“Your information is confidential. Period,” states the period tracking application Stardust on its website. However, new research from Mozilla indicates that some users may consider this assertion to be questionable.
According to Mozilla’s recent research that analyzed the privacy measures of period-tracking applications, Stardust was discovered to be sharing sensitive health information of users with the analytics firm RudderStack. This information encompassed the user’s birthdate, type of birth control, reproductive aims, and particular symptoms being experienced by the user, all linked to a unique identifier instead of the user’s name. (The FTC has previously cautioned that this does not render the data anonymous or safeguard it from being traced back to an individual.)
Mozilla’s investigation highlights the privacy and security hazards associated with period tracking and other health applications that distribute data to third parties. Frequently, this occurs as background processes within the application and remains unnoticed by the user. It is not unusual for applications to send data to other services for purposes such as storage, analysis, and payments, but sharing individuals’ information with external entities inherently introduces risks such as possible security failures, data breaches, or having the data pursued by law enforcement.
TechCrunch had previously reported on Stardust in 2022, when the app experienced a spike in downloads following the reversal of the constitutional right to seek an abortion within the United States. Stardust asserted that it utilized end-to-end encryption — signifying that even the company could not access the data of its users — but TechCrunch determined through network traffic analysis that this claim was inaccurate.
Mozilla security researcher Shoshana Wodinsky employed a similar method of analyzing network traffic for several period trackers, including Stardust, to investigate how the applications gathered and shared data (if at all) with third parties. Wodinsky discovered that Stardust was the only application among the six examined that transmitted users’ sensitive health data to another organization.
As reported by BBC News, a spokesperson from Stardust remarked that RudderStack is “legally forbidden from selling or utilizing it for its own ends.” As companies based in the U.S., both Stardust and RudderStack remain subject to requests for users’ information from law enforcement regarding health information stored on their servers.
Rachel Moranis, the founder of Stardust, did not reply to TechCrunch’s inquiry for comments on Thursday, nor to questions about whether the company had faced requests for its users’ data. A representative acknowledged the receipt of an email but did not furnish any comments.
Out of the six applications evaluated by Wodinsky, Mozilla identified Euki as “squeaky clean,” as the app was not found to be sharing any data with third parties concerning its main features, and the user’s health data remained on their device.
When you buy through links in our articles, we might earn a modest commission. This doesn’t influence our editorial autonomy.
