Data Breach In Health Apps: Don’t We Deserve Better?
Menstruation tracking apps are in the news for leaking information regarding women’s menstrual cycle and sexual activity to Facebook. You can read all about it here. But this isn’t just a headline. It’s a breach of trust. And not for the first time. Some apps use ‘terms and conditions’ to pass the buck on their side of the story or find ways to shore up numbers, and then there are those that just fix errors when caught. Consumers repeatedly find their digital privacy at risk of being breached and their information played around with. However, as women, it is even more unnerving to realise that your data regarding something as private as menstruation and sexual activity is being shared without your consent. Where does this leave us as consumers?
Menstruation and sexual well-being are perhaps the most intimate information that women share with an app, although it isn’t uncommon. A lot of women use apps to track fitness and menstrual cycles these days. Not all of us have punctual periods. In fact, when women are trying to get pregnant or struggling with hormonal irregularities which affect their period cycle, such apps come in handy, but they also contain all the info that women consider vulnerable.
However, as a customer I do not want Facebook or any brand to know about my sex life, or have details about my periods be added to a database I don’t approve of.
Data Breach or Privacy Violation?
And without my consent. In any case it’s not like apps have ever taken our consent about sharing our data outside of their own system, have they? A data breach is a violation of a customer’s digital privacy and consent. It leaves them exposed and feeling violated. It raises trust issues and rightly so. It’s like sharing a photograph of your child with a friend you trust, and them sharing it on social media without your consent.
Says Ritu Soni Srivastava, RoundGlass Obino Founder, “Today, more than ever, consumer businesses need to be sensitive to safeguarding the personally identifiable information of their consumers.” She opines that the recent controversy with the Maya app “only demonstrates how product and developer teams sometimes inadvertently fail to safeguard the personal information of consumers, and while there is definitely no malicious intent on the part of the businesses, various analytics software and login platforms do extract information in return for the conveniences they offer and that is a double-edged sword.”
“With the increasing focus on user privacy and consent highlighted by the increasingly stringent regulations as exemplified by the Health Insurance Portability and Accountability Act (HIPAA) and General Data Protection Rights (GDPR), Europe’s norms on data privacy, we are entering an era where the consumer is definitely not ok with being the product!” she adds.
Take mutual funds, for instance. It was almost two decades before a disclaimer regarding the investment being subject to market risks came into our line of sight. Before that, investors were expected to go by the word of agents and companies and put their hard-earned money in their trust, not fully understanding what they were getting into. Have we gained from the transparency? I think so. That bold line ‘mutual funds are subject to market risk’ is now etched in my head.
How Little We Care
Apart from data privacy breaches being so uncommon, just how little people care about them is yet another matter of concern. How many of us can confidently say that we carefully read the terms and conditions of every app that we download? As someone put it well, the opposite of privacy is convenience.
There is this analysis which says that if you are really supposed to read the terms and conditions before you accept, then you will spend half your life just doing that. You’ll only have the remaining half of your life to use the app. Is that even feasible?
Period Apps vs Political Breach
Another relevant aspect which no one is talking about is how little this recent leak of data of numerous women is in the spotlight. While data privacy has become a major conversation recently, this specific breach associated with the menstrual and sexual well-being of women needs to make far-reaching noise. When we spoke of elections and politics, data breach was a headline for months. Now, why don’t we have a similar approach? Is there a kind of gender politics at play here? Is the issue any less relevant to the conversation starters simply because it concerns women singularly?
Why Do We Agree?
Lastly, clicking on “I agree” is the only way you get to use the app in most cases. When you have already made up your mind to use an app, the conditions laid out in front of you don’t matter anymore. The bottom line here is that we are handing over privacy on a silver platter to apps. We do not begin to care about their stance on sharing our data with third parties until that happens in actuality. So do we even deserve to make a din over the loss of digital privacy? Should we feel exposed in the first place, when we couldn’t care enough about who was watching? This isn’t just about one health app’s violation of women’s privacy; it is also about gross neglect on our part that encourages apps to flout the rules.
- Menstruation tracking apps are leaking information regarding women’s menstrual cycle and sexual activity to Facebook.
- Consumers repeatedly find their digital privacy at risk of being breached and their information played around with.
- But as we sign away our own privacy with little care, can we solely blame app developers for this breach of trust?
- Do app developers put out their product in a hurry and then deal with the aftermath with a damage control attitude?
- Stricter policies need to be put in place to respect user privacy, which are user-centric, and not industry or government-centric.
