Clue, a German period-tracking app, said its US users’ data was protected by the GDPR. That assertion glosses over some subtleties and does not guarantee the security of this data.
“Your health data, especially the data you keep in Clue about your pregnancy, miscarriage, or abortion, is kept private and secure.” This was posted on Instagram by Clue, one of the most popular period-tracking apps, on June 24, 2022, shortly after learning that the US Supreme Court was no longer protecting the right to abortion at the federal level.
Since this terrible news, a dozen states have completely banned the right to abortion, and others could soon follow.
Clue’s statement is not trivial. In some states, such as Texas, the law encourages people to report women who allegedly had an illegal abortion, as well as “accomplices” who allegedly helped them. This law could soon lead to the banning of sites that discuss abortion, but it already threatens users of apps that collect health data, such as period trackers. The authorities could use that data against them to prove that they had an abortion.
Protecting this ultra-sensitive data is more important than ever for American women. Stardust, an American competitor to Clue, was quick to claim that it would encrypt user data to protect it, a claim that has since been questioned. And Clue, which also swore it was protecting American women’s data, might not be as secure as it claims.
Clue follows the GDPR, but it is not a sufficient guarantee
In its statement on Instagram, Clue explains that as a European company, based in Germany, it must follow the provisions of the GDPR – a text which regulates the use that companies can make of the data collected and which requires companies to put in place a number of safeguards.
It’s true: the GDPR applies to European companies, European citizens, and even nationals of non-EU countries who find themselves on the territory of the Union. However, this is not enough to guarantee the security of the data collected by Clue. There are also questions of territoriality and the nationality of the companies working with Clue.
In 2018, the United States passed the Cloud Act, a law that requires all American companies to provide the data they store on their servers, wherever those servers are installed, to American judicial authorities if they so request. This law therefore concerns a majority of tech companies. Clue is a German company, so it does not itself have to submit to the Cloud Act. But the same may not be true of Clue’s servers.
Clue does not specify who manages its servers
“Access to data therefore also depends on the company that provides the cloud services of the app,” Suzanne Vergnolle, a doctor of law specializing in the protection of personal data in Europe and the United States, explains to Numerama. If Clue uses the services of companies like AWS or Google (American companies), the fact that the servers are installed in Europe would not mean much. “If Clue says ‘We are European, we apply the GDPR’, but the app goes through AWS, even in Europe, then the users are not really protected,” adds Yosra Jarraya, a specialist in data privacy and GDPR compliance.
Questioned by Numerama, Clue confirmed to us that its servers are indeed located in Europe. However, the company did not answer our questions regarding the identity of the company hosting the servers and providing the cloud service. Without this information, it is difficult to say that Clue users’ data is well secured.
“Because our servers are located in Europe, we are obligated to protect the sensitive health data of everyone who uses Clue. We are absolutely convinced that this includes the protection of data against the United States government if they tried to obtain this data,” Clue told us in its response.
But wanting to protect the data does not mean that Clue will be able to override the obligations of the server operators, if they are American companies. “Clue could find itself in a situation where it would not want to release the data, but where it would not necessarily have the legal instruments to deny access requests by US authorities,” sums up Suzanne Vergnolle.
Clue could ultimately challenge a court decision based on the Cloud Act in US courts, but nothing says that it would win. The same would apply to the company that hosts the Clue data in Europe, if it is American. Appeals could nevertheless be attempted in higher courts.
Data is not encrypted
This is not the only downside: as Clue admits, it uses “data processors, companies that analyze data for us, such as data processors, some of which are based in the United States”. However, these would not have access to health data, “only to marketing data related to the use of the app”. “We carefully choose the companies, evaluating them on data security,” says Clue, adding that these companies have been “checked again as soon as the first concerns about the right to abortion appeared”. “Standard contractual clauses” have also been signed with the subcontractors, which “ensure an adequate level of data protection”, as Clue points out on its site.
However, as Clue acknowledges, these clauses “cannot bind the government authorities of the country that is not a member of the European Economic Area (EEA) in which our subcontractor operates. In some cases, governments may have surveillance powers that go against European data protection rules. Consequently, the legal environment of certain non-EEA countries, notably the United States, creates the risk that a subcontractor will be compelled by law to act against the obligations […] and provide personal information to local politicians”.
Added to this is some uncertainty about the legal framework governing the transfer of personal data across the Atlantic. The previous mechanisms, Safe Harbor and Privacy Shield, have both been struck down by the European courts. Another framework is promised, but its future is not guaranteed, and the Cnil has expressed its perplexity.
As the Cnil pointed out following the invalidation of the Privacy Shield, the continuation of transfers of personal data to the United States on the basis of these standard contractual clauses also depends on the additional measures that a company puts in place. “A case-by-case analysis of the circumstances surrounding the transfer should ensure that US law does not compromise the adequate level of protection” for people, warns the authority.
In short, although there are contracts in place, they do not guarantee that the data is sealed off. Even if this data is simply marketing information, the mere fact that US authorities may know that some women have downloaded Clue can be a problem. “The information we and our contractors maintain is unlikely to be investigated by any public authority in the United States,” specifies Clue, even if, “however, the risk of such disclosure cannot be eliminated,” concludes the app.
Another problem is that the data is not end-to-end encrypted. As Clue’s website explains, “your data is transmitted between your device and Clue’s servers using HTTPS for encryption” (sic). This is indeed a first level of protection, but it turns out to be insufficient: HTTPS only protects data in transit, so if the servers hand the data over to the authorities, it would be in the clear. Clue does not specify whether it performs “at rest” encryption of the data it hosts.
End-to-end encryption (on the condition that neither Clue nor the servers manage users’ private keys) would provide additional protection.
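The difference between HTTPS-only protection and end-to-end encryption described above, as an added example that is not from the article or from Clue. The `HostedStore` class stands in for any hosting provider, and every function name, the passphrase and the sample record are hypothetical and constructed for illustration.

```javascript
// Added illustration: hypothetical names, not Clue's code or API.
const nodeCrypto = require("node:crypto");

// Device side: the key is derived from a secret that never leaves the device.
function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}
function encryptOnDevice(key, record) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per record
  const c = nodeCrypto.createCipheriv("aes-256-gcm", key, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(record), "utf8"), c.final()]);
  return { iv: iv.toString("base64"), ct: ct.toString("base64"),
           tag: c.getAuthTag().toString("base64") };
}
function decryptOnDevice(key, blob) {
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
  d.setAuthTag(Buffer.from(blob.tag, "base64"));
  const pt = Buffer.concat([d.update(Buffer.from(blob.ct, "base64")), d.final()]);
  return JSON.parse(pt.toString("utf8")); // final() throws if key or data is wrong
}

// Server side: whatever is stored here is what the operator can be made to produce.
class HostedStore {
  constructor() { this.rows = new Map(); }
  put(userId, value) { this.rows.set(userId, value); }
  get(userId) { return this.rows.get(userId); }
  discloseAll() { return JSON.stringify([...this.rows]); }
}

const record = { date: "2022-06-24", note: "constructed sample entry" };

// Model 1: HTTPS only. TLS ends at the server, which stores readable records.
function httpsOnlyDisclosure() {
  const store = new HostedStore();
  store.put("user-1", record);
  return store.discloseAll();
}

// Model 2: end-to-end. Only ciphertext is uploaded; the key stays on the device.
function endToEndDisclosure() {
  const store = new HostedStore();
  const key = deriveKey("device-only passphrase", nodeCrypto.randomBytes(16));
  store.put("user-1", encryptOnDevice(key, record));
  return { disclosed: store.discloseAll(),
           roundTrip: decryptOnDevice(key, store.get("user-1")) };
}
```

In the second model the disclosure still reveals that `user-1` has an account and when data was uploaded, which matches the article's point that metadata alone can be sensitive.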
Clue does not sell data
However, it must be recognized that Clue makes a remarkable and appreciable effort to explain how user data is used and stored. In a long publication, Ida Tin, the founder of Clue, explains in detail that the app does not sell the information to which it has access.
“Our business model is not based on the sale of personal data,” Clue confirmed to us by email. “We do not share the data we collect with advertising networks, and we absolutely do not sell this data to third parties.”
However, the problem remains for Clue users in the United States. How can they ensure the security of their data? Suzanne Vergnolle recommends the use of encrypted apps, which offer some protection. This is particularly the case with the “Health” app, integrated into the iPhone, and “in which it is possible to enter data relating to menstrual cycles”. As for Yosra Jarraya, she is categorical: “I would rather go back to the notebook and pencil method.”