Stardust App Shares Sensitive User Health Data With Analytics Firm

Stardust App Found Sharing Sensitive Health Data with Analytics Firm

The period-tracking app Stardust is sharing sensitive user health information with the third-party analytics company RudderStack, according to recent research conducted by the Mozilla Foundation. Despite claims on its website stating, “Your data is private. Period,” the app was found to be transmitting specific health details including users’ birthdates, birth control types, reproductive goals, and personal symptoms.

Mozilla security researcher Shoshana Wodinsky utilized network traffic analysis to evaluate six popular period-tracking apps. Out of the group tested, Stardust was the only app identified as sharing sensitive health data with another company. This data sharing often occurs as background activity within the app, remaining invisible to the user. While the information is tied to a unique identifier rather than a name, the Federal Trade Commission (FTC) has long warned that such methods do not effectively anonymize data or prevent it from being linked back to an individual.

Discrepancies in Privacy and Security Claims

This is not the first time Stardust’s privacy practices have faced scrutiny. In 2022, following the overturning of the constitutional right to seek an abortion in the United States, the app experienced a surge in downloads. While the company claimed at the time to be end-to-end encrypted—suggesting that not even the company could access user data—TechCrunch discovered through network traffic analysis that this claim was false.

Regarding the current findings, a Stardust spokesperson stated that RudderStack is “contractually prohibited from selling or using it for its own purposes.” However, the Mozilla report notes that RudderStack was not explicitly mentioned in the app’s privacy policy. Furthermore, because both Stardust and RudderStack are U.S.-based companies, they remain subject to legal demands for stored user information from law enforcement.

Stardust founder Rachel Moranis did not respond to requests for comment regarding whether the company has received such demands. A spokesperson acknowledged receipt of an inquiry but declined to provide further comment.

Discrepancies in Privacy and Security Claims
Photo: The News International

Broader Industry Risks and Surveillance Concerns

The Mozilla findings highlight significant privacy and security risks inherent in health apps that share information with third parties, including potential data breaches, security lapses, and the possibility of data being sought by law enforcement. Beyond RudderStack, Stardust and other apps like Period Calendar were found sending device ID numbers and usage data to advertising and analytics platforms such as Google, Meta, Microsoft, TikTok, and InMobi. This practice enables these companies to track users across the internet.

Sara Geoghegan, director of the Consumer Privacy Program at the Electronic Privacy Information Center, described the implications of such data collection, noting that information gathered from these apps can be woven into a larger “tapestry” of surveillance. Experts warn that data points like menstrual cycles, pregnancy status, and physical symptoms could potentially be utilized in criminal cases.

“Period App” Breach Shares Sensitive Data | The View

Recommendations for User Privacy

Mozilla evaluated several apps to determine their privacy standards. While some, such as Clue and Flo, have shown improvement due to regulatory pressure and now offer users the ability to opt out of advertising data sharing, they still store health data on their own servers.

For users seeking to minimize exposure, Mozilla recommended Euki as a “squeaky clean” alternative. Euki does not share data with third parties, requires no account, and stores all health information locally on the user’s device rather than on external servers.

To protect personal privacy, Mozilla suggests that users evaluate health apps based on four key criteria:

Recommendations for User Privacy
Photo: BBC
  • Who has access to the health data?
  • Who can see that you are using the app?
  • Where is the data stored (locally on the device versus on company servers)?
  • What is the app’s history regarding past privacy scandals?

Find more reporting in our News section.

Leave a Comment