<i>36C3 preroll music</i>

Herald: It is my honor to introduce you
today to Eva and Chris. Eva, she is a

senior researcher at Privacy
International. She works on gender,

economical and social rights and how they
interplay with the right to privacy,

especially in marginalized communities.
Chris, she is the privacy lead at

technology lead at Privacy International.
And his day-to-day job is to expose

company and how they profit from
individuals and specifically today they

will tell us how these companies can even
profit from your menstruations. Thank you.

Chris: Thank you.

<i>applause</i>

C: Hi, everyone. It's nice to be back at
CCC. I was at CCC last year. If you heard

my talk from last year, this is going to
be like a slightly vague part 2. And if

you're not, I'm just gonna give you a very
brief recap because there is a

relationship between the two. So, I will
give you a little bit of background about

how this project started. Then we get to a
little bit about menstruation apps and

what a menstruation app actually is. Let
me talk a little bit through some of the

data that these these apps are collecting
and talk how we did our research, our

research methodology and then what our
findings are and our conclusions. So last

year, I and a colleague did a project
around how Facebook collects data about

users on Android devices using the Android
Facebook SDK. And this is whether you have

a Facebook account or not. And for that
project, we really looked when you first

opened apps and didn't really have to do
very much interaction with them

particularily, about the automatic sending
of data in a post GDPR context. And so we

looked a load of apps for that project,
including a couple of period trackers. And

that kind of led onto this project because
we were seeing loads of apps, across

different areas of categories. So we
thought we'd like hone in a little bit on

period trackers to see what kind of data,
because they're by far more sensitive than

many of the other apps on there, like you
might consider your music history to be

very sensitive.... <i>laughs</i> So. Yeah. So,
just a quick update on the previous work

from last year. We actually followed up
with all of the companies from that, from

that report. And by the end of like going
through multiple rounds of response, over

60 percent of them a changed practices
either by disabling the Facebook SDK in

their app or by disabling it until you
gave consent or removing it entirely. So I

pass over to Eva Blum-Dumontet. She's
going to talk you through menstruation

apps.
Eva: So I just want to make sure that

we're all on the same page. Although if
you didn't know what a menstruation app is

and you still bothered coming to this
talk, I'm extremely grateful. So how many

of you are are using a menstruation app or
have a partner, who's been using a

menstruation app? Oh my God. Oh, okay. I
didn't expect that. I thought it was going

to be much less. Okay. Well, for the few
of you who still might not know what a

menstruation app is, I'm still going to go
quickly through what a menstruation app

is. It's the idea of a menstruation app.
We also call them period tracker. It's to

have an app that tracks your menstruation
cycle. So that they tell you what days

you're most fertile. And you can
obviously, if you're using them to try and

get pregnant or if you have, for example,
a painful period, you can sort of plan

accordingly. So that's essentially the
main 2 reasons users would be would be

looking into using menstruation apps:
pregnancy, period tracking. Now, how did

this research starts? As Chris said,
obviously there was whole research that

had been done by Privacy International
last year on various apps. And as Chris

also already said what I was particularly
interested in was the kind of data that

menstruation apps are collecting, because
as we'll explain in this talk, it's really

actually not just limited to menstruation
cycle. And so I was interested in seeing

what actually happens to the data when it
is being shared. So I should say we're

really standing on the shoulders of giants
when it comes to this research. There was

previously existing research on
menstruation apps that was done by a

partner organization, Coding Rights in
Brazil. So they had done research on the

kind of data that was collected by
menstruation apps and the granularity of

this data. Yet, a very interesting thing
that we're looking at was the gender

normativity of those apps. Chris and I
have been looking at, you know, dozens of

these apps and, you know, they have
various data showing practices, as we'll

explain in the stock. But they have one
thing that all of them have in common is

that they are all pink. The other thing is
that they talk to their users as woman.

