TechPulseTechPulse
Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

60% Positive

Analyzed from 2995 words in the discussion.

Trending Topics

#data#app#period#don#privacy#why#apps#flo#meta#medical

Discussion (118 Comments)Read Original on HackerNews

ronbentonabout 3 hours ago
Hey surely Meta wouldn’t send that data to a government interested in regulating women’s reproductive rights
jugginaabout 3 hours ago
I'll bite. Why...?
forgotaccount3about 2 hours ago
People in power want the information to identify a narrower set of people who may have been pregnant and then did not have a child and so may have had an abortion.

And facebook doesn't care about people's rights when those people in power are able to block Facebook from acquiring some new startup they want to buy, so facebook is willing to share the information.

lagniappe22 minutes ago
Are we assuming the lack of a recorded period is the criteria? If yes, what if you just forgot to add it that month, or have hormonal issues, or abnormal BMI?
euroderfabout 1 hour ago
Handmaids, assemble! Gilead is in your device.
freeAgentabout 2 hours ago
If you stop having a period for a few months and then start again, it may be worth buying some location data during that time to see if you were near any medical offices that may have offered illegal abortion services.
jugginaabout 2 hours ago
Could they get a warrant for that data anyway?
2ndorderthoughtabout 2 hours ago
Meta is a defense contractor. They absolutely would do this for money if asked. Just like how a good portion of HN would.
ndisnabout 1 hour ago
“Reproductive rights” is a loaded term.
mghackerladyabout 2 hours ago
I don't have a period, so I'm not the best person to do it, but there really needs to be a solid FOSS alternative to flo. If GNU had more women, it'd probably already exist
TFNAabout 1 hour ago
A comparable FOSS app called Drip has been on F-Droid since forever.
xzjis39 minutes ago
Drip has a paradoxical flaw: by trying to be extremely inclusive and making a "gender-neutral" app (without the colour pink) to include trans people, it discourages some people from using it. At least, my friend told me she thought the design was ugly and was looking for a "cute" app, so she ended up using Flo instead of Drip despite my many warnings.

I think FLOSS apps often forget that not everyone is a developer or a nerd who prioritizes privacy and ethics over design, which is a real problem since people end up using proprietary apps that data-mine them.

embedding-shape29 minutes ago
That sounds not so much as a flaw, as a conscious product decision. And to be honest, doesn't sound like a bad one, not every app needs to work or look the same way, as long as people have choices, they can be responsible for the choices they make. If someone wants a safer but boring app or if someone wants a cute "who gives a fuck about privacy" app, both should be fine.
Hendrikto11 minutes ago
Regardless of your opinion on gender and identity politics, surely people can agree that only biological women have periods.
mghackerlady9 minutes ago
I think this could easily be fixed by allowing themes of some kind
gabeyawabout 1 hour ago
https://www.my28x.com/ I recently heard a talk from this founder. It's free and local, but don't think it's OSS. They have a high ORCHA rating, but waiting to see if they keep their business model this way
embedding-shape31 minutes ago
How does the sharing between partners happen with 28x, or is it literally local-only as in "solely for one person and no way to share with partner"?
xorvoidabout 1 hour ago
I don't know how many more examples people need to see of big tech not respecting privacy... it's just becoming a farce now. Big tech tracking woman's cycles? Of course they are. (sigh) If this doesn't gross people out enough to seriously pursue alternatives, I literally don't know what will.
theptip14 minutes ago
This one seems clear cut as a HIPAA violation. Glad to hear that interpretation was upheld.

However, regardless, we really need to just kill the data broker business model.

Speaking as someone who implemented GDPR for my startup when the law first came into effect, there were certainly rough edges.

But the core premise that you simply cannot sell user data to sub-processors without consent is a powerful one that I believe would fix a lot of broken things in the US system.

(Not least because the USG buys private data that would be unconstitutional for it to directly collect, but also things like the incentives for your cell phone provider to sell your location data to advertisers.)

moffersabout 3 hours ago
I don’t have the right configuration of equipment to use an app like this, but does anyone know why this needs to be a service-driven app? What piece of functionality requires a server to track your health?
embedding-shapeabout 2 hours ago
My partner uses the app this article is about (Flo) and I have an account there too in order for her to share the data with me.

