The privacy promises made by period tracking apps are not always kept. New research from Mozilla has revealed that Stardust, a popular menstrual cycle app, shared sensitive health data from users with analytics company RudderStack. The data included birthdate, birth control type, reproductive goals, and specific symptoms, all linked to a unique identifier. The FTC has long warned that this practice does not anonymize the data and does not prevent it from being tied back to an individual.
Network traffic analysis uncovers hidden data sharing
Mozilla security researcher Shoshana Wodinsky analyzed the network traffic of six period tracking apps. Using techniques similar to those employed by TechCrunch in 2022, Wodinsky found that Stardust was the only app sharing sensitive health data with a third party. The other tested apps, including Euki recommended as "squeaky clean," showed no such behavior. This type of sharing often happens in the background, invisible to the user, and carries risks such as data breaches or law enforcement requests.
Sponsored Protocol
Stardust previously made unfulfilled privacy promises
After the Dobbs decision in the United States in 2022, Stardust saw a surge in downloads, advertising itself as end-to-end encrypted. However, TechCrunch had already disproven this claim by analyzing network traffic. Today, Mozilla confirms that data continues to be shared. A Stardust spokesperson told the BBC that RudderStack is "contractually prohibited from selling or using the data for its own purposes." But both Stardust and RudderStack, being US-based companies, can still receive law enforcement requests for stored health data.
In an era where personal data security is paramount, such incidents raise questions about the true protection offered by health apps. Mozilla emphasizes that sharing with third parties introduces vulnerabilities even when contracts exist. To explore the broader topic of data privacy in apps, read our article on Cohere and enterprise AI sovereignty. This case also fits into the larger debate about data collection by big tech, as highlighted by the EU ordering Google to share search data with competitors.
Sponsored Protocol
For an independent overview, check Mozilla's original research on Privacy Not Included. The lesson is clear: when health data is involved, trust must be verified with tools like network traffic analysis, not taken for granted.