They, you know, don't want sort of even
compute the fact that maybe not all their

users are woman. So there is a very sort
of like narrow perspective of pregnancy

and females' bodies and how does female
sexuality function. Now, as I was saying,

when you're using a menstruation app, it's
not just your menstruation cycle that

you're entering. So this is some of the
questions that menstruation apps ask: So

sex; There is a lot about sex that they
want to know? How often, is it protected

or unprotected? Are you smoking? Are you
drinking? Are you partying? How often? We

even had one app that was asking about
masturbation, your sleeping pattern, your

coffee drinking habits. One thing that's
really interesting is that - and we'll

talk a little bit more again about this
later - but there's very strong data

protection laws in Europe called GDPR as
most of you will know. And it says that

only data that's strictly necessary should
be collected. So I'm still unclear what

masturbation has to do with tracking your
menstruation cycle, but... Other thing

that was collected is about your health
and the reason health is so important is

also related to data protection laws
because when you're collecting health

data, you need to show that you're taking
an extra step to collect this data because

it's considered sensitive personal data.
So extra steps in terms of getting

explicit consent from the users but also
through steps on behalf of the data

controller, in terms of showing that
they're making extra steps for the

security of this data. So this is the type
of question that was asked. There is so

much asked about vaginal discharge and
what kind of vaginal discharge you get

with all sorts of weird adjectives for
this: "Tiki, creamy". So yeah, they

clearly thought a lot about this. And it
is a lot about mood as well. Even, yeah, I

didn't know 'romantic' was a mood but
apparently it is. And what's interesting

obviously about mood in the context where,
you know, we've seen stories like

Cambridge Analytica, for example. So we
know how much companies, we know how much

political parties are trying to understand
how we think, how we feel. So that's

actually quite significant that you have
an app that's collecting information about

how we feel on a daily basis. And
obviously, like when people enter all

these data, their expectation at that
point is that the data stays between

between them and the app. And actually,
there is very little in the privacy policy

that could that would normally suggest
that it was. So this is the moment where I

actually should say we're not making this
up; like literally everything in this list

of questions were things, literal terms,
that they were asking. So we set out to

look at the most popular menstruation
apps. Do you want to carry on?

Chris: Yeah. I forgot to introduce myself
as well. Really? That's a terrible

speaking habit.
Eva: Christopher Weatherhead..

Chris: .. Privacy International's
technology lead. So yeah.. What I said

about our previous research, we have
actually looked at most of the very

popular menstruation apps, the ones that
have hundreds of thousands of downloads.

And these apps - like as we're saying that
this kind of work has been done before. A

lot of these apps that come into quite a
lot of criticism, I'd spare you the free

advertising about which ones particularly
but most of them don't do anything

particularly outrageous, at least between
the app and the developers' servers. A lot

of them don't share with third parties at
that stage. So you can't look between the

app and the server to see what they're
sharing. They might be sharing data from

the developers' server to Facebook or to
other places but at least you can't see

in-between. But we're an international
organization and we work around the globe.

And most of the apps that get the most
downloads are particularly Western, U.S.,

European but they're not the most popular
apps necessarily in a context like India

and the Philippines and Latin America. So
we thought we'd have a look and see those

Apps. They're all available in Europe but
they're not necessarily the most popular

in Europe. And this is where things
started getting interesting. So what

exactly did we do? Well, we started off by
triaging through a large number of period

trackers. And as Eva said earlier: every
logo must be pink. And we were just kind

of looking through to see how many
trackers - this is using extras (?)

privacy. We have our own instance in PI
and we just looked through to see how many

trackers and who the trackers were. So,
for example, this is Maya, which is

exceptionally popular in India,
predominantly - it's made by an Indian

company. And as you can see, it's got a
large number of trackers in it: a

CleverTap, Facebook, Flurry, Google and
Inmobi? So we went through this process and

this allowed us to cut down... There's
hundreds of period trackers. Not all of

them are necessarily bad but it's nice to
try to see which ones had the most

trackers, where they were used and try and
just triage them a little bit. From this,

we then run through PI's interception
environment, which is a VM that I've made.

I actually made it last year for the talk
I gave last year. And I said I'd release

it after the talk and took me like three
months to release it but it's now

available. You can go onto PI's website
and download it. It's a man in the middle

proxy with a few settings - mainly for
looking at iOS and Android apps to do data

interception between them. And so we run
through that and we got to have a look at

all the data that's being sent to and from
both the app developer and third parties.

And here's what we found.
Eva: So out of the six apps we looked out,

five shared data with Facebook. Out of
those five, three pinged Facebook to let

them know when their users were
downloading the app and opening the app.

And that's already quite significant
information and we'll get to that later.