I guess you could do it with some sort of P2P sync with cryptography involved locally instead, and/or E2E for stuff sent via the servers. Kind of surprised me they didn't have E2E already, but I guess I shouldn't be surprised anymore.

JohnFenabout 2 hours ago
Or, you know, she could just track it without any app at all and share it with you in person.
dwedge33 minutes ago
You could also be snarky without internet access
coldpie34 minutes ago
Computers are useful tools that do useful things for people. It is reasonable for people to want to use them to do things they find useful. They don't have to function like spy devices, but we've chosen to highly reward the people who have turned them into spy devices, so they do. We could choose to do something else with them instead. For example we could pass & enforce privacy regulations so they cannot function as spy devices. Or we could wheel out the guillotines so there are appropriate consequences for the creeps and sociopaths who choose to build and work at places like Facebook. Whichever, I'm flexible.
newtwentysixabout 1 hour ago
Like notes apps, reminder apps, etc, data from almost everything we do on phone is saved in cloud. That data is their business fundamental. Same with this app also.
jumpconcabout 3 hours ago
The spying part requires a server.

If you use GrapheneOS, you can enable or disable internet access for each app.

embedding-shapeabout 2 hours ago
> If you use GrapheneOS, you can enable or disable internet access for each app.

Not sure what information you're expecting the app in question to surface if you disable internet access for it.

thephyberabout 2 hours ago
Better revenue model? Pushing some data to the server, serving ads to the app, reselling demographic data, etc all allow for more revenue than just the price of installation.

There are almost certainly other apps in the space that don’t need a server, don’t phone home to Meta, and are lower priced, but they probably aren’t as good at marketing.

From my experience in the startup world, I would wager that this developer probably wanted to track marketing campaign installs (Meta library is required to close the loop on Facebook/Instagram ad conversions after app install) or wanted a feature from some Meta library they integrated but didn’t realize or care about the consequences.

toast0about 2 hours ago
I'm not familiar with this app, but a service lets you do potentially nice things like cross device sync and sharing observations with trusted others.
3formabout 2 hours ago
I'm assuming the question should be further refined to "why does the service need to know the data". The things that you mention could be done with the service only having the encrypted blob.
CGamesPlay41 minutes ago
It doesn’t? You could easily install the tracker on the client app, no need to do it server side. In fact I bet the app in question (Flo) was doing the upload to Meta client-side.
embedding-shape27 minutes ago
> It doesn’t?

I'm guessing P2P technology isn't really sufficiently easy for developers yet, so when you have two users using an app that are supposed to share something between the two, most of us default to building server-side services. That + the "dynamic" list of articles and "help" Flo offer I'm guessing is the main reason for them having servers in the first place.

alistairSHabout 2 hours ago
Not being a women, I've always wondered what insight the app gives regardless of data traveling to a server... does it do anything you can't do with a simple notebook app (like Apple's default Notes)?

If you have an irregular period, does this app help "guess" when it's going to start/end?

If you have a regular period, why do you need an app at all?

natbennettabout 1 hour ago
Like most data entry software there’s nothing that unstructured notes (or paper) can’t handle.

The main useful feature of the apps (or Apple Health’s tracker which is entirely adequate) is that it sends reminders on the estimated period start date, and then a few days afterwards if you haven’t recorded the end date.

Even “regular” periods often aren’t perfectly regular, or can become irregular when they were regular. (Which is often very important health information.)

It also automatically calculates median period length and typical variation/range.

