>>Yeah, we're long time Def Con listeners, first time Def Con talkers.
>>Yeah.
>>So I like that our slides are cut off, because it just says "the internet already knows I'm x" and you can fill in the blank. In this case it's pregnant, but that's historical; I wasn't drinking while pregnant, just so you know. [laughter] So I'm Kashmir, I'm a journalist, I've been writing about privacy and security for about ten years, and I'm a new mother, which is relevant information at this particular time.
>>And I'm Cooper, I'm a technologist and security researcher at EFF. I'm a privacy activist and I also care about privacy and security issues for people that have wombs, despite not having one myself.
>>Woo! Yeah! [applause]
>>So we paired up for this particular project. I'm an investigative journalist, so I'm good at reading documents and talking to people, and I'm also an immersion journalist, I like doing the things I'm writing about. So when I wrote about bitcoin I lived on bitcoin for a week; it was hard. In the past, with Def Con speakers' help, I hacked a smart home. So yeah, I like to do the things I'm writing about, though I did not get pregnant just to do this talk. [laughter]
>>And I didn't either. So I'm a hacker, so my skillset involves apparently seeing dogs and blondes in the matrix. But I got interested in this originally when I had advised another journalist on an article about anti-abortion groups using geotargeted advertisements to target anti-abortion ads at women inside of Planned Parenthoods.
>>So you'd be in Planned Parenthood planning to get an abortion, you fire up Facebook, and you get an ad telling you that you're, you know, killing your fetus.
>>Yeah.
And so I met Kashmir and she pitched this idea to me after she had unsuccessfully looked for a real security researcher for many months, and we settled on me.
>>And beyond being pregnant, I got interested in this a few years ago. We're on the wrong slide, next one, oh, we are missing the slide, anyways. A few years ago I helped popularize the Target story. Is there anyone in here who doesn't know the Target data mining pregnancy story? Don't be afraid to raise your hands. Okay, I'll tell it. Almost everyone seems to know this story and I hear it come up at every single privacy and security conference I go to, so I'll be the one to raise it this time. But this is a story that came from an article written by Charles Duhigg, who is a New York Times journalist. He did this big article on how companies learn your secrets, and one of the anecdotes in this story was that Target did really excellent data mining: it would look at the shopping behavior of women to figure out, early on, who is pregnant, and it would be like, they bought unscented lotion, they bought a blue carpet, they probably bought prenatal vitamins, which is like the big giveaway. And so there was this story about how Target sent ads to this woman for all kinds of baby products, and it turned out this woman was a teenager, and her dad saw the ads and got really mad and went to Target and was yelling at them, saying, are you trying to encourage my daughter to get pregnant? And supposedly this dad called Target back a couple of weeks later and apologized and said there were things going on in his home that he didn't know about, and that his daughter was indeed pregnant. So some people don't want the internet to know about their pregnancy; in particular there's a Princeton professor named Janet Vertesi, and she wanted, while she was pregnant, for the internet not to find out about it.
So she went to great lengths to hide her baby bump from the world of big data. She looked at baby sites, baby product sites, using Tor; her husband went to the drug store and paid cash for gift cards; when they wanted to buy baby products they would do it with these gift cards and have it sent to an Amazon locker, so it wasn't associated with their home address. And she said she successfully hid it, as far as she could tell, because she never got online ads targeted at her based on her pregnancy. I decided to do the opposite. I just told everybody I was pregnant. [chuckles] While I was trying to get pregnant, I downloaded all of these period and fertility tracking apps, and then once I got pregnant I entered into the apps that I was pregnant, and I just used an email address that I don't usually use in order to track what happened, because I wanted to find out who was going to sell me out to retailers, who was going to figure out that I was expecting.
>>So this is the list of apps that we looked at. We looked at a little over 20 different apps, and they have all of these names; a lot of them are named similar things, like My Calendar, My Time. [sighs]
>>So here's the first privacy issue.
>>Yeah, so
>>Once you put this on your phone and somebody is shoulder surfing, do they know what you're doing with these apps?
>>So there's one set of logos that are very discreet, like, you know, letters, numbers; these could all be pretty generic applications, ridesharing or something. There's the next tier, though, that involves a lot of pink flowers and silhouettes of women.
