Clue, a German period-tracking app, said its US users’ data is protected by GDPR. That assertion hides nuances and does not guarantee the security of this data.
“Your health data, particularly the data you hold in reference to your pregnancy, miscarriage or abortion, will be kept private and secure.” This is what Clue, one of the most popular period-tracking apps, published on Instagram on June 24, 2022, shortly after the U.S. Supreme Court decided it would not protect abortion rights at the federal level.
Since this terrible news, more than a dozen states have outlawed abortion altogether, and others may soon follow.
Clue’s statement is not trivial. In some states, such as Texas, the law encourages the prosecution of women who allegedly had illegal abortions and of “accomplices” who allegedly assisted them. The law could soon lead to bans on sites that talk about abortion, but it already threatens users of apps that collect health data, such as period trackers. The data could be used against them by authorities to prove they had an abortion.
The protection of this highly sensitive data matters more than ever for American women. Stardust, a US rival to Clue, was quick to say it uses encryption to protect user data, a claim that has since been called into question. Clue, which has pledged to protect American women’s data, may not be as safe as it claims.
Clue complies with GDPR, but that is not a sufficient guarantee
In its statement on Instagram, Clue explained that as a European company based in Germany, it must follow the provisions of the GDPR, which regulates the use of data that companies collect and requires them to put a number of safeguards in place.
It’s true: the GDPR applies to European companies, European citizens and nationals of non-EU countries who find themselves in the Union territory. However, this is not enough to guarantee the security of the data collected by Clue. There are also questions about the location and nationality of the companies working with Clue.
In 2018, the United States passed the Cloud Act, a law that requires all US companies to hand over data stored on their servers, regardless of where they are installed, to US judicial authorities upon request. So this law applies to most tech companies. Clue is indeed a German company, so it does not have to submit to the Cloud Act. But this may not be true for Clue’s servers.
Clue does not specify who manages its servers
“So access to data depends on the company providing the app’s cloud services,” Suzanne Vergnolle, a legal practitioner specializing in the protection of personal data in Europe and the United States, explains to Numerama. If Clue uses the services of companies such as AWS or Google (American companies), having servers installed in Europe will not make much difference. “If Clue says ‘we’re European, we use GDPR’, but the app goes through AWS, even in Europe, users aren’t really protected,” says Yosra Jarrayah, who specializes in data privacy and GDPR compliance.
Questioned by Numerama, Clue confirmed that its servers are indeed located in Europe. However, the company did not respond to our queries regarding the identity of the company hosting the servers and providing the cloud service. Without this information, it is difficult to be sure that Clue users’ data is well protected.
“Because our servers are located in Europe, we are committed to protecting the sensitive health data of everyone who uses Clue. We strongly believe that this includes the protection of data against the US government if they try to obtain this data,” Clue said in its reply.
But wanting to protect data doesn’t mean Clue can override the obligations of servers managed by US companies. “Clue may find itself in a situation where it doesn’t want to release data, but doesn’t necessarily have the legal tools to deny access requests from US authorities,” Suzanne Vergnolle sums up.
Clue may eventually challenge a court ruling based on the Cloud Act in US courts, but there’s no telling if it will win. The same holds true if the company hosting Clue’s data in Europe is also a US company. However, appeals may be tried in higher courts.
Data is not encrypted
That’s not the only flaw. As Clue admits, it uses data processors: “Data processors are companies that analyze data for us, such as data processors, some of which are based in the United States.” However, the latter will not have access to health data, “only for marketing data related to the use of the application”. “We carefully select companies and evaluate them on data protection,” Clue says; these companies were “checked again” as soon as the first concerns about abortion rights emerged. “Standard Contractual Clauses” signed with subcontractors also “ensure an adequate level of data protection”, as Clue points out on its site.
However, as Clue acknowledges regarding these clauses, “We cannot bind the government authorities of a country that is not a member of the European Economic Area (EEA) in which our subcontractor operates. In some cases, governments may have surveillance powers against European data protection rules. As a result, the legal environment of some non-EEA countries, particularly the United States, creates the risk that a subcontractor may be compelled by law to act contrary to obligations […] and provide personal information to local politicians.”
Added to this is the uncertainty of the legal framework that oversees the transfer of personal data between the two sides of the Atlantic. Previous mechanisms, whether Safe Harbor or Privacy Shield, have been overturned by European justice. Another framework has been promised, but its future is not guaranteed; the CNIL has thus expressed its confusion.
As the CNIL reminds us following the invalidation of the Privacy Shield, the continuation of personal data transfers to the United States based on these standard contractual clauses also depends on the additional steps a company takes. “A case-by-case analysis of the circumstances surrounding the transfer must ensure that US law does not compromise an adequate level of protection,” the authority warns the public.
In short, the existence of these contracts does not guarantee that the data is sealed off. Even though this data is simply marketing information, US authorities could become aware that some women have downloaded Clue. “Information maintained by us and our contractors is not subject to investigation by any public authority in the United States,” Clue states, adding: “However, the risk of such exposure cannot be eliminated,” the app concludes.
Another issue is that the data is not end-to-end encrypted. As the Clue site explains, “Your data is transmitted between your device and Clue’s servers using encrypted HTTPS (sic).” This is indeed a first level of security, but it’s not enough: if data is handed over from the servers to the authorities, it will be in the clear. Clue doesn’t specify whether it implements “at-rest” encryption of the data it hosts.
End-to-end encryption (on the condition that neither Clue nor its servers manage users’ private keys) would provide additional security.
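The difference between the two models, as an added example that is not Clue’s code or anything published by the app: it compares what a server can disclose when HTTPS is the only protection with what it can disclose when records are encrypted on the device with a key the server never holds. The passphrase, record and function names are constructed for illustration, and the standard-library encrypt-then-MAC construction stands in for a vetted AEAD such as AES-GCM, which a real app would use.

```python
import hashlib, hmac, json, os

# Constructed sample record; not real user data.
SAMPLE = {"date": "2022-06-24", "entry": "cycle day 1"}

def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Runs on the device only: 32 bytes for encryption, 32 for the MAC."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)

def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as keystream (assumption: stand-in for an AEAD).
    stream = b""
    for counter in range(len(data) // 32 + 1):
        block = nonce + counter.to_bytes(8, "big")
        stream += hmac.new(enc_key, block, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, record: dict) -> dict:
    """Encrypt-then-MAC on the device; the result is all the server receives."""
    nonce = os.urandom(16)
    ct = _xor_stream(key[:32], nonce, json.dumps(record).encode())
    tag = hmac.new(key[32:], nonce + ct, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ct": ct.hex(), "tag": tag}

def open_sealed(key: bytes, blob: dict) -> dict:
    """Verify the tag first, then decrypt; fails without the user's key."""
    nonce, ct = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ct"])
    expected = hmac.new(key[32:], nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong key or modified record")
    return json.loads(_xor_stream(key[:32], nonce, ct))

def server_disclosure(store: dict) -> str:
    """What the operator or its hosting provider can hand over: what is stored."""
    return json.dumps(store)

if __name__ == "__main__":
    salt = os.urandom(16)  # not secret; stored next to the ciphertext
    key = derive_key("constructed passphrase", salt)
    https_only = {"user-1": SAMPLE}             # TLS ended at the server
    end_to_end = {"user-1": seal(key, SAMPLE)}  # server never saw the key
    print(server_disclosure(https_only))
    print(server_disclosure(end_to_end))
    print(open_sealed(key, end_to_end["user-1"]))
```

At-rest encryption with a key held by the operator or its host falls into the first case: whoever holds the key can still produce the plaintext on request.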
Clue does not sell data
However, it must be recognized that Clue makes a significant and commendable effort to explain how user data is used and stored. In a lengthy post, Ida Dinh, founder of Clue, explains in detail that the app does not sell the information it has access to.
“Our business model is not based on selling personal data,” Clue confirmed to us by email. “We do not share the data we collect with advertising networks, and we do not sell this data to third parties.”
The problem nevertheless remains for Clue users in the US: how can they ensure the security of their data? Suzanne Vergnolle recommends using encrypted apps, which provide some security. This is notably the case of the “Health” app integrated into the iPhone, and “data related to menstrual cycles can be entered in it”. Yosra Jarrayah, for one, was categorical: “I’ll go back to the notebook and pencil method.”