Should You Use This Encrypted Period Tracking App?

With the fall of Roe, digital privacy concerns have emerged over period tracking apps. Do Stardust's encryption promises provide protection?

Screenshot: Lucas Ropek/Stardust

The Supreme Court’s recent decision to overturn Roe v. Wade and end nearly half a century of constitutional abortion rights in America has already begun to bear ugly results. In a bevy of states, draconian “trigger” laws have materialized, effectively criminalizing the medical procedure—and more laws are expected in the coming weeks. In this brave new world, civil liberties advocates have expressed concern for the ways in which women’s data could be used by law enforcement to monitor for digital evidence of pregnancies. Critics have worried about the data on period tracking apps in particular, which they say could hypothetically be used to prosecute women who have sought abortions.

But one such company proclaimed last week that it was dedicated to protecting women’s data rather than sharing it with cops. Stardust, a woman-owned period-tracking app, announced that it would be the first company of its kind to roll out end-to-end encryption. E2E limits data’s visibility to the user, keeping personal information safe—and is widely considered one of the best privacy protections on the web. Stardust founder and CEO, Rachel Moranis, announced the plans in a video on the app’s TikTok account on Friday, claiming the plans had already been in the works prior to Roe’s overturning. “What this means is that if we get subpoenaed by the government, we will not be able to hand over any of your period tracking data,” she said.

Stardust didn’t stop there. In a series of tweets, the company went on to state that it hopes to implement a host of new privacy protections, including a way for users to “completely opt out of providing any personal identifiable information (no account generation) and use the app fully anonymously, as well as full local data storage.” Following the announcements, the app saw a huge surge in interest—becoming the second most downloaded app in the U.S., as of Saturday.

Yet, as with anything that sounds potentially too good to be true, critics were quick to point out some problematic elements of Stardust’s plans. Questions have swirled about whether the company’s new privacy measures will be as effective as they sound. Other critics have wondered whether, in this day and age, it even makes sense to use a period tracking app at all. 

End to End Encryption?

Probably the most problematic thing about Stardust’s claims is that they seem to have changed over time. TechCrunch reported Monday that what the company was offering didn’t really sound like “true” end-to-end encryption. The outlet wrote:

Stardust founder [Rachel] Moranis told TechCrunch that “all traffic to our servers is through standard SSL (hosted on AWS) and subsequent data storage on AWS RDS utilizing their built-in AES-256 encryption implementation.” Although this describes the use of encryption to protect data while in transit and while it’s stored on Amazon’s servers, it’s not clear if this implementation would be considered true end-to-end encryption.

Following the interview with TechCrunch, Stardust apparently scrubbed its website of any mention of “end-to-end encryption,” essentially watering down what it had originally offered to users.
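The distinction TechCrunch drew can be shown in a few lines of Node.js. This is an added example, not Stardust's code and not part of the original article: the class names, sample entry and passphrase are constructed, and `AtRestService` stands in for provider-managed storage encryption in general rather than the actual AWS RDS implementation.

```javascript
const nodeCrypto = require('node:crypto');

// AES-256-GCM; blob layout is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]).toString('utf8');
}

// Model A: TLS in transit plus encryption at rest. The service receives
// plaintext, and the storage key lives in the operator's infrastructure.
class AtRestService {
  constructor() { this.storageKey = nodeCrypto.randomBytes(32); this.rows = new Map(); }
  save(user, plaintext) { this.rows.set(user, seal(this.storageKey, plaintext)); }
  // What the operator can produce when compelled: the readable record.
  produce(user) { return open(this.storageKey, this.rows.get(user)); }
}

// Model B: end-to-end. The service only ever stores what the device uploads.
class BlindService {
  constructor() { this.rows = new Map(); }
  save(user, blob) { this.rows.set(user, blob); }
  // What the operator can produce when compelled: ciphertext only.
  produce(user) { return this.rows.get(user); }
}

function demo() {
  const entry = JSON.stringify({ date: '2022-06-01', note: 'constructed sample entry' });
  const a = new AtRestService();
  a.save('user-1', entry);

  // Device side: the key is derived from a passphrase and never uploaded.
  const key = nodeCrypto.scryptSync('constructed passphrase', nodeCrypto.randomBytes(16), 32);
  const b = new BlindService();
  b.save('user-1', seal(key, entry));

  const handedOver = b.produce('user-1');
  return {
    atRestReadable: a.produce('user-1') === entry,
    e2eReadableByOperator: handedOver.includes(Buffer.from('constructed sample')),
    e2eReadableOnDevice: open(key, handedOver) === entry,
  };
}
```

Both models use the same AES-256 cipher; the only thing that changes what the operator can disclose is where the key lives.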

Even more problematically, further analysis of the company’s platform appeared to reveal that the firm was occasionally sharing individual users’ phone numbers with a third-party analytics firm called MixPanel. This kind of information sharing could quite easily lead to the identification of individual users—which is something the company has promised not to allow. After being confronted with the issue, Moranis told TechCrunch that the “current (old) version of Stardust leverages several data collection mechanisms of Mixpanel that we have disabled/removed in the new version. In addition to not sending [personally identifiable information] to Mixpanel, we have also disabled IP tracking for our users to protect from that metadata being used to identify our users.”

Meanwhile, Vice News was quick to point out that Stardust’s privacy policy left something to be desired. In a story published Monday, the news outlet pointed out that the app’s policy acknowledged that it would share information with police “whether or not legally required.” The policy clarifies that Stardust may...

...share aggregated, anonymized or de-identified, encrypted information, which cannot reasonably be used to identify you, including with our partners or research institutions.

When reached for comment by Gizmodo, a company spokesperson said that Vice’s story was based on an “outdated” privacy policy (a visit to Stardust’s website on Monday revealed that the language in its privacy policy had been updated). The spokesperson also provided us with a statement from Moranis, Stardust’s Founder and CEO, who again reiterated that the new feature was designed to avoid a digital subpoena.

“With the update set to go live...Wednesday, June 29th on all iOS devices and Android, user’s login information will not be associated with their cycle tracking data, and therefore their data will not be a subpoena risk,” said Moranis in a statement.

We also asked for better information about the app’s plans for encryption, but have not heard back yet. We will update this story if we get a response.

It’s no surprise that companies like Stardust are now seeking to implement new privacy protections. In fact, such protections might be something of an industry imperative for period trackers, given the full-blown panic about digital health data that now exists in the post-Roe world. For companies to be offering such services isn’t a bad thing, though companies shouldn’t overpromise what they can deliver in terms of security and privacy.

In a Post-Roe World, Encryption is Always a Good Idea

Riana Pfefferkorn, a scholar at the Stanford Internet Observatory, said that, when properly applied, encryption could be used to protect against the draconian laws currently being passed across the country.

“The Dobbs decision [which overturned Roe] underscores the importance of adding strong encryption, by default, wherever it doesn’t currently exist already,” Pfefferkorn told Gizmodo. She added that companies like Stardust are “suddenly under a lot of scrutiny” and that their business model is under threat from the public panic spurred by the recent Supreme Court decision. “If they want to survive, all of these period tracker apps out there need to really get their house in order and be building up user trust,” she said. That means being more transparent about the kinds of data that the apps collect and instituting better protections to prevent the data from falling into the wrong hands.

Pfefferkorn also recommended that women invest in existing privacy applications. One of the simplest ways to protect your online communications is to use an encrypted chat platform. For that, one of the best options is to download Signal, a chat app that offers true end-to-end encryption. It’s free, easy to use, and should ensure that your conversations stay private. That might be the best place to start.