Scholars are urging regulatory measures following their investigation, which underscored security and privacy concerns in women-centric technologies (FemTech), including period-tracking apps and smart devices for fertility and menopause.
Researchers from prestigious institutions such as Royal Holloway, University of London, Newcastle University, University of London, and ETH Zurich have pinpointed severe security, privacy, and safety vulnerabilities in FemTech. These vulnerabilities could endanger users.
The dangers identified include unauthorized access by the applications to users’ personal contacts, cameras, microphones, locations, and other sensitive data (for instance, medical scans), along with system settings and accounts, thereby heightening security and privacy risks.
These applications and Internet of Things (IoT) devices amass extensive data about users, their families (children, partners, and other relatives), and their physical and surrounding environments through integrated sensors.
The studies reveal that such data collection methods could disclose highly personal and intimate information about users (like gender, fertility, and health data) to external parties.
FemTech refers to a range of digital solutions aimed at improving women’s health and well-being, encompassing apps, software, and wearable technology, from menstrual cycle trackers and fertility monitoring devices to IVF services.
The findings, published in the journals Frontiers in the Internet of Things and Symposium on Usable Privacy and Security Workshop, have prompted the authors to call on policymakers to recognize and address the risks associated with these technologies in relevant legislation.
The sector is projected to surpass $75 billion in value by 2025. The technologies reviewed in this study range from breast pumps and cycle trackers to Kegel exercisers, sexual wellness products, menopause solutions, digital pill organizers, and overall health monitors.
The research team evaluated current UK, EU, and Swiss regulations on FemTech to pinpoint regulatory shortfalls, industry compliance issues, and enforcement issues by experimenting with various FemTech smart devices, applications, and websites.
Their analysis indicates that existing regulations need to be revised to mitigate the risks linked to these technologies. Neither the EU nor the UK medical device regulations currently refer to FemTech data and user protection specifically. Although the GDPR and Swiss FADP mention sensitive and special category data overlapping with FemTech data, industry practices often involve non-compliant data collection and sharing methods.
The study also highlighted industry non-compliance, identifying several FemTech systems with questionable security and privacy practices. These systems are often not classified as medical devices, fail to obtain valid consent, provide inadequate protection for sensitive data, and track users without permission.
Moreover, the research revealed that not only is such intimate data collected by FemTech systems, but it is also processed and sold to third parties.
These findings underscore a significant gap in research and guidelines for the development of cyber-secure, privacy-focused, and safe products.
Dr Maryam Mehrnezhad, the study’s lead author and Senior Lecturer at Royal Holloway, emphasized the varied threats to users’ data in FemTech, particularly concerning fertility and sexual health.
Since 2019, the team has been exploring security and privacy in this field, finding that users are indeed worried about how FemTech products manage their sensitive data. The team actively shares its findings with the industry and regulatory bodies, like the Information Commissioner’s Office, advocating for collaborative efforts to enable the safe and risk-free use of FemTech solutions to enhance users’ lives.
Professor Mike Catt, a co-author from Newcastle University, stressed the need for regulatory bodies to update and strengthen guidelines for the development and use of secure, private, and safe FemTech products.
He highlighted that many apps gain access to mobile and device resources, some of which are categorized as high-risk according to Google’s protection levels. This access could compromise contacts, cameras, microphones, locations, and other personal information. Specific permissions pose security and privacy risks, such as access to system settings and other accounts on the device. Users, especially those sharing sensitive health and gender-related data, deserve enhanced protection.
More information: Maryam Mehrnezhad et al, Mind the FemTech gap: regulation failings and exploitative systems, Frontiers in the Internet of Things. DOI: 10.3389/friot.2024.1296599
Journal information: Frontiers in the Internet of Things
Provided by Newcastle University