So basically, when it comes to data breaches, part of the blame lies with us as much as with apps and websites which violate our trust. As a digital society, we must put strong and consistent pressure on app and website makers to respect user consent, not just on paper.
However, one cannot simply absolve apps and website developers of the blame here, even if customer information has been syphoned out of their database without their knowledge. If you are collecting certain information from the users, you must have a valid reason as to why you need it, and how you are going to protect it. The bigger question is, does the customer even know that the data they provide is being accumulated?
Onus On App Developer?
ElsaMarie DSilva of SafeCity says that as a developer you have to be very conscious about why you are doing what you are doing and how you are going to impact the lives of your customers. Says she, “If you truly keep their interests at the core of what you do, you will try to do the right thing. For example, you will be very conscious about who you are partnering with and the added features. You’ll deliberate on the impact it may have on your customers and the risks that are involved.”
These are principles she abides by at her organisation. “I believe in transparency so we (SafeCity) are as transparent as possible about what we are doing with the data, how are you not only acquiring it, but also what are you doing with it, and how are you making money out of it. So when you are transparent about it, even the user has the choice, whether to participate in the applications on your platform or not.”
Elsa adds, “Facebook grants I can understand, but the customer taps which is the retention platform, you are definitely mining people’s data. Have you told them that? If you haven’t told them that, then you aren’t being transparent about it.”
We spoke to Supreme Court advocate NS Nappinai to understand why data breach is a two-way street, where the consumer equally bears the onus of breach by signing away their privacy. She notes that developers are first supposed to test, then see what the problems are, then plug them, and then release the app. “But today the perspective seems to have changed where everyone seems to think that first will release and then we will worry about it. So that’s the first level of vulnerability that is present in any app.”
The second problem, Nappinai says, is that as consumers we do not really pay attention to what we are signing away. When it comes to apps which are dealing with something that is beyond just sensitive personal information, something that is about privacy of the highest order, like apps related to health issues, personal issues, likes and dislikes or, for instance, apps for the LGBT community, “our choices and actions should have the highest level of privacy. So this is not really a breach, this is a violation of privacy.”
If the app is sharing something with Facebook, and Facebook therefore knows more than it should, then how much did the consumer really know about what was going to happen? “Any triangulation or any cross referencing or linking of multiple data sets will always expose more about you than you believe you are exposing. Not one of us ought to think what are we submitting or what are we surrendering to an app.”
So the whole concept of the Data Protection Act, that was supposed to come out for India as well, is all about technology creating these exposures, which otherwise wouldn’t have happened, were it not for technology. The new norm is to share. To go out there and experiment, to use new technology. “Thus the norm also has to be of higher standards of security, higher standards of privacy, and most importantly, higher standards of enforcement,” says Nappinai.
Those Long Terms And Conditions
In 2017, a Deloitte survey of 2,000 consumers in the U.S. found that 91 percent of people consent to legal terms and services conditions without reading them. The number is even worse for the age group of 18 to 34, which stands at a staggering 97 percent. Why does this blind clicking of “I agree” matter? Because it puts out in all capitals that we don’t care much, or that we trust easily, assuming that privacy is an obligation for every app since we chose this specific one from many others in its category.
“So the issues, when I say stronger laws or better enforcement, I am not talking about a half an hour read, I am not talking about convoluted agreements where we are anyways signing off what we would not want to sign off. I am talking about social media or technology developers or the people hosting them, being a lot more responsible,” Nappinai says.
Today it is all a blame game. We are down to question who the onus lies on. Many will say if consumers agreed to the terms it’s their problem. But how easy did developers or platforms make it for users?
“So we as individuals shouldn’t get caught up in larger and loftier discussions. For us, it is very simple. What do we want and what are we willing to trade off for that? You see, we have traded off our private space at airports and malls etc, where we allow somebody to frisk us in the name of security and that is a trade-off again. Similarly, even in the usage of technology, you must know where you are willing to bend the boundaries. And that decision should be yours, it should not be someone else’s. You shouldn’t be misled into accepting it,” adds Nappinai.
Indeed, the decision on sharing of private data and the boundaries a user is willing to bend need to lie with the users. The data leaks are thus a timely reminder of why we urgently need regulations which keep apps and websites in check. There is a need for a much more extensive debate on this subject than what is underway currently. The future of our digital privacy and the respect given to our digital consent depend on how seriously we as consumers take these data privacy breaches.
Yamini Pustake Bhalerao is a writer with the SheThePeople team, in the Opinions section. The views expressed are the author’s own.