Researchers are calling for regulatory action after research has highlighted security and privacy concerns in female-oriented technologies (FemTech) such as period-tracker mobile apps and fertility and menopause smart and connected devices used beyond health and medical clinics.
Experts at Royal Holloway University of London, Newcastle University, and ETH Zurich have identified significant security, privacy, and safety issues surrounding FemTech, which can pose a potential threat to users.
Publishing the findings in the journal Frontiers in the Internet of Things, the authors are calling on policymakers to explicitly acknowledge and accommodate the risks of these technologies in the relevant regulations.
FemTech is a term applied to the collection of digital technologies focused on women’s health and wellbeing. FemTech includes applications, software and wearable devices, and could range from mobile period apps and fertility-tracking wearables to IVF services on the blockchain. The market is estimated to reach over $75b in 2025.
The team reviewed the existing regulations related to FemTech in the UK, EU, and Switzerland to identify gaps in regulations, compliance practices of the industry and enforcements by running experiments on a range of FemTech devices, apps, and websites.
Their analysis of FemTech-related regulations shows that they are inadequate in addressing the risks associated with these technologies. The EU and UK medical devices regulations don’t have any references to FemTech data and user protection. The GDPR and Swiss FADP have references to sensitive and special category data which overlap with FemTech data. However, the industry practices include many non-complaint practices in data collection and sharing.
The study also focussed on industry non-compliance. The team identified a range of inappropriate security and privacy practices in a subset of FemTech systems. The researchers show that these systems do not present valid consent they do not give extra protection to sensitive data, and track users without consent. The authors show that not only is such intimate data collected by FemTech systems, but also this data is processed and sold to third parties.
The findings have exposed a lack of research and guidelines for developing cyber-secure, privacy-preserving and safe products.
Professor Mike Catt of Newcastle University is one of the study authors. He said: “We urge regulatory bodies to update and strengthen guidelines to ensure the development and use of secure, private, and safe FemTech products.
“There is evidence that domestic and intimate partner abuse can be enabled by FemTech. Many of the apps surveyed access mobile and device resources too. Some of these permissions are marked as dangerous according to Google’s protection levels. Such access potentially exposes contacts, camera, microphone, location and other personal data. Some specific permissions, such as access to system Settings and other Accounts on the device, also impose security and privacy risks. Access to sensors on the mobile phone can also be used to break user privacy. Users deserve better protection, especially where this relates to sensitive personal health and gender data.”
Study author, Dr Maryam Mehrnezhad, Senior Lecturer at Information security Department, Information Security, Royal Holloway University of London, added: “We have been conducting security and privacy research on this topic since 2019. Apart from our system studies, our user studies also highlight that end-users are indeed concerned about their intimate and sensitive data handled by FemTech products. We constantly share our research results with the industry and related regulatory bodies such as the Information Commissioner’s Office (ICO). We hope to see better collaborative efforts across the stakeholders to enable the citizens to use FemTech solutions to improve the quality of their lives without any risk and fear.”
According to data from Statista, the FemTech market is worth almost $65 billion and is projected to grow to over $100 billion in 2030.
This work is supported by the UKRI EPSRC PETRAS CyFer and AGENCY projects. These multi-disciplinary research teams are working with other stakeholders on the complex risks and harms of modern technologies such as FemTech to mitigate these risks and to design privacy-preserving, cyber-secure, and safe products which are inclusive.
Reference
[1] Mehrnezhad, van der Merwe, Catt, Mind the FemTech Gap: Regulation Failings and Exploitative Systems, Journal of Frontiers in IoT, 2024, earlier version at: Privacy Engineering in Practice (PEP), Symposium on Usable Privacy and Security Workshop, USA, 2023
[2] Mehrnezhad, and Almeida. “” My sex-related data is more sensitive than my financial data and I want the same level of security and privacy”: User Risk Perceptions and Protective Actions in Female-oriented Technologies.” The European Symposium on Usable Security, ACM, Denmark, 2023