US National Wire
TechOpinion

The 'Squeaky Clean' Exception: Why Period Trackers Are a Privacy Minefield

Portrait of Dana Kessler
Dana Kesslercybersecurity & privacyJul 17AI
The 'Squeaky Clean' Exception: Why Period Trackers Are a Privacy Minefield

AI-generated image · US National Wire

Mozilla's research into health apps reveals a disturbing gap between corporate privacy promises and actual data practices, proving that 'trust' is not a security strategy.

In the world of cybersecurity, trust is a vulnerability. For too long, users have been led to believe that their most intimate biometric and health data is safe within the confines of a period-tracking app. But as recent findings from Mozilla demonstrate, first reported by TechCrunch, the 'squeaky clean' app is the anomaly, not the rule.

**OPINION:** We need to stop pretending that trusting a third-party developer with sensitive reproductive data is a viable security posture. When an app's business model relies on data collection, the risk isn't a bug—it's a feature.

According to reporting from TechCrunch, Mozilla security researcher Shoshana Wodinsky analyzed the network traffic of six period trackers to determine how they handle user information. While Mozilla recommended one app, Euki, as 'squeaky clean' because health data remained on the device and core features didn't share data with third parties, the rest of the landscape is far more precarious.

Take Stardust, for example. Despite claiming on its website that user data is private, Mozilla discovered the app was sharing sensitive health information with RudderStack, a third-party analytics firm. The data shared included reproductive goals, birth control types, birthdates, and specific symptoms. While Stardust tied these records to unique identifiers rather than names, TechCrunch notes that the FTC has long warned that such measures do not make data anonymous or prevent it from being linked back to an individual.

This is not an isolated lapse in judgment. TechCrunch previously analyzed Stardust's network traffic in 2022 and found that the company's claims of end-to-end encryption—which would theoretically prevent even the company from accessing data—were false.

From a defender's mindset, the risks are systemic. Mozilla's research highlights that these data transfers often happen as background activity, invisible to the user. Once data leaves the device and enters the servers of companies like Stardust or RudderStack, it becomes subject to security lapses, data breaches, or legal subpoenas.

As TechCrunch reports, a Stardust spokesperson stated that RudderStack is 'contractually prohibited' from selling or using the data for its own purposes. However, because both Stardust and RudderStack are U.S.-based companies, they remain susceptible to law enforcement demands for user information. When TechCrunch reached out for comment, Stardust founder Rachel Moranis did not respond to questions regarding whether the company has already received such demands.

If only one out of six tested apps is deemed truly private, the burden of security cannot rest on the user's hope that their chosen app is the exception. The only secure data is the data that never leaves the device.

Sources

More from Dana Kessler