All unnecessary for some people but very useful for others.

ozlikethewizardabout 2 hours ago
I have actually been playing around with scoping a privacy first version of these tracking apps that store all the data locally with optional sync. It's technically possible, but there's very little in the way of revenue generation there. So it's same issue as always, capitalism corrupts.
childofhedgehogabout 3 hours ago
Why would anyone think that a non-HIPPA compliant app would keep medical information private to the level of security needed for medical data? Flo has definitely breached user trust, but that trust seems misplaced from the get-go.
gizmo686about 3 hours ago
People are used to living in highly regulated markets. When they go to a grocery store to buy lettuce, people don't stop to ask "what regulatory regime is this lettuce being sold under?". They just trust that food being sold in a food store will meet our societal standards for food. I can go to Amazon and order a raw steak for delivery, and still trust it will meet standards.

The situation with wellness apps is that they are a product that are designed specifically to exist outside of the regulatory regime that people associate with them.

john_strinlaiabout 3 hours ago
>Why would anyone think that a non-HIPPA compliant app would keep medical information private to the level of security needed for medical data?

because lots of people dont know what HIPPA is, and (naively to us more familiar with tech) assume that a medical-related app on a curated app store would be safe for medical-related stuff.

ceejayozabout 3 hours ago
> lots of people dont know what HIPPA is

Ironically, it's HIPAA.

You're right, though; it's much more limited than people think. During COVID people claimed everything violated HIPAA (masks, vaccine requirements, testing), but it only applies in a very narrow subset of patient/provider relationships.

xbar34 minutes ago
"Because Apple and Google said my data was safe, so it must be safe in the apps. What's hippa?," said more than 50% of the population.
elAhmoabout 3 hours ago
People just wanna track stuff, they don't really look into is something HIPPA compliant or read the ToS. App store push, recommendation, word of mouth are what makes the app like this spread, not really details HIPPA compliance.
arkwinabout 2 hours ago
Now is a good time to bring up.

https://bloodyhealth.gitlab.io

A secure open source period tracking app.

2OEH8eoCRo0about 3 hours ago
It's really sad that we have all this technology but we can't trust any of it.
jumpconcabout 3 hours ago
I'll make a period tracker for you for 5 bucks a month. You won't buy it, because it costs 5 bucks a month. So I'll have to find alternative monetisation strategies.
deltoidmaximusabout 2 hours ago
Why would me giving you 5 bucks a month assure you didn't also sell all of the data from the period tracker app? That's money you'd just be leaving on the table.
nemomarxabout 2 hours ago
Doesn't flo charge ten dollars a month?

https://help.flo.health/hc/en-us/articles/4411278780564-What...

mghackerladyabout 1 hour ago
why does it have to be 5 bucks a month and not a one time purchase?
postalratabout 2 hours ago
Nobody is going to trust your $5 a month service.
Schiendelmanabout 2 hours ago
I think that kind of thinking is similar to the "both sides" stuff in politics. There's a meaningful difference in trustworthiness between different options.

For instance, if you need to track your period, the built in iOS apps are secure, especially if you're using advanced icloud encryption.

JohnFenabout 2 hours ago
The trouble is that it's literally impossible to tell what applications are trustworthy and what applications are not, or whether they'll remain trustworthy over time. So you have to treat them all as untrustworthy. It's a fair rule of thumb because the majority of them can't be trusted.
philipallstarabout 3 hours ago
> It seems like we can’t just necessarily leave it up to companies – or their ragtag teams of crackpot lawyers rewriting privacy policies every few months – to keep our private data private.

It's not a medical requirement from a doctor, so just keep a diary if you want to. Not everything needs to be an app. All the money spent on regulations and regulators to cover increasingly niche opt-in services that are entirely unnecessary is a waste.

ksenzeeabout 2 hours ago
I've never used Flo specifically, so I don't know what kind of data analysis it has available, but period data is the #1 most useful health data to have an app crunch for you, and "your period starts tomorrow" is a pretty darn useful notification to get.
JohnFenabout 2 hours ago
Most of the women I know well enough to know this about them track and predict the onset of their next period without needing an application. It isn't exactly rocket science.
newtwentysixabout 1 hour ago
Well, until some years ago we remembered dozens of phone numbers, birthdays, routes, physical addresses, due dates, etc.

