Period tracking app, Flo, found to be selling user data to Meta

Scope of the Problem & Trust in Apps

  • Flo shared highly sensitive reproductive data (cycles, ovulation, pregnancy mode, even sexual data) with Meta/Google/ad-tech via tracking SDKs.
  • Many see this as part of a broader pattern: consumer apps, especially “wellness” ones, quietly operate as data-harvesting fronts.
  • Several commenters say it’s increasingly impossible to know which apps are trustworthy or will stay that way after acquisitions or business stress.

Law, Regulation, and Enforcement

  • Privacy legislation (GDPR, HIPAA, etc.) is debated:
    • Some argue that strong, enforced privacy laws and escalating fines (up to a “corporate death penalty” and criminal liability for executives/engineers) are essential.
    • Others note Flo’s behavior was already illegal in some jurisdictions; the problem is weak or slow enforcement and “malicious compliance.”
    • Commenters clarify that HIPAA is narrow: it applies only to covered entities, so many wellness apps fall outside it, and it still allows broad data sharing for “treatment.”
  • There is concern that data brokers and ad platforms let governments sidestep constitutional limits by buying data they couldn’t directly collect.

Responsibility: Users vs Companies

  • Some say: if you use a networked, free or cheap app, assume your data will be uploaded and monetized; pen-and-paper is safest.
  • Others call this victim-blaming, especially in contexts where cycle data could be used for criminalization of reproductive health.
  • There’s tension between “be pragmatic and paranoid” and “demand systemic fixes, not just individual workarounds.”

Utility of Period Tracking Apps

  • Many users find cycle tracking genuinely useful for:
    • Predicting onset and ovulation.
    • Monitoring irregularities, fertility, health issues, and sharing data with partners or doctors.
  • Others argue much of this can be done mentally or with simple notes, but concede dedicated apps improve consistency and analysis.

Technical & Product Alternatives

  • Suggestions include:
    • Local-only or end-to-end encrypted (E2EE) apps; OS-level per-app network controls (GrapheneOS, firewalls).
    • Open-source apps on F-Droid and named FOSS options (drip., Mensinator, Menstrudel, Tyd), plus some privacy-focused but closed-source apps.
    • Standardized data formats and easy export/import to let users switch when trust is lost.
  • A recurring issue: privacy-first, FOSS tools often lose out on design, UX, and marketing to “cute,” data-mining commercial apps.