>>I've never had so much pink on my smartphone. [laughter]
>>And then there's yet a third tier of weird images of fetuses. [laughter]
>>At least the last one doesn't give away what the sex of the baby is.
>>And then of course the grand winner is this one. [laughter]
>>No, I mean, you don't necessarily know what this is, it could be like a porn app.
>>No, but it's called 'Get Baby' [laughter], so yeah, a little on the nose for this one.
>>So I think that there are probably a few dudes in the audience who maybe haven't used these apps before, and you may wonder why it is that women would want to tell their smartphone when they're having their period. So these are some of the reasons why women use these apps. The screenshot on the left, you can't quite see it, but it gives you options for why you're using the app. It can be that you're trying to avoid pregnancy, so some women are using this as a contraceptive, to avoid, I guess, the sperm getting to the egg during a fertile period. Using it to get pregnant, or if they're getting very expensive IVF treatments, they can use these apps to track what's going on with their body. Once you get pregnant you can use these apps to track the human science experiment that's inside you. The main thing that the apps tell you about is what size fruit the fetus in your body is [laughter], which is super weird.
>>One of them told us that the baby was the size of a cheesy mango [laughter], which, I'm not clear what a cheesy mango is.
>>[laughs] And it told us, it was not our baby. [laughter]
>>No, no, yeah, [laughter] we should clarify.
>>[laughs] And then the other use for these apps is they have these community forums where women talk about all kinds of things. Sometimes it's stuff having to do with pregnancy and fertility, sometimes it's completely different; there's a lot of discussion about people's sex lives. In the screenshots I have here it's about, I can't even remember, oh, baby bump selfies, those are really big; oh, there's somebody saying why is my period greenish black, which, you should probably get out of the forums and go to the doctor. [laughter] And then in terms of the kind of information that you give these apps: you might tell them what your vaginal discharge looks like; because they're fertility apps, a very important piece of information is how often you're having sex and when you're having sex. Once you're pregnant you might tell them the physical symptoms that you're experiencing, from, you know, headaches to back aches to not sleeping a lot. And then the apps are helpful in terms of getting you to do things that you're supposed to do when you're pregnant, like take prenatal vitamins, do kegels, which if you don't know what that is you can look it up [laughs], and just track your sleep and your weight, like the usual kind of health tracking stuff. So I downloaded all these apps. Who figured out I was pregnant?
So one of the first companies that figured out I was pregnant was Twitter. This is from a Twitter account that is associated with the email address that I used with all of these different apps, and I don't know if it's included in the screenshots, but they figured it out. This is from an interests page that you can get to in your Twitter settings, and it tells you what advertisers know about you, how they're targeting you. So I have been successfully associated with baby products, childcare products, and very specifically it says, in my demographic information, that I have one child. Which is true. Also, all of these people figured out I was pregnant. This is my inbox at six months, and luckily, again, I was not using my usual email address, but I had ads from Pottery Barn Kids, What to Expect, which is one of the apps I signed up for, Huggies, and many, many more. So this is where we get into my specialty of reading documents. I wanted to figure out, you know, how these people had gotten this information. There was a technical way to find that out, and then there was just the read-the-privacy-policy way. I'm only going to give you a few of the privacy policies, but the first one was What to Expect. This privacy policy is 4,000 words long, which is 8 pages if you print it out, and 2,600 words in, it very explicitly says, you know, when you sign up we give your registration information to select partners, and there's a little link there that you can click, and then it gives you a list of the partners. When I first did this it was like 8 different companies, but when I went back to the screenshots for our talk it had expanded to, I think, 14. It includes Pottery Barn Kids, Huggies, some of the people that you saw spamming my inbox, and the privacy policy said, if you don't want us to tell these companies about your pregnancy status, don't use the app.