The trick is to "give a tool for 1-2 generations of customers" , and then they'll be fully dependent on the tool.

embedding-shapeabout 2 hours ago
We're using Flo specifically, mostly for sharing stuff like "her period starts tomorrow" to the both of us, she doesn't really need a notification for that :)
justonceokayabout 2 hours ago
Even if it was a requirement, doctors do not generally have legal authority to compel action. Hell, the average doctor would probably agree that the average patient hardly ever does what they’re told…
johnny22about 3 hours ago
privacy legislation would just solve the problem by itself though.
Zakabout 3 hours ago
Privacy legislation by itself does not solve the problem; what Flo did was already illegal. Effective enforcement is also necessary.
kortexabout 3 hours ago
They need to make an example out of these companies. If your whole business model is built around handling sensitive data, and you are caught shipping off that data to brokers, you should be liquidated or at least fined to within an inch of bankruptcy, as basically all of your profits are a sham.
ceejayozabout 3 hours ago
They've been thumbing their noses at EU privacy legislation and fines for quite some time already.
arijunabout 3 hours ago
What does thumbing their noses mean? They have been paying while continuing their behavior, or not paying at all?

The first seems like it could be resolved with an escalating fine schedule, and the second could be mitigated by requiring Apple/Google to remove it from the app store (one of the rare cases walled gardens are on consumers' side).

ceejayozabout 2 hours ago
> privacy legislation would just solve the problem by itself though

Just like banning drugs and murder did!

krystalgamerabout 3 hours ago
"would just solve", lol.
SlinkyOnStairsabout 2 hours ago
> All the money spent on regulations and regulators to cover increasingly niche opt-in services that are entirely unnecessary is a waste.

That isn't what's happening. The regulations don't get little niche cases added to them, they're writen to be generally applicable to all niches.

> It's not a medical requirement from a doctor, so just keep a diary if you want to.

"Just don't use the computer if you don't want companies to rat you out to the fascist government that'll imprison or kill you for having a miscarriage" is a ridiculous victim-blaming position.

It's the practical reality of a fascist government that they won't enact privacy laws. And yes, women really shouldn't be using period tracking apps in the US, or made by the US. But that doesn't mean privacy laws are some "silly waste of my tax money".

It's not a "medical requirement" except for the many many many cases where it is. Similarly, this position extends to literally everything. Nothing "needs to be an app". But unless we want to pack up and discard the entire software industry, it really ought to be better about privacy like this.

sdoeringabout 3 hours ago
Why is it a waste? If you want to provide an app, one should follow the law and the regulations. It isn't the wild west (and even that had regulations).

Also: Why blame the victims, not the perp?

kakacikabout 3 hours ago
Nobody is blaming victims, please stop these wild fabulations. OP meant that you can't trust app owners especially long term, as you write its worse than wild west, literally nobody.gives.a.fuck. till they are dragged to the court, then they fight, dissolve company, still sell the data, start a new one and rinse and repeat. People are simply way more greedy than moral on average if there is any lesson in current times.

Look at say zuckenberg - a typical sociopath lying again and again through his nose with big grin just to get what he wants (ie scandals how FB employees go to DB to spy on their exes or enemies is popping up for 10 years at least and there is no stop, every time there is another assurance how it can't be done now blablabla... and thats just specific meta employees).

Nobody likes that, but just sitting and waiting for almighty regulators while blindly trusting apps in good faith to do their jobs is... not working much, is it. Be smart, adapt to real environment out there, not some wishful thinking. In parallel push for change as much as you can, vote with wallet and your time. Once sought-for paradise comes then feel free to use anything anyhow. At least that seems like smarter approach to me.

ndriscollabout 3 hours ago
> still sell the data

So add liability for the buyers of the data or any services derived from the data (e.g. targeted ads). Make it so large advertisers demand audits showing privacy laws are being followed. Also have personal criminal liability for people building and maintaining systems that collect, store, or process data for illegal purposes. Executives, PMs, engineers, the whole lot. Put them in prison if they continue.

