Period Tracking in a Post-Roe World

The absolutely despicable decision from the United States Supreme Court has prompted many on Twitter to share their opinions on how to be “safe” online. Rightful anger is turning into an absolutely ridiculous free-for-all, as semi-qualified people are regurgitating their semi-literate takes unto the World Wide Web. There’s a lot of fear-mongering and false information going around what kind of online risks people are facing. Often these threads are short and contain frantic unspecific information that just fuels FUD.

In this article I’ll try to give some information that is actually based on reality. It is always difficult to give “generic” advice, because security advice should always be tailored to a specific situation. I will try to give some advice that will fit in this situation, and add caveats and further information when necessary. First, we’ll talk about some ways you can anonymise your “research” about abortion, then we’ll talk about period tracking and what apps I would personally recommend.

NB: I can only judge these apps according to their security/privacy. I don’t purport to know much about their usability.

Also, I will try to be as non-technical as possible in this article. This means that this article will oversimplify several concepts, to hopefully make them clear to non-technical users. I might follow this article up with some more technical analysis of period tracking apps.

I will also link several articles from the EFFs excellent Surveillance Self-Defense program.

Caveat: app stores and mobile platforms

One big caveat for this article are app stores that are primarily found on Android and iOS. Please keep in mind that on the Play Store and the App Store you are always logged in with your account. So there will be record of you downloading and installing the app. Under Android you can use an alternative app store called F-Droid. This allows you to download and install applications without a login. I don’t use iOS so I don’t know this for sure, but if I understand the Apple ecosystem correctly, something like this doesn’t exist for that platform.

The other caveat is that mobile platforms will save a backup of your apps and their data in the cloud (Google Drive/iCloud). For iCloud, you can disable using iCloud for individual Apps. For Android this depends on your android version/phone manufacturer.

Think about these things if you decide to use certain apps, like a period tracker.

Researching topics

On the internet, you will find two types of advice on how to anonymise your browsing. One will suggest using a VPN, the other using Tor. Both of these tools have their own advantages and disadvantages, and each have to be used correctly to be effective. I personally prefer Tor, since VPNs have some very big downsides that aren’t immediately apparent to non-technical users. I still mention them here, because they are often the first type of tool people hear about, and I want to caution against them.

Please also note that any anonymising way falls flat if you identify yourself via another way. This should be a no-brainer, but if you log into a website via a VPN or Tor, you are no longer “anonymous” to that website.

VPN

VPNs are a technology that can be used for different purposes. In our case, a VPN anonymises your traffic to your ISP. Because of the way the internet works, your ISP can see all websites you visit, but not what you do on the websites itself. They see that you visited google.com, but not what you search. They will see that you visited youtube.com, but not what videos you watch, etc.

If this is a concern for you, you can use a VPN. This will make your ISP unable to see which websites you visit. But this will just “shift” the traffic to your VPN provider, which essentially (for these purposes) becomes your ISP. This means you need to trust your VPN provider as much as your ISP, if not more. This means you really need to research which VPN you want to use. In general, the way I understand the situation in the US, your data will not be safe from the government because courts can get to that data via subpoena. So you will want to find a VPN provider that doesn’t save any data. But even if your provider says they don’t save any data, there is no way to know that they are not lying. Because if they have data, they will have to give it away. Another way is to use a provider where jurisdiction by US courts does not extend. This is difficult to gauge.

One advantage a VPN has over Tor, is that it tunnels your complete traffic, not only your web browsing.

In general I would not recommend a VPN, unless you know what you are doing and you fall in the category I describe above.

For more information, you can read the EFFs guide on choosing the right VPN.

Tor

This is a protocol and a browser that completely anonymises your traffic. It is impossible for anyone to uniquely identify the websites you visit, and it is also impossible for the websites to identify you. Tor can be downloaded on the website of the Tor Project. I would recommend using the Tor Browser. In this application, the protocol is bundled with a special browser that also has several different anonymising settings. Tor is different from a VPN in that it encrypts your connection in multiple layers, and then sends it along multiple other computers before it reaches the website you are opening. This means your traffic is fully anonymised (there are some things to be considered still, these are described in the Tor FAQ).

