Image: Geoff Livingston

On Friday, the House Oversight Committee announced it is investigating the privacy of reproductive health data, and has specifically sent letters demanding more information from data brokers and companies that manage period tracking apps.

The investigation comes directly in response to Motherboard’s recent findings that multiple location data firms were offering information related to visitors of Planned Parenthood abortion clinics. In one of those cases, Motherboard was able to buy a week's worth of data for $160 from a company called SafeGraph. The company stopped the sale of this data after Motherboard’s report.

“The collection of sensitive data could pose serious threats to those seeking reproductive care as well as to providers of such care, not only by facilitating intrusive government surveillance, but also by putting people at risk of harassment, intimidation, and even violence,” members of the Committee on Oversight and Reform wrote in its letters. “Geographic data collected by mobile phones may be used to locate people seeking care at clinics, and search and chat history referring to clinics or medication create digital bread crumbs revealing interest in an abortion.”

Do you have documents about the location data industry? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email [email protected].

The committee sent letters to five data brokers and give app companies. Beyond SafeGraph the brokers include Placer.ai, which Motherboard previously reported provided heat maps of where abortion clinic visitors approximately lived; Gravy Analytics which provides the location data that powers Venntel, a surveillance product sold to government agencies including Immigration and Customs Enforcement; Babel Street which sells a similar product to government agenices, and which Motherboard reported includes state prisons; and Digital Envoy, a company that acquired a location broker called X-Mode (X-Mode changed its name to Outlogic following Motherboard’s revelations that it gathered location data from, among other sources, a Muslim prayer app and had customers that included U.S. defense contractors).

The committee asked these companies for their policies on geofencing, how they anonymize data, the number of people it collects or purchases data from; a list of all apps that provide such data; a list of the companies partners that have provided location data; their profits related to the sale of location data since 2017; a list of all purchasers of information related to family planning or abortion clinics; and all documents and communications related to the collection or selling of location data concerning abortion clinics.

The five app companies the committee sent letters to are Flo Health, Inc., which makes the hugely popular “Flo Ovulation & Period Tracker” app; Glow, Inc., which makes the “Glow Period, Fertility Tracker” app; BioWink GmbH, which is behind the app Clue; GP International LLC which makes an app called “Period Tracker by GP Apps”; and Digitalalchemy Ventures, Inc.

A screenshot of one of the letters to a location data broker. Image: Motherboard.

The committee asked these app companies for documents and communications about their collection and retention of sexual health information; communications with state or local governments concerning this collection; policies around user data privacy; a list of all entities that have access to user data; and the companies profits from selling user data since 2017.

In its release, the committee pointed to a study that found that 87 percent of the 23 most popular women’s health apps shared user data with third parties, but only around 50 percent of those sought user consent. Rep. Carolyn B. Maloney, Chairwoman of the Committee on Oversight and Reform, Rep. Raja Krishnamoorthi, Chairman of the Subcommittee on Economic and Consumer Policy, and Rep. Sara Jacobs signed the letters. 

Motherboard recently asked 10 popular period tracking apps how they handle users' data, and how they plan to protect their privacy post-Roe. Three of these apps received letters from the committee. At the time Glow didn't respond to specific questions from Motherboard, but sent a short statement about how it will "always do our very best to get things right and serve our users well." Clue, which is owned by Biowink, said that “no data point can be traced back to any individual person.” Period Tracker's parent company GP International said it would rather shut the whole company down than "be accomplice to this type of government overreach and privacy violation.”

Motherboard previously reported on a data marketplace called Narrative that was selling information about what devices had the app Clue installed. Earlier this month Google said it was closing the loophole that allowed this sort of data collection with a deadline of July 12. Google previously planned to close it last March.

Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.