Now, what's actually interesting and the
focus of a report was on the two apps that

shared every single piece of information
that their users entered with Facebook and

other third parties. So just to brief you:
the two apps we focused on are both called

Maya. So that's all very helpful. One is
spelled Maya: M-a-y-a. The other ones

spellt Mia M-I-A. So, yeah, just bear with
me because this is actually quite

confusing. But so initially we'll focus on
Maya, which is - as Chris mentioned - an

app that's based in India. There have a
user base of several millions. Their are

based in India. Userbase, mostly in India,
also quite popular in the Philippines. So

what's interesting with Maya is that they
start sharing data with Facebook before

you even get you agree to their privacy
policy. So I should say already about the

privacy policy of a lot of those apps that
we looked at is that they are literally

the definition of small prints. It's very
hard to read. It's legalese language. It

really puts into perspective the whole
question of consent in GDPR because GDPR

says like the consents must be informed.
So you must be able to understand what

you're consenting to. When you're reading
this extremely long, extremely opaque

privacy policies of a lot - literally all
the menstruation apps we've looked at,

excluding one that didn't even bother
putting their privacy policy, actually.

It's opaque. It's very hard to understand
and - absolutely, definitely, do not say

that they're sharing information with
Facebook. As I said, data sharing happened

before you get to agree to their privacy
policy. The other thing that's also worth

remembering is that when to share
information with Facebook - doesn't matter

if you have a Facebook account or not, the
information still being relayed. The other

interesting thing that you'll notice as
well in several of the slides is that the

information that's being shared is tied to
your identity through your unique ID

identifiers, also your email address. But
basically most of the questions we got

when we released the research was like:
oh, if I use a fake email address or if I

use a fake name, is that OK? Well, it's
not because even if you have a Facebook

account through your unique identifier,
they would definitely be able to trace you

backs. There is no way to actually
anonymize this process unless - well at

the end, unless you deliberately trying to
trick it and use a separate phone

basically for regular users. It's quite
difficult. So this is what it looks like

when you enter the data. So as I said, I
didn't lie to you. This is the kind of

questions they're asking you. And this is
what it looks like when it's being shared

with Facebook. So you see the symptomes
changing, for example, like blood

pressure, swelling, acne, that's all being
shipped through craft out Facebook,

through the Facebook SDK. This is what it
looks like when they show you

contraceptive practice, so again, like
we're talking health data. Here we're

talking sensitive data. We're talking
about data that shouldn't normally require

extra steps in terms of collecting it, in
terms of how it's being processed. But

nope, in this case it was shared exactly
like the rest. This's what it looks like.

Well, so, yeah with sex life it was a
little bit different. So that's what it

looks like when they're asking you about,
you know, you just had sex, was it

protected? Was it unprotected? The way it
was shared with Facebook was a little bit

cryptic, so to speak. So if you have
protected sex, it was entered as love "2",

unprotected sex was entered as Love "3". I
managed to figure that out pretty quickly.

So it's not so cryptic. That's also quite
funny. So Maya had a diary section where

they encourage people to enter like their
notes and your personal faults. And I

mean, it's a menstruation app so you can
sort of get the idea of what people are

going to be writing down in there or
expected to write on. It's not going to be

their shopping list, although shopping
lists could also be personal, sensitive,

personal information, but.. So we were
wondering what would happen if you were to

write in this in this diary and how this
data would be processed. So we entered

literally we entered something very
sensitive, entered here. This is what we

wrote. And literally everything we wrote
was shared with Facebook. Maya also shared

your health data, not just with Facebook,
but with a company called CleverTap that's

based in California. So what's CleverTap?
CleverTap is a data broker, basically.

It's a company that - sort of similar to
Facebook with the Facebook SDK. They

expect of developers to hand over the data
and in exchange app developers get

insights about like how people use the
app, what time of day. You know, the age

of their users. They get all sorts of
information and analytics out of the data

they share with this company. It took us
some time to figure it out because it

shared as wicked wizard?
Chris: Wicket Rocket.

Eva: Wicket Rocket, yeah. But that's
exactly the same. Everything that was

shared with Facebook was also shared with
CleverTap again, with the email address

that we were using - everything. Let's
shift. Now, let's look at the other Mia.