One caveat about Tor is that it can be quite slow. It bounces your connection around several other computers, so you will have quite high latency (“ping”) and slower download speeds. This means that you will “reach” websites slower and they will also “render” slower on your device. Another is that it only works for that Browser. Other traffic (from programs on your computer) will not be anonymous.

Here are some guides on how to install Tor Browser:

For mobile platforms also make sure you understand the caveats.

Period tracking

I’ve seen advice ranging from “delete all of your period trackers” to “this specific app is perfectly safe and you should definitely use it”.

The first advice (delete all of your apps) is of course very safe. It’s also absolutely bonkers, and it doesn’t help users at all. In my opinion, if you want to blurt that hot take into the public sphere, you might as well not say anything at all.

Now that we’ve dealt with that, some apps. As you can guess, I’m a bit out of my depth with this topic. I’m not a health expert, and I can’t meaningfully test these apps. There seem to be two “big” apps that are currently circulating. I’ll write my opinion for each one. The first one (Clue) seems to be the more popular one, and the second one (Drip) seems to be the more privacy-focused one.

Clue

Clue is a commercial period and fertility tracking app from Berlin. They are currently heavily marketing their app to a US audience via Twitter posts and press releases. In these press releases they especially keep hammering home that they are a European company that falls under GDPR. GDPR is a big topic that I can’t address in this article, but suffice to say it is a quite strict data protection regulation that sets rules how EU companies have to handle data from EU residents. It sets a lot of restrictions and some rights that consumers have. There are two important things to know about this. The first one is:

GDPR does not apply to non-EU residents and citizens.

While Clue probably does not treat “American” data different from “EU” data, because that would just mean more work, they are perfectly able to do so. In practice this caveat likely does not matter. There is another problem that is likely more important:

GDPR has exceptions for law enforcement.

In Germany (where Clue is based), courts can request documents and information. Companies then have to provide this information. As far as I understand, this also applies to US law enforcement, because of Mutual Legal Assistance Treaties. In general, Germany does not require that something is illegal in Germany for them to serve document requests through these treaties.

Clue is currently misleading about this topic. They claim that they will only serve EU and German authorities. This is technically correct, but does not matter in practice. If i understand the process correctly, US law enforcement will contact German law enforcement, that will then contact the company. My information about this process is purely theoretical. I’m not a lawyer, so I don’t know if this actually happens, or will ever happen. I just want to shine a light on the fact that it is not as easy as “we are in the EU and GDPR is very good”. GDPR does not protect you as an non-resident and non-citizen of the EU. GDPR also does not protect you from criminal and civil liability!

All in all, this does not mean you should absolutely not use Clue. There are still some good arguments for using it over US-based applications. Just think about the consequences of using it, and try to think about your specific threat model.

Drip

Drip is a privacy-focused and open source application. Open source means that the source code for the application can be read and changed by anyone. Their privacy policy is refreshingly short. This is because they don’t collect any data. All data is kept locally on the device, and can be deleted from inside the app. This means that they can’t give any data to law enforcement, even if there is a subpoena. (An example of this strategy can be seen in the cases where Signal was subpoenaed) The app is funded by Mozilla and the German government (through Prototype Fund).

The app has some problems that may or may not be a deal breaker:

  • The newest version is only available via Google Play

They also provide instructions on their website to manually install the latest version, so this problem can be partly circumvented.

  • There is no iOS version currently

The development team is working on an iOS version, but it is not available at the moment. Even if they create an iOS version, there will not a be way to download this version anonymously (see caveats for more information).

An additional deal breaker for an American audience might be that this app does not currently allow you to enter Temperature in Fahrenheit. There have been some feature requests for this, but there is currently no one working on this feature (since the team seems to be busy with releasing an iOS version).

Conclusion

The internet contains a lot of information. Some of it is good, but a lot of it is bad, especially when people work themselves up to a frenzy. I hope that the advice in this article will be useful to people. Good luck, and stay safe out there!