You know, this can be worse than just getting spam in your inbox; sometimes they send real mail. Similac is a baby formula maker and they're one of What to Expect's select partners, so they get information from What to Expect and other companies that they wouldn't disclose to me, and they will send a woman baby formula a couple of weeks before her due date so that she helpfully has baby formula around to feed to her child. This can go very wrong, because not everyone who gets pregnant stays pregnant. So in one particular example, a woman named Amy Pitman from Washington got pregnant, was excited about it, put it into the apps; she didn't like the What to Expect app, so she deleted it, and then she had a miscarriage, and a few months later, or I guess like 8 months later, she did get baby formula in the mail. So there are serious privacy harms here when you misidentify, or correctly identify, a woman's condition but then don't know what happens later.
>>And it seems like a lot of these apps are not keeping in mind people who might be outside of the majority use case, the average user's story, or the average threat model, so to speak, which is a theme that'll come up again.
>>Okay, so privacy policy number 2, this was The Bump. This privacy policy was 4,700 words, which is 10 pages printed out.
>>Yeah, and so for reference, this is the same length as the entire report that I wrote about this problem.
>>[laughs] And so I was reading this privacy policy and I was really surprised to get about halfway through it and discover baby's first wiretap. Which [laughs] I use facetiously; I don't know if a lawyer would approve of calling this explicitly a wiretap, but [laughs] it had a feature. It told you that if you made a call from within the app, like, you identified a vendor that you wanted to do your baby registry on.
If you made a call from the app it would record the call, it would record any message that you left, it would collect the phone number, the location where you were when you made the call, etcetera, which I just thought was insane; like, I've never seen anything like that before with an app. And so I reached out to The Bump and I said, you know, WTF. And they informed me, oh, you know, we're not recording phone calls, that's legacy language for a contemplated future for The Knot, which is an app that they do for planning weddings, and the press person was like, I'll send that to our legal team right away. So this proves that no one reads privacy policies, not even a company's own lawyers. [laughter]
>>And the line
>>They removed it from the privacy policy a couple of days after I reached out to them.
>>The line of, this bad thing you found was just a test, how common was that?
>>Yeah, I mean, I'm sure many people out here who have reached out to companies about privacy or security issues often get a response of, it was just a test, or we were just temporarily doing it. I don't know, I hear that all the time.
>>That was the response from about half of the companies we contacted, I think.
>>Okay, this is the last one. So this was Ovia, which is a company that makes a fertility app, a pregnancy tracking app, and even a child tracking app. Their terms of use are 6,100 words, which is 14 pages printed out.
I don't know if you can see it in the screenshot, but this is an app that gives you a really helpful fertility score, like, your score is high, do it; your score is low, nothing's gonna come of it. [laughter] And [laughs] when I went through their terms of use, you know, a lot of these apps sound like they're kind of giving you the kind of advice that a doctor might give you, but many of the apps warn that they're not really giving you medical advice, and this one explicitly said, you know, this app might have errors, may be inaccurate, just so you know, we're not responsible for that. So I went back to look at their website, and, oh yeah, you can see it, good. So in the advertisement for their pregnancy app they said they'll give you real time alerts when your symptoms are dangerous, and right above that is the little medical symbol. So I don't know, it sounds like medical advice to me.
>>Sure seems to be trying to imply that it's medical advice.
>>Right. So these are some of the issues that we ran into. When it comes to inaccuracy, the warning that they gave is warranted. I found out that a year ago three doctors looked at a bunch of apps, 33 of the most popular ones on Android and iPhone, and they looked at their predictions for the fertile window, and of those 33 apps, only 3 apps correctly predicted the fertile window, and we've got their results there. No one was completely off, but they would just be off by like a few days. And interestingly, the month that I got pregnant, most of the apps told me I'd missed my fertile window, so my husband and I were excited when we found out that in fact it had worked.
>>So if you're using these to not get pregnant, it might not be the best method.
>>Yeah, please don't use these apps as a contraceptive.
So, so far I've talked a lot about one person that's involved in this in terms of privacy. There's two people involved, and so that was definitely on my mind as I was doing this project: basically I was tracking my now-in-the-world daughter online since she was negative 8 months old [laughs], so I just wanted to say a public apology to Ellev.
>>Uh
>>So that's like a lot of what I was able to [laughter] [inaudible] [laughs]. So this is what I was able to learn just from basically tapping into skills that I have as a journalist, in terms of reviewing privacy policies, reaching out to companies. I also used an app, I guess, called Recon from Northeastern University that monitored the kind of connections that my phone was trying to make, and that these apps in particular were trying to make, and so it told me essentially that there were a lot of advertisers that were getting information from the apps. But I felt like I needed more help in terms of really digging into the technical side of this, and that's where Cooper came in.