It's not just the name that's similar,
it's also the data showing practices. Mia

is based in Cypress, so in European Union.
I should say, in all cases, regardless of

where the company is based, the moment
that they market the product in European

Union, so like literally every app we
looked at, they need to - well they should

respect GDPR. Our European data protection
law. Now, the first thing that Mia asked

when you started the app and again - I'll
get to that later about the significance

of this - is why you're using the app or
you using it to try and get pregnant or

are you just using it to try to track your
periods? Now, it's interesting because it

doesn't change at all the way you interact
with the app eventually. The apps stays

exactly the same. But this is actually the
most important kind of data. This is

literally called the germ of data
collection. It's trying to know when a

woman is trying to get pregnant or not. So
the reason this is the first question they

ask is, well my guess on this is - they
want to make sure that like even if you

don't actually use the app that's at least
that much information they can collect

about you. And so this information was
shared immediately with Facebook and with

AppsFlyer. AppsFlyer is very similar to
CleverTap in the way it works. It's also a

company that collects data from these apps
and that as services in terms of analytics

and insights into user behavior. It's
based in Israel. So this is what it looks

like when you enter the information. Yeah,
masturbation, pill. What kind of pill

you're taking, your lifestyle habits. Now
where it's slightly different is that the

information doesn't immediately get shared
with Facebook but based on the information

you enter, you get articles that are
tailored for you. So, for example, like

when you select masturbation, you will
get, you know, masturbation: what you want

to know but are ashamed to ask. Now,
what's eventually shared with Facebook is

actually the kind of article that's being
offered to you. So basically, yes, the

information is shared indirectly because
then you know you have Facebook and...

You've just entered masturbation because
you're getting an article about

masturbation. So this is what happened
when you enter alcohol. So expected

effects of alcohol on a woman's body.
That's what happened when you enter

"unprotected sex". So effectively, all the
information is still shared just

indirectly through the articles you're
getting. Yeah. Last thing also, I should

say on this, in terms of the articles that
you're getting, is that sometimes there

was sort of also kind of like crossing the
data.. was like.. so the articles will be

about like: oh, you have cramps outside of
your periods, for example, like during

your fertile phase. And so you will get
the article specifically for this and the

information that's shared with Facebook
and with AppsFlyer is that this person is

in their fertile period in this phase of
their cycles and having cramps. Now, why

are menstruation apps so obsessed with
finding out if you're trying to get

pregnant? And so, this goes back to a lot
of the things I mentioned before that, you

know, about wanting to know in the very
first place if you're trying to get

pregnant or not. And also, this is
probably why a lot of those apps are

trying to really nail down in their
language and discourse how you're using

the apps for. When a person is pregnant,
they're purchasing habit, their consumer

habits change. Obviously, you know, you
buy not only for yourself but you start

buying for others as well. But also you're
buying new things you've never purchased

before. So what a regular person will be
quite difficult to change her purchasing

habit was a person that's pregnant.
They'll be advertisers will be really keen

to target them because this is a point of
their life where their habits change and

where they can be more easily influenced
one way or another. So in other words,

it's pink advertising time. In other more
words and pictures, there's research done

in 2014 in the US that was trying to sort
of evaluate the value of data for a

person. So an average American person
that's not pregnant was 10 cents. A person

who's pregnant would be one dollar fifty.
So you may have noticed we using the past

tense when we talked about - well I hope I
did when I was speaking definitely into

the lights at least - we used the past
tense when we talk about data sharing of

these apps. That's because both Maya and
MIA, which were the two apps we were

really targeting with this report, stop
using the Facebook SDK when we wrote to

them about our research
before we published it.

<i>applause</i>
So it was quite nice because he didn't

even like rely on actually us publishing
the report. It was merely at a stage of

like, hey, this is all right of response.
We're gonna be publishing this. Do you

have anything to say about this? And
essentially what they had to say is like:

"Yep, sorry, apologies. We are stopping
this." I think, you know.. What's really

interesting as well to me about like the
how quick the response was is.. it really

shows how this is not a vital service for
them. This is a plus. This is something

that's a useful tool. But the fact that
they immediately could just stop using it,

I think really shows that, you know, it
was.. I wouldn't see a lazy practice, but

it's a case of light. As long as no one's
complaining, then you are going to carry

on using it. And I think that was also the
discourse with your research. There was

also a lot that changed
their behaviors after.

Chris: A lot of the developers sometimes
don't even realize necessarily what data

they're up to sharing with people like
Facebook, with people like CleverTap. They

just integrate the SDK and
hope for the best.

