State AGs urge Apple to better protect reproductive health data
Editor’s note: This article has been updated with a comment from Apple.
Ten state attorneys general urge Apple to add new protections for reproductive health data contained in third-party apps hosted on the App Store.
In a letter sent to CEO Tim Cook, the attorneys general of California, Connecticut, the District of Columbia, Massachusetts, North Carolina, New Jersey, Oregon, Vermont and Washington said lax rules for protection of reproductive health data could harm patients or providers following the Supreme Court ruling that overturned Roe v. Wade.
The group said location history, search history and adjacent health data – information relating to the user’s past, present or future reproductive health – could pose a risk to people seeking or providing health information, abortions, contraceptives or other reproductive care.
The attorneys general argue that Apple should require app developers to delete location, search and health data that isn’t necessary for the app to work. Apps must also provide clear notices detailing how their data is used, stored, and shared, and only provide that data to third parties with a subpoena, search warrant, or court order.
The letter notes that Apple frequently boasts of high standards regarding data security and privacy, and says it should hold third-party apps to its own rules.
“At a minimum, Apple should require apps on the App Store to meet certain minimum security requirements, such as encryption of biometrics and other sensitive health data stored on apps, use of end-to-end encryption when transmitting said data and compliance with Apple’s user opt-out controls,” the attorneys general wrote. “To ensure long-term compliance, Apple should periodically audit and remove or refuse to list third-party apps that violate these standards.”
When asked to comment, Apple noted that the health and fitness data stored in its Health app is encrypted when the phone is locked with a password, Touch ID or Face ID. Apple itself also won’t be able to read health and activity data when using an updated version of watchOS or iOS with the default two-factor authentication and password.
Users can share health data with third-party apps, and Apple requires these apps to ask for permission, explain why they’re asking for access, and have a policy that explains how the data will be used. Users can also control what information from the Health app can be shared, such as allowing a third-party app to read step count but not blood sugar data.
THE GREAT TREND
After the Dobbs decision over the summer, some security experts raised concerns that data collected in reproductive health and period tracking apps could be used as evidence in states where abortion is now restricted. Others note that there is a variety of digital information that could be risky, like text messages or search history.
The letter from the state attorneys general referred to a recent report from the Mozilla Foundation which found that a number of period tracking, pregnancy, health and fitness apps have poor data privacy standards. Other research has found many applications for women’s health share data with third parties or do not clearly display privacy policies.
“Protecting reproductive privacy in the wake of the Dobbs decision is paramount. Despite promoting privacy as one of its ‘core values,’ Apple simply hasn’t done enough to ensure that private reproductive health data collected and stored by the apps will not be used to track, harass or criminalize those who seek to exercise their reproductive freedoms,” New Jersey Attorney General Matthew J. Platkin said in a statement.