>>Yeah, so I wanted to give sort of a hacker's side of this and see what we could find out about the network traffic: what sort of API calls were being made, whether encryption was being used, whether the APIs were written securely, and what other companies were getting the data and what sort of data exactly they were getting.
So
>>Also, Cooper is really good at finding memes [laughs], so you'll appreciate the next few slides.
>>So one of the first fun things that I discovered about these apps is that they give you some pretty specific advice. This one told me that I had a 2.6 percent risk for pregnancy, which is large considering I, again, don't have a womb. [laughter]
>>So there is no option in these apps to say I'm a dude.
>>Yeah [laughs], no. So I used pretty typical reverse engineering methods: static analysis, dynamic analysis, and some other tools. For static analysis I used a tool called JADX, which is a decompiler for APK files; it produces something close to the original Java source code, and it also extracts the resource files. And then I loaded that up in Android Studio, where I was able to do some similar things to what you can do in IDA: I was able to rename function calls that were obscured, track flows of functions, see where permissions were called, why they were called. So this gave me a lot of good insights into apps that I wasn't able to get just from network traffic. And this is how I got network traffic: for dynamic analysis I used a tool called man-in-the-middle proxy, or mitmproxy. What mitmproxy does is it intercepts SSL traffic; you install a special root certificate on your device and then you connect to the proxy, and you can see content, headers, and everything else for HTTPS traffic, and it also allows you to replay requests, edit requests and replay them. So it was really good for looking at the APIs, figuring out who was being contacted and what they were being sent.
And then the other tool I used is a proprietary tool called Kryptowire, which they donated their services to us for this project. Kryptowire does a combination of static and dynamic analysis, and it allowed me to do sort of a quick triaging of about 40 different apps in a couple of hours, to see a high-level overview of which ones might be worth looking into further. And you can see here, this is kind of the high-level analysis screen of one of the apps, where it told me that it was leaking personal information. So one of the main things that I found in most of these apps was just lack of HTTPS, meaning that important personal content was sent over plain text HTML.
>>And so you might wonder, like, okay, we're talking about the privacy and security of fertility apps, who's gonna attack these things, like, who wants to hack these? So let's think about what kind of information is going into these apps: women talking about their sex lives, or the kinds of things that they're writing on the community forums where they're talking about issues that they're having with their pregnancy, medical information, again a lot of them talking about their sex lives; strangely, a lot of women talking about their experiences being sexually assaulted, that was like a very common topic of conversation. So this is all being sent in the clear, and it might be intercepted by somebody who shares a network with you.
>>Yeah.
>>Which could be your partner, could be your restrictive father. Thanks to Congress deciding not to move forward with privacy rules for ISPs, this means your internet service provider could get this information, and this would be more information used to target you with ads.
>>Yeah, and then the other thing about this is, of course, that somebody with a man-in-the-middle position could inject and execute JavaScript on a lot of these apps, which used the WebKit framework to render pages. Related to that, we found a number of issues with account hijacking à la Firesheep, so four of these apps would have been Firesheepable, which is to say that they were sending authentication cookies over plain text. So Pink Pad, WebMD Baby, My Calendar, and The Bump all were found to send authentication cookies over plain text.
>>So
>>The top three have not fixed this.
>>So if you're using these apps and you're using Def Con wifi, don't do those things at the same time.
>>Yeah [laughter], probably just don't use the wifi [laughter], even if you're not using these apps. We also found a lot of personal information leaks. So Pink Pad is made by a company called Alt12; we tested two of their apps, and both of them send your exact GPS coordinates to the Alt12 server every time you start the app. And why the hell does a period tracking app need to know your location? [laughs]
>>And it's in their privacy policy: it's so they can provide you with location-based information, and ads. Location-based ads.