Eva: We also got this interesting response
from AppsFlyer is that it's very

hypocritical. Essentially, what they're
saying is like oh, like we specifically

ask our customers or oh, yeah, do not
share health data with us specifically for

the reason I mentioned earlier, which is
what? Because of GDPR, you're normally

expected to take extra step when you
process sensitive health data. So their

response is that they as their customer to
not share health data or sensitive

personal data so they don't become liable
in terms of the law. So they were like,

oh, we're sorry, like this is a breach of
contract. Now, the reason is very

hypocritical is that obviously when you
have contracts with menstruation apps and

actually Maya was not the only
menstruation apps that we're working with.

I mean, you know, what can you generally
expect in terms of the kind of data you're

gonna receive? So here's a conclusion for
us that research works. It's fun, it's

easy to do. You know, Chris has not
published the environment. It doesn't

actually - once the environment is sort of
set up it doesn't actually require

technical background, as you saw from the
slides it's pretty straightforward to

actually understand how the data is being
shared. So you should do it, too. But more

broadly, we think it's really important to
do more research, not just at this stage

of the process, but generally about the
security and the data and the data showing

practices of apps, because, you know, it's
hard law and more and more people are

using or interacting with technology and
using the Internet. So we need to do think

much more carefully about the security
implication of the apps we use and

obviously it works. Thank you.

<i>applause</i>

Herald: Thank you. So, yeah, please line
up in front of the microphones. We can

start with microphone two.
Mic 2: Hi. Thank you. So you mentioned

that now we can check whether our data is
being shared with third parties on the

path between the user and the developer.
But we cannot know for all the other apps

and for these, what if it's not being
shared later from the developer, from the

company to other companies. Have you
conceptualize some ways of testing that?

Is it possible?
Chris: Yes. So you could do it, data

separate access request and the GDPR that
would... like the problem is it's quite

hard to necessarily know. How the process
- how the system outside of the app to

serve relationship is quite hard to know
the processes of that data and so it is

quite opaque. They might apply a different
identifier too, they might do other

manipulations to that data so trying to
track down and prove this bit of data

belong to you. It's quite challenging.
Eva: This is something we're going to try.

We're going to be doing in 2020, actually.
We're going to be doing data subject

access request of those apps that we've
been looking up to see if we find anything

both under GDPR but also under different
data protection laws in different

countries. To see basically what we get,
how much we can obtain from that.

Herald: So I'd go with the signal angle.
Signal: So what advice can you give us on

how we can make people understand that
from a privacy perspective, it's better to

use pen and paper instead of entering
sensitive data into any of these apps?

Eva: I definitely wouldn't advise that. I
wouldn't advise pen and paper. I think for

us like really the key... The work we are
doing is not actually targeting users.

It's targeting companies. We think it's
companies that really need to do better.

We're often ask about, you know, advice to
customers or advice to users and

consumers. But what I think and what we've
been telling companies as well is that,

you know, their users trust you and they
have the right to trust you. They also

have the right to expect that you're
respecting the law. The European Union has

a very ambitious legislation when it comes
to privacy with GDPR. And so the least

they can expect is that you're respecting
the law. And so, no, I would ... and this

is the thing, I think people have the
right to use those apps, they have the

right to say, well, this is a useful
service for me. It's really companies that

need you. They need to up their game. They
need to live up to the expectations of

their consumers. Not the other way around.
Herald: Microphone 1.

Mic 1: Hi. So from the talk, it seems and
I think that's what you get, you mostly

focused on Android based apps. Can you
maybe comment on what the situation is

with iOS? Is there any technical
difficulty or is it anything completely

different with respect to these apps and
apps in general?

Chris: There's not really a technical
difficulty like the setup a little bit

different, but functionally you can look
at the same kind of data. The focus here,

though, is also.. So it's two-fold in some
respects. Most of the places that these

apps are used are heavily dominated
Android territories, places like India,

the Philippines. iOS penetration there,
uh, Apple device penetration there is very

low. There's no technical reason not to
look at Apple devices. But like in this

particular context, it's not necessarily
hugely relevant. So does that answer your

question?
Mic 1: And technically with youre set-up,

you could also do the same
analysis with an iOS device?

Chris: Yeah. As I said it's a little bit
of a change to how you... You have to

register the device as an MDM dev.. like a
mobile profile device. Otherwise you can

do the exact same level of interception.
Mic: Uh, hi. My question is actually

related to the last question
is a little bit technical.