HumblyTossedabout 2 hours ago
Forest for the trees, dude.
frankdenbowabout 3 hours ago
its crazy to me that Flo is used so widely, as its started by Russian men and their treatment of data has bee public for a while, it just hasnt spread fast enough. I know theres at least one other option called Calessa (http://Calessa.app)
sevenseacat26 minutes ago
There's a whole heap of different period tracking apps these days. I've been using Clue for probably a decade.
jeffbeeabout 2 hours ago
Does anyone happen to know if Meta and Google have ever recovered these judgements from the app developers? All of the industry terms of service specifically forbid SDK licensees from sending sensitive personal data to the platforms, and they require the licensee to indemnify the platform against any judgement that arises from violating those terms. See Meta's statement on this verdict, which seems pretty reasonable to me. This 100% looks like the fault of the app developer:

“User privacy is important to Meta, which is why we do not want health or other sensitive information and why our terms prohibit developers from sending any.” Meta maintains that any transmission of sensitive health data is due to a failure to comply with its terms of use.

ozlikethewizardabout 2 hours ago
I mean this seems like an attempt at a get out of jail free card. If meta didnt want this info, why are they accepting and processing it?
jeffbeeabout 2 hours ago
It's just a generic key-value API.
ndriscollabout 2 hours ago
That doesn't answer the question. It just restates the problem. Why aren't they doing diligence on what they're accepting from their business partners, or what types of partners they're working with? There's no reason they couldn't know the company deals with health data and place it under additional scrutiny.
aboringusernameabout 3 hours ago
I don't actually see this as a problem, and instead it's a PSA everyone needs to internalize:

If you put data onto a networked device it may be sent to some place else.

If you don't want your data being shared:

Use a device that does not have any networking capability (both hardware and software wise)

Use a pen and paper, you can shred and destroy as you see fit.

If you're using an application on a mobile device with mobile data/wifi, the chances are, your data is being uploaded.

elsjaakoabout 3 hours ago
There are four open source period tracking apps on F-droid. I didn't do a full investigation of the source code, but unless your data is being uploaded outside the app (e.g. for backups), I feel safe assuming it will stay local only.
reorder9695about 3 hours ago
It sounds like the real solution to this is to be able to control permissions at an OS level for network per app, as you would be able to do if you had root access. I have no idea why regular Android distros don't allow you to do this, it seems like a really sensible thing to expose in app settings given the permissions model of Android.
tsukikageabout 2 hours ago
Also: if you are not paying the service provider for the service, you are not their customer - you are their product.
nemomarxabout 2 hours ago
If you do pay for a subscription, how can you be sure you're still not the product? What stops them from double dipping here?
loudmaxabout 2 hours ago
If you're paying for a subscription, the company might sell your data. If you're using a commercial service for free, they are certainly selling your data.

Having said that, you're right to be suspicious of commercial services, even that you pay for. Someone can found a startup with a strong commitment to customer privacy and the best of intentions, but a few acquisitions or near bankruptcies later, those commitments will go out the window.

nozzlegearabout 2 hours ago
Flo isn't free though, you have to pay a weekly/yearly subscription to use it.
vachinaabout 2 hours ago
You can use a networked device, but make sure the data is stored somewhere you control (and own).
boesboesabout 3 hours ago
that is a really fucked up view
defrostabout 3 hours ago
Less a f-u-view, more a f-u-world, the above is pragmatic advice about the actual IRL challenges of keeping data secure.

Further, a view that ignores many real world digital data risks faced by those considered to be useful targets; eg: compromised supply chains delivering "pre hacked" hardware with discreet wifi chips or hidden out of band comms, etc.

dspillettabout 1 hour ago
Nah. A healthy view when dealing with the fucked up situation that is modern life.
Advertisement
WarcrimeActualabout 2 hours ago
I won't read this because it has the ridiculous word yapping in it. I wish people were better about not adopting the dumbest slang and spreading it so far and wide.
dspillettabout 1 hour ago
That ridiculous bit of “modern” slang… that has been in use for a few hundred years?

Not a word I use much myself except when referring to “yappy little dogs”, but it is definitely common among those the generation above me and that above them.

rocketpastsixabout 1 hour ago
seriously? a single word is going to prevent you from reading an article that is well informed and well articulated?