>>Yeah. So we also found a number of other things like email, name, gender, pregnancy status all being sent, and I don't think that Pink Pad was the only one that was sending location. A bunch of these apps requested the location permission, but what we found through static analysis was that a lot of them were encrypting the data that was being sent to advertisers and to other people; Pink Pad was just the most obvious about it. And if we had more time maybe we would have found others.
>>And so again, thinking about the threat model here, I actually want you to put on your William Gibson hats and think about the possibility for what could be done with information about women planning to be pregnant, or thinking about pregnancy, who are giving up their location details all the time. So I think at the beginning of this talk we made the point that advertisers aren't just creepy because they get a lot of information about you and they're trying to get you to buy something. In the case of knowing a woman's pregnancy status it can be very malicious, where we had an anti-abortion group targeting women that are in a Planned Parenthood waiting room. So just think about some kind of a policy group who wants to target a bunch of women who live in a certain neighborhood and tell them that they shouldn't get pregnant, like, everything that's bad about it, or try to encourage them to get pregnant.
>>And I don't know if Cory Doctorow is in here, but if you write this story, we want royalties. [laughter] So there were other information leaks too, like this text file that was dropped on the SD card by one of the apps. This contains a log of the entries into the app every day, and January 18th was a
>>Like a really good day. [laughter]
>>But this file being on the SD card means that any other app could read this file, and furthermore it means that anybody who gets ahold of your SD card, or the data partition on your phone, is going to be able to read this file as well.
So it's a pretty big privacy leak. And then of course third party tracking is a super common problem with all of these apps; I think all but one of the apps that we tested contacted several different advertising servers, and it's mostly the same stuff that you see online. The majority of it is Google, Facebook, Amazon, and Adobe's various publishing networks, and then there's like a long tail of just random advertisers and data brokers that are, you know, on one or two of them.
>>So I think it's safe to say that Google, Facebook, Amazon, and Adobe know more about who in the country is pregnant than Target.
>>So one feature that a lot of these apps have in common is this PIN lock screen, and it's kind of interesting, presumably to keep somebody from just picking up your phone and looking at it, but they're not implemented very well. They almost all have a 4-digit limit, and at the time that we looked at this none of them had any sort of protections against brute forcing, so you could guess as many times as you wanted without any sort of slowdown. When we notified the companies, one of the companies, P Tracker, did actually decide to fix that issue and implemented a backoff for the number of times that you could enter the PIN code. But the other thing about these is that they're not any sort of protection for the data at rest, so they don't encrypt the data in any way, they don't do anything to actually protect it on the drive; they're just an intent that triggers before the app starts, so all you have to do is get around that somehow, and one way to get around that is to click this link that says "I forgot my code". So for at least one app, The Bump, when you click this link it sends you an email with a temporary PIN code that will unlock the app.
>>And where does email tend to go?
>>And so email tends to go to your phone, so if
>>So if you're on the phone trying to get into the app and you can't because there's a PIN on it
>>Just send the reset code and check the email, because you already have the phone, and there you go.
>>And when I was using these apps I was not using PIN codes; I wasn't particularly concerned about somebody getting into the apps. But if somebody does feel a need to use the PIN they may have a very legitimate reason, like they're
>>You may be in an abusive relationship, you may be in a restrictive, you know, or a religious household, or a religious society.
>>They're with somebody, and they don't want somebody who has access to their phone to have access to their sex lives, and so these PINs should be stronger.
>>Yeah, and if you're relying on this PIN code for security, I don't recommend it; you should take other steps. Another issue we found was files not actually being deleted. Again, we only found this in The Bump, but this is also largely because we ran out of time to do this research, and this is probably an issue in other apps. So what happened in this case is that The Bump encourages you to upload photos of your pregnancy progress.
So a photo of your belly, a photo of your ultrasound.
>>And so what happens on a lot of these apps, there are actually some apps that explicitly discourage this and say no posting any personal information in the community forums, but I guess The Bump didn't have that prohibition. So a lot of women like to post the ultrasound and share it so you can see the development of the baby, but ultrasound pictures usually have the mother's full name, the hospital where the ultrasound was taken, the date, so a lot of sensitive information. So a woman might post that to a community forum and then realize all that she shared and delete it.