Chris: Sure.
Mic: I'm also doing some research on apps

and I've noticed with the newest versions
of Android that they're making more

difficult to install custom certificates
to have this pass- through and check what

the apps are actually communicating to
their home servers. Have you find a way to

make this easier?
Chris: Yes. So we actually hit the same

issue as you in some respects. So the
installing of custom certificates was not

really an obstacle because you can add to
the user if it's a rich device, you can

add them to the system store and they are
trusted by all the apps on the device. The

problem we're now hitting is the Android 9
and 10 have TLS 1.3 and TLS 1.3

to text as a man in the middle or at
least it tries to might terminate the

connection. Uh, this is a bit of a
problem. So currently all our research is

still running on Android 8.1 devices. This
isn't going to be sustainable long term.

Herald: Um, 4.
Mic 4: Hey, thank you for the great talk.

Your research is obviously targeted in a
constructive, critical way towards

companies that are making apps surrounding
menstrual research. Did you learn anything

from this context that you would want to
pass on to people who research this area

more generally? I'm thinking, for example,
of Paramount Corp in the US, who've done

micro dosing research on LSD and are
starting a breakout study on menstrual

issues.
Eva: Well, I think this is why I was

concluded on it. I think there is a
there's still a lot of research that needs

to be done in terms of the sharing. And
obviously, I think anything that touches

on people's health is a key priority
because it's something people relate very

strongly to. The consequences, especially
in the US, for example, of sharing health

data like this, of having - you know -
data, even like your blood pressure and so

on. Like what are the consequences if
those informations are gonna be shared,

for example, with like insurance companies
and so on. This is what I think is

absolutely essential to have a better
understanding of the data collection and

sharing practices of the services. The
moments when you have health data that's

being involved.
Chris: .. yeah because we often focus

about this being an advertising issue. But
in that sense as well, insurance and even

credit referencing of all sorts of other
things become problematic, especially when

it comes to pregnancy related.
Eva: Yeah, even employers could be after

this kind of information.
Herald: Six.

Mic 6: Hi. I'm wondering if there is an
easy way or a tool which we can use to

detect if apps are using our data or are
reporting them to Facebook or whatever. Or

if we can even use those apps but block
this data from being reported to Facebook.

Chris: Yes. So, you can file all of faith
graft on Facebook.com and stop sending

data to that. There's a few issues here.
Firstly, it doesn't really like.. This

audience can do this. Most users don't
have the technical nuance to know what

needs to be blocked, what doesn't
necessarily need to be blocked. It's on

the companies to be careful with users
data. It's not up to the users to try and

defend against.. It shouldn't be on the
use to defend against malicious data

sharing or...
Eva: You know... also one interesting

thing is that if Facebook had put this in
place of light where you could opt out

from data sharing with the apps you're
using, but that only works if you're a

Facebook user. And as I said, like this
data has been collected whether you are a

user or not. So in a sense, for people who
aren't Facebook users, they couldn't opt

out of this.
Chris: The Facebook SDK the developers are

integrating the default state for sharing
of data is on, the flag is true. And

although they have a long legal text on
the help pages for the developer tools,

it's like unless you have a decent
understanding of local data protection

practice or local protection law. It's
like it's not it's not something that most

developers are gonna be able to understand
why this flag should be something

different from on. You know there's loads
of flags in the SDK, which flags should be

on and off, depending on which
jurisdiction you're selling to, or users

going to be in.
Herald: Signal Angel, again.

Singal: Do you know any good apps which
don't share data and are privacy friendly?

Probably even one that is open source.
Eva: So, I mean, as in the problem which

is why I wouldn't want to vouch for any
app is that even in the apps that, you

know, where in terms of like the traffic
analysis we've done, we didn't see any any

data sharing. As Chris was explaining, the
data can be shared at a later stage and

it'd be impossible for us to really find
out. So.. no, I can't be vouching for any

app. I don't know if you can...
Chris: The problem is we can't ever look

like one specific moment in time to see
whether data is being shared, unlike what

was good today might bad tomorrow. What
was bad yesterday might be good today.

