State AGs urge Apple to better protect reproductive health data
Editor’s note: This article has been updated with a comment from Apple.
Ten state attorneys general are urging Apple to add new protections for reproductive health data contained in third-party apps hosted on the App Store.
In a letter sent to CEO Tim Cook, attorneys general of California, Connecticut, the District of Columbia, Massachusetts, North Carolina, New Jersey, Oregon, Vermont and Washington said lax rules for safeguarding reproductive health data could harm patients or providers in the wake of the Supreme Court decision that overturned Roe v. Wade.
The group said location history, search history and adjacent health data — information related to past, present or future reproductive health of the user — could pose a risk to people looking for or providing abortions, birth control or other reproductive care.
The attorneys general argue Apple should require app developers to delete location, search and health data that isn’t required for the app to function. Apps should also provide clear notices that detail how their data is being used, retained and shared as well as only provide that data to third parties with a subpoena, search warrant or court order.
The letter notes that Apple frequently touts high standards regarding data security and privacy, and it should hold third-party apps to its own rules.
“At minimum, Apple should require apps on the App Store to meet certain threshold security requirements, such as encryption of biometric and other sensitive health data stored on applications, use of end-to-end encryption when transmitting said data and compliance with Apple’s user opt-out controls,” the attorneys general wrote. “To ensure long-term compliance, Apple should conduct periodic audits and remove or refuse to list third-party apps in violation of these standards.”
When asked for comment, Apple noted health and fitness data stored in its Health app is encrypted when the phone is locked with a passcode, Touch ID or Face ID. Apple itself also won’t be able to read health and activity data when using an updated version of watchOS or iOS with the default two-factor authentication and a passcode.
Users can share Health data with third-party apps, and Apple requires those apps to ask for permission, explain why it’s requesting access and have a policy that discusses how the data will be used. Users can also control the Health app information that can be shared, for example allowing a third-party app to read step count but not blood glucose data.
THE LARGER TREND
After the Dobbs decision came down over the summer, some security experts raised concerns data collected in reproductive health and period tracking apps could be used as evidence in states where abortion is now restricted. Others note there’s a variety of digital information that could be risky, like text messages or search history.
The letter from state attorneys general noted a recent report from the Mozilla Foundation that found a number of period tracking, pregnancy, and health and fitness apps have poor standards for data privacy. Other research has found many women’s health apps share data with third parties or don’t clearly display privacy policies.
ON THE RECORD
“Protecting reproductive privacy in the wake of the Dobbs decision is paramount. Despite promoting privacy as one of its ‘core values’ Apple simply has not done enough to ensure that private reproductive health data collected and stored by apps will not be used to track, harass or criminalize those seeking to exercise their reproductive freedoms,” New Jersey Attorney General Matthew J. Platkin said in a statement.