purposes.”
In 2021, period-tracking app Flo settled a class action lawsuit over allegations it shared users’ health data with Facebook. The judge found Flo guilty of informing Facebook of in-app activity — such as when a user was having their period. The social media platform would then use this information to display targeted ads.
One 2022 study found that 84% of period tracker apps share data with third parties. While most of this information is sold for commercial gain, sensitive health data could be used for more nefarious means.
“We have identified multiple threat actors interested in fertility and sex information,” said Mehrnezhad. These could be cyber-criminals, insurance companies, or even your employer.
Legal grey area
Currently, femtech sits in a legal grey area. These devices and apps are not considered “medical,” so they fall outside the purview of healthcare regulations. However, there are no specific laws in the EU or UK covering them either.
The closest candidates are two sets of regulations within the EU’s sweeping data privacy law, the GDPR, which deal with general data protection and medical and health regulation.
“However, as shown in our work, alone or combined they fail to protect the user from malicious practices,” explains Mehrnezhad.
The researchers recommend stronger regulations and more industry oversight, including setting up entities to guide femtech developers toward best practice and ethical decision making. Currently nothing like this exists.
“We believe that the medical and health space is in need of domain-specific and sectoral regulations with attention to the needs of marginalised user groups such as women and those with physical and mental ability limitations,” said Mehrnezhad.
Historically, women’s health has taken a back seat to men’s — leaving a persistent gender gap in data, research, and law. Some 70% of femtech founders are women, many of whom developed their products to improve access to accurate health insights.
While research shows that more accountability and regulation are needed, Mehrnezhad stresses that providing users with secure, private, and safe femtech products should be the ultimate goal for all parties.
“We hope to see better collaborative efforts across the stakeholders to enable citizens to use femtech solutions to improve the quality of their lives without any risk and fear,” she said.
The good news is that some efforts in policymaking are afoot that could address the issue, including the creation of a European Health Data Space that supports individuals in taking control of their own health data.
For now, Mehrnezhad recommends that users of femtech apps and devices pay special attention to privacy policies, opt out of data tracking and unnecessary permissions, and uninstall all apps they are not regularly engaging with.