Period-tracking app Flo launched an “Anonymous Mode” on Wednesday, which allows people to use the app without linking their data to their name, email address or IP address.
The new feature, which the company says hopes to set a new standard for privacy protection in health apps, is a direct response to privacy concerns stemming from the revocation of roe v. calf in June. Following the ruling, reproductive justice advocates sounded the alarm about the potential use of sensitive data collected by period-tracking apps to prosecute people seeking abortions.
“The world is not designed for privacy,” said Roman Bugaev, Flo’s chief technology officer, in an interview with the edge. “We need to rethink the entire Internet with this in mind.”
“The world is not designed for privacy”
In the wake of the US Supreme Court’s decision to end federal protection for abortion, period-tracking apps like Flo came under particular scrutiny, as users worried that they trail data from those apps could be used against people suspected of having an abortion. Experts say this type of data request is not the primary way law enforcement can pursue cases, but the result was a new sensitivity toward data collection for any reproductive health-related product. When the decision was leaked in early May, most bike-tracking apps said they did not plan to make changes to their policies.
Period and cycle tracking apps tend not to have great privacy protections, and Flo, which has around 40 million monthly users, has publicly stumbled on its handling of user data. Last year, it settled with the Federal Trade Commission over allegations that it shared health information with outside companies after promising users it would keep the data private.
The team learned a lot about the importance of privacy and user trust through that process, says Bugaev. “That’s why we decided to double this down.”
Following the leak of the draft ruling revealing that the Supreme Court planned to revoke roe v. calf, Flo began having conversations with users who said they were concerned about the use of bike trackers that linked their identity to their data. “They were concerned about the implications of continuing to use period-tracking apps like Flo,” said Cath Everett, vice president of product for Flo. the edge. “So we knew we had a user problem and a real problem that they wanted us to solve.”
Flo accelerated the development of the anonymous feature when roe v. calf was officially cancelled. But solving the problem wasn’t as simple as deleting users’ contact information and other account details. The strength of an app like Flo is in the insights it can give a user by finding patterns in many different data points, and sending that data over the internet from a phone to Flo’s cloud servers would normally leave behind a lot of metadata. such as IP Address Logs, which would link information to specific users.
To remove this potentially identifying information, Flo worked with web infrastructure company Cloudflare to implement an emerging web standard known as “Oblivious HTTP.” As described in Flo’s White Paper, Oblivious HTTP separates data content from IP address information by using a relay service to transfer encrypted data between an application user and Flo’s servers. Essentially, the relay will know where the data request is coming, but not its content, and Flo can see what the data contains, but won’t know where it’s coming from.
“The beauty of anonymous mode is that it makes it possible for users to still have the personalized experience and information based on the data they provide, but, at the end of the day, that information cannot be traced back to them. says Everett.
Due to the nature of anonymous mode, the team won’t be able to see exactly how many people activate the feature, says Bugaev. But they will be able to get an overall high-level estimate, and they hope it will be in the millions.
Anonymous mode may not be for everyone, says Everett: Flo users who choose it will lose some features. Web users cannot use anonymous mode with the paid version of Flo, which includes video courses and chats with the Flo Health Assistant. Users cannot connect with a portable device. They also cannot transfer information to a new phone if yours is broken or stolen. The team wanted to include as much functionality as possible, but had to make some trade-offs due to the challenges of creating a truly anonymous product, says Bugaev.
Flo’s team says they hope the mode will inspire other groups to build similar systems that also put anonymity at the forefront. “I think we should work together on some of these issues,” says Bugaev. “It’s very difficult to move the entire industry forward.”
Correction September 14, 10:21 am ET: An earlier version of this story said that anonymous mode cannot be used with the paid version of Flo. It cannot be used with the paid version of the web app, but is available in the paid version of the iOS app. We are sorry for the mistake.