PETRAS Research Exposes Security, Privacy and Safety Issues in FemTech


Experts connected with PETRAS are calling for regulatory action after their research found security and privacy concerns in female-oriented technologies (FemTech) such as period-tracker mobile apps and fertility and menopause smart devices, which are being used beyond health and medical clinics. Their findings have exposed a lack of research and guidelines for developing cyber-secure, privacy-preserving and safe products.

The research revealed that privacy and security risks can range from enabling domestic and intimate partner abuse to the sale to third parties of personal data attached to contacts, camera, microphone and location.

Publishing the findings in the journal Frontiers in the Internet of Things, the authors from Royal Holloway University of London, Newcastle University, and ETH Zurich reviewed the existing regulations related to FemTech in the UK, EU, and Switzerland, and ran experiments on a range of FemTech devices, apps, and websites, to identify gaps in regulation, in the industry's compliance practices and in enforcement.

Their analysis indicated that FemTech-related regulations are inadequate in addressing the risks associated with these technologies. The EU and UK medical devices regulations don’t have any references to FemTech data and user protection. The GDPR and Swiss FADP have references to sensitive and special category data which overlap with FemTech data. However, the industry practices include many non-compliant practices in data collection and sharing.

The study also focussed on industry non-compliance. The team identified a range of inappropriate security and privacy practices in a subset of FemTech systems. The research shows that these systems do not present valid consent, do not give extra protection to sensitive data, and track users without consent. The authors show that not only is intimate data collected by FemTech systems, but it is also processed and sold to third parties.

Newcastle University’s Professor Mike Catt, who is one of the study authors, said:

“There is evidence that domestic and intimate partner abuse can be enabled by FemTech. Many of the apps surveyed access mobile and device resources too, which potentially exposes contacts, camera, microphone, location and other personal data. Some specific permissions, such as access to system Settings and other Accounts on the device, also impose security and privacy risks. Access to sensors on the mobile phone can also be used to break user privacy. Users deserve better protection, especially where this relates to sensitive personal health and gender data.”

Study author, Dr Maryam Mehrnezhad, Senior Lecturer in Information Security at Royal Holloway University of London, added:

“We have been conducting security and privacy research on this topic since 2019. Apart from our system studies, our user studies also highlight that end-users are indeed concerned about their intimate and sensitive data handled by FemTech products. We constantly share our research results with the industry and related regulatory bodies such as the Information Commissioner’s Office (ICO). We hope to see better collaborative efforts across the stakeholders to enable the citizens to use FemTech solutions to improve the quality of their lives without any risk and fear.”

FemTech is a term applied to the collection of digital technologies focused on women’s health and wellbeing. FemTech includes applications, software and wearable devices, and could range from mobile period apps and fertility-tracking wearables to IVF services on the blockchain. According to data from Statista, the FemTech market is worth almost $65 billion and is projected to grow to over $100 billion in 2030.

This work is supported by the UKRI, EPSRC, PETRAS, CyFer and AGENCY projects. These multi-disciplinary research teams are working with other stakeholders on the complex risks and harms of modern technologies such as FemTech to mitigate these risks and to design privacy-preserving, cyber-secure, and safe products which are inclusive.

References

[1] Mehrnezhad, van der Merwe, Catt, Mind the FemTech Gap: Regulation Failings and Exploitative Systems, Journal of Frontiers in IoT, 2024, earlier version at: Privacy Engineering in Practice (PEP), Symposium on Usable Privacy and Security Workshop, USA, 2023

[2] Mehrnezhad and Almeida, “‘My sex-related data is more sensitive than my financial data and I want the same level of security and privacy’: User Risk Perceptions and Protective Actions in Female-oriented Technologies”, The European Symposium on Usable Security, ACM, Denmark, 2023