Although, I was in Argentina recently
speaking to a group of feminist activists,

and they have been developing a
menstruation tracking app. And the app was

removed from the Google Play store because
it had illustrations that were deemed

pornographic. But they were illustrations
around medical related stuff. So even

people, who were trying to do the right
thing, going through the open source

channels are still fighting a completely
different issue when it comes to

menstruation tracking.
It's a very fine line.

Herald: Um, three.
<i>inaudible</i>

Eva: Sorry, can't hear -the Mic's not
working.

Herald: Microphone three.
Mic 3: Test.

Eva: Yeah, it's great - perfect.
Mic 3: I was wondering if the graph API

endpoint was actually in place to trick
menstruation data or is it more like a

general purpose advertisement
tracking thing or. Yeah.

Chris: So my understanding is that there's
two broad kinds of data that Facebook gets

as automated app events that Facebook were
aware of. So app open, app close, app

install, relinking. Relinking is quite an
important one for Facebook. That way they

check to see whether you already have a
Facebook account logged in to log the app

to your Facebook account when standing.
There's also a load of custom events that

the app developers can put in. There is
then collated back to a data set - I would

imagine on the other side. So when it
comes to things like whether it's nausea

or some of the other health issues, it is
actually being cross-referenced by the

developer. Does that answer your question?
Mic 3: Yes, thank you.

Herald: Five, microphone five.
Mic 5: Can you repeat what you said in the

beginning about the menstruation apps used
in Europe, especially Clue and the Period

Tracker? Yeah. So those are the most
popular apps actually across the world,

not just in Europe and the US. A lot of
them in terms of like the traffic analysis

stage, a lot of them have not clean up
their app. So we can't see any any data

sharing happening at that stage. But as I
said, I can't be vouching for them and

saying, oh, yeah, those are safe and fine
to use because we don't know what's

actually happening to the data once it's
been collected by the app. All we can say

is that as far as the research we've done
goes, we didn't see any data being shed

Chris: Those apps you mentioned have been
investigated by The Wall Street Journal

and The New York Times relatively
recently. So they've been.. had quite like

a spotlight on them. So they've had to
really up their game and a lot of ways

which we would like everyone to do. But as
Eva says, we don't know what else they

might be doing with that data on their
side, not necessarily between the phone

and the server but from their server to
another server.

Herald: Microphone one.
Mic 1: Hi. Thank you for the insightful

talk. I have a question that goes in a
similar direction. Do you know whether or

not these apps, even if they adhere to
GDPR rules collect the data to then at a

later point at least sell it to the
highest bidder? Because a lot of them are

free to use. And I wonder what is their
main goal besides that?

Eva: I mean, the advertisement his how
they make profit. And so, I mean, the

whole question about them trying to know
if you're pregnant or not is that this

information can eventually be - you know -
be monetized through, you know, through

how they target the advertisement at you.
Actually when you're using those apps, you

can see in some of the slides, like you're
constantly like being flushed with like

all sorts of advertisement on the app, you
know, whether they are selling it

externally or not - I can't tell. But what
I can tell is, yeah, your business model

is advertisement and so they are deriving
profit from the data they collect.

Absolutely.
Herald: Again, on microphone one.

Mic 1: Thank you. I was wondering if there
was more of a big data kind of aspect to

it as well, because these are really
interesting medical information on women’s

cycles in general.
Eva: Yeah, and the answer is, like, I call

it—this is a bit of a black box and
especially in the way, for example, that

Facebook is using this data like we don't
know. We can assume that this is like part

of the … we could assume this is part of
the profiling that Facebook does of both

their users and their non-users. But the
way the way this data is actually

processed also by those apps through data
brokers and so on, it’s a bit of a black

box.
Herald: Microphone 1.

Mic 1: Yeah. Thank you a lot for your talk
and I have two completely different

questions. The first one is: you've been
focusing a lot on advertising and how this

data is used to sell to advertisers. But I
mean, like you aim to be pregnant or not.

It's like it has to be the best kept
secret, at least in Switzerland for any

female person, because like if you also
want to get employed, your employer must

not know whether or not you want to get
pregnant. And so I would like to ask,

like, how likely is it that this kind of
data is also potentially sold to employers

who may want to poke into your health and
reproductive situation? And then my other

question is entirely different, because we
also know that female health is one of the

least researched topics around, and that's
actually a huge problem. Like so little is

actually known about female health and the
kind of data that these apps collect is

actually a gold mine to advance research
on health issues that are specific for

certain bodies like female bodies. And so
I would also like to know like how would

it be possible to still gather this kind
of data and still to collect it, but use

it for like a beneficial purpose, like it
to improve knowledge on these issues?

