A few weeks back, you sent us Qs about the SCOTUS decision to overturn Roe, and we consulted some experts to answer them for you. First up is Saskia Coplans (she/her), co-founder and director of information security consultancy Digital Interruption and security software developers REXSCAN. She’s here to shed some light on period tracking apps and whether or not we need to delete them.

We’re a little confused about whether or not we should delete all period apps or if those owned by European companies are ok. What’s your take?
Clue, based in Berlin, for example, has released statements saying they do not and will not share data regardless of where you are in the world. They’re also subject to the jurisdiction of the German and European courts, who apply European privacy law, namely the General Data Protection Regulation (GDPR). However, regardless of where the business is located, the GDPR only relates to citizens of the EU and does not cover Americans. Any challenge to Clue’s position should a subpoena be issued will boil down to interpretation of the US law or in this case, regulation, and that will be decided by the courts, not Clue.

Take the messaging app Telegram, for example. They argued against sharing data with authorities based on the GDPR and were then compelled to share data with American, Russian, and even German authorities.

Should we delete our apps if we live in a state where abortion is still legal?
Whether to use an app or not is a personal choice and will always come down to the level of risk you are prepared to take. What I can do is explain how they work and, from a technology perspective, the issue they present. Users need to read apps’ privacy information carefully and try to make an informed decision. The Stardust period tracker, for example, promised it will encrypt users’ data to prevent the government from accessing it. However it’s not clear when they will do this, and encrypting data doesn’t necessarily mean it can’t be decrypted. Also, on further interrogation, it turned out that Stardust was sharing users’ data, including their phone numbers, with third parties.

Would I use a tracker in a state where abortion is still legal? Probably. But I would be very careful which one.

You’ve mentioned data a lot. How can data be used against us by the government or law enforcement?
The government has the power to subpoena personal data and surveil citizens. In fact, in some cases, the government can demand access to data without a subpoena where they can demonstrate an imminent threat to national security or the safety of an individual.

Law enforcement actually has several powers it can enact to access your data. And it’s not just through subpoenaing cellular providers and tech companies. They can subpoena your entire device, or get a search warrant to go through your phone or tablet, and often the evidence they need to obtain the warrant is gathered through data they have collected in the public domain. Open-source Intelligence (OSINT) is where data is available in the public domain via media, internet, public government data, and professional and public publications. It’s also where commercial data and technical data are gathered and analyzed. This data (which includes apps) can reveal a lot about both groups and individuals and is the subject of widespread data-sharing partnerships across multiple government agencies.

So, it isn’t just period apps that could present risks for people seeking abortions in other states (or helping people do so)?
Exactly. All of the above can cover any app including your period tracker, but it’s not just that app that’s tracking you. All your data from multiple sources could be subpoenaed and could be used to build a case. So, if you go to another state, how did you get there? Where did you stay? Did you use apps for travel, accommodation, to message a friend? Which apps were logging your location movements? You left your phone at home, but who’s home? Did you take time off work? Who did you tell?

A fairly robust case hypothetically could be presented to support the accusation that someone had an abortion regardless of whether it included data from a period tracker based on data collected via other apps, OSINT, and the movements of the handset itself.

Yikes. So, should we delete our data? If so, how can we do that?
Deleting the data you store locally on your phone will mean it can’t be accessed by law enforcement if they get a warrant to search your device but it will not mean it’s been deleted from the servers where the app stores data, so that data could still be subpoenaed. The only way it can be removed from those servers is for the company that provides the app to do it, so you will have to request deletion. An app’s privacy notice or policy will tell you how to request this.

The GDPR has a universal “right to erasure” for all EU citizens, but in the US, this is not the case, though there may be provisions at the state level. If you have been using an EU-based app (like Clue), you can request that they delete all your data and they will have to comply within 30 days.

Want more info? Here are some digital security tips, tricks, and guides:
-How you can protect yourself, post-Roe
-Digital Defense Fund Abortion Privacy Guide
-Security and Privacy Tips for People Seeking An Abortion