Eva: Sure. So to answer your first
question, the answer will be similar to

the previous answer I gave, which is, you
know, it's black box problem. It's like

it's very difficult to know exactly, you
know, what's actually happening to this

data. Obviously, GDPR is there to prevent
something from happening. But as we've

seen from these apps, like they were, you
know, towing a very blurry line. And so

the risk, obviously, of … this is
something that can’t be relia…. I can't be

saying, oh, this is happening because I
have no evidence that this is happening.

But obviously, the risk of multiple, the
risk of like employers, as you say, the

insurance companies that could get it,
that political parties could get it and

target their messages based on information
they have about your mood, about, you

know, even the fact that you're trying to
start a family. So, yeah, there is a very

broad range of risk. The advertisement we
know for sure is happening because this is

like the basis of their business model.
The risk, the range of risk is very, very

broad.
Chris: To just expand on that: Again, as

Eva said, we can't point out a specific
example of any of this. But if you look at

some of the other data brokers, her
experience as a data broker, they collect.

They have a statutory response. In the UK
is a statutory job of being a credit

reference agency, but they also run what
is believed to be armed data enrichment.

One of the things her employers could do
is by experience data to when hiring

staff. Like I can't say that if this data
ever ends up there. But, you know, as they

all collect, there is people collecting
data and using it for some level of

auditing.
Eva: And to transfer your second question.

I think this is a very important problem
you point out is the question of data

inequality and whose data gets collected
for what purpose. There is I do quite a

lot of work on delivery of state services.
For example, when there are populations

that are isolated, not using technology
and so on. You might just be missing out

on people, for example, who should be in
need of health care or state

support and so on. Just because you like
data about about them. And so, female

health is obviously a very key issue. We
just, we literally lack sufficient health

data about about woman on women's health
specifically. Now, in terms of how data is

processed in medical research, then
there's actually protocol a in place

normally to ensure, to ensure consent, to
ensure explicit consent, to ensure that

the data is properly collected. And so I
think I wouldn't want you means that you,

just because the way does apps. I've been
collecting data. If you know, if there's

one thing to take out of this of this dog
is that, it's been nothing short of

horrifying, really. That data is being
collected before and shared before you

even get your consent to anything. I
wouldn't trust any of these private

companies to really be the ones carrying
well taking part in in in medical research

or on those. So I agree with you that
there is a need for better and more data

on women's health. But I don't think. I
don't think any of these actors so far

have proved to be trusted on this issue.
Herald: Microphone 2.

Mic 2: Yeah. Thank you for this great
talk. Um. Short question. What do you

think is the rationale of, uh, this
menstruation apps to integrate the

Facebook SDK if they don't get money from
Facebook? OK, uh. Being able to

commercialize and this data.
Chris: Good question. Um, it could be a

mix of things. So sometimes it's literally
the the the developers literally just have

this as part of their tool chain their
workflow when they're developing apps. I

don't necessarily know about these two
peer trackers where other apps are

developed by these companies. But, uh, in
our in our previous work, which I

presented last year, we find that some
companies just produce a load of apps and

they just use the same tool chain every
time. That includes by default. The

Facebook SDK is part of a tool chain. Uh,
some of them are like included for what I

would regard as genuine purposes. Like
they want their users to share something

or they want their users to be able to log
in with Facebook and those cases, they

included, for what would be regarded a
legitimate reason below them. Just don't

ever actually they haven't integrated it
does appearance and they don't ever really

use anything of it other than that. Mean
that there are a lot of developers simply

quite unaware of the default state is
verbose and how it sends data to Facebook.

Herald: Yeah. Maybe we be close with one
last question from me. Um, it doesn't it's

usually a bunch of ups. How many of them
do certificate pinning? Uh, we see this as a

widespread policy or...
Chris: Are they just not really. Yet. I

would have a problem doing an analysis
where stuff could've been pinned. You say

TLS 1.3 is proven to be
more problematic than pinning. Uh, yeah.

Herald: Ok, well, thank you so much. And,
uh. Yeah.

<i>Applause</i>

<i>36C3 Postroll music</i>

Subtitles created by c3subtitles.de
in the year 2020. Join, and help us!