>>But when you delete it, it turns out that it simply unlinks the photo from your account but doesn't actually delete it from the CDN server that the photo was uploaded to. So if you have that original URL, that URL still works to see the photo for the rest of time. We thought this might be a caching issue at first, but the photo was still up for a week after I had deleted it from my account, so definitely not a caching issue; they just didn't even consider that a user might want to actually delete things when they say delete. And then the other thing we found was just a crazy amount of permissions being requested. It seems like the Android development philosophy is it's better to ask for all the permissions than for any forgiveness. No, that was bad, alright. So ten different apps, half of the apps we tested, requested the location permission, and again
>>Everybody wants to know where you are when you're pregnant.
>>So again, for advertising, right? But this harkens back to the story that I was working on earlier about women being targeted in Planned Parenthoods through location-based advertising. This is incredibly personal information and there's no reason that any of these apps should have this.
Also, a quarter of the apps we tested requested your contact list.
>>Just in case they wanna, like, inform people about the pregnancy.
>>Yeah, they might want to text everybody you know that your period is coming up. [laughter] Also, five or six of the apps requested your device ID, which is like a cookie for your phone; it lets advertisers link your profile between different apps. And then the phone permission lets them do the same thing but using your IMEI, which is like a hardware serial number for your phone. And then Pregnancy Plus requested the SMS permission, and I have no idea why, but it also has the contact permission, so maybe that thing I said earlier about it texting everyone. [laughter] Anyway, we found one interesting security feature, which was that four of these apps, Glow, Nurture, and Eve, which were all made by the same company, and Clue, all implement certificate pinning. This is where you hardcode the hash of the SSL certificate that you want to use for your HTTPS connection into the application, and it's pretty cool; this prevents somebody from doing a man-in-the-middle attack on HTTPS like what I did with mitmproxy. I mean, it's a nice feature to have, my bank doesn't even do this, which would be great, but it's kind of extra, like, I don't
>>We're not security shaming.
>>I'm not security shaming, I'm glad they did it, but TLS man-in-the-middle seems to not really be in the threat model for the use of these apps, and it seems like maybe a better use of their time would be to implement something like two-factor authentication, which none of these apps did, or securing that PIN code thing. So after finding all this, we reached out to the vendors separately.
>>We reached out separately.
>>Yeah, so Kashmir reached out to them about the privacy issues and about the things in the terms of service.
I reached out to them about the security issues. This is how I felt about their response [laughter], and this dog will always be relevant forever. [laughter] So I contacted nine different vendors, all these guys and also The Bump, and we received a response back from P Tracker, Glow, and The Bump, which isn't up there because we got a response back from them just after we finished these slides. So P Tracker and Glow fixed the issues that we found, The Bump promised that they would fix the issues, and everyone else just completely ignored us. One company sent us a form letter saying they appreciate that we like their application. [laughter]
>>I had a different experience, and this is where it's just different being a security technologist versus being a journalist. I heard back from everybody that I reached out to except for Everyday Health, which makes the What to Expect app, and Alt12. People acknowledged the problems with the privacy policy and changed it. I got responses, and companies definitely seem to pay attention to journalists. I think that it helps that they have press people set up particularly to receive our inquiries, and also I think they better understand what journalists are asking them, and sometimes they just have no idea what a security technologist is sending their way.
>>So maybe the lesson here is that if you want companies to take your security issues seriously, either work with a journalist or tell them that you're a journalist.
>>Yeah, I definitely endorse this pairing up; you should definitely pair up with journalists if you're a technologist, and vice versa.
>>Um yeah so and on that line uh what can hackers do, what can you all do uh to improve this situation and one of the best things to do um is uh to pair up with a journalist and I might do these in kind of a reverse order- is to pair up with a journalist uh the combination of a hacker and an investigative journalist is a really powerful combination um you can- we can find these problems and then we can tell the world um and we can through shaming these companies, and through getting this publicity out there, convince them to take these security and privacy issues more seriously. Um and we’re also- hackers are really good at threat modeling and we can think about uh threat models outside of sort of one standard deviation from the average user so we can think about threat models for people that are in an abusive household or people that have a stalker, right? These uh should be pretty common threat models for somebody writing one of these apps but they’re apparently not >>I think one thing that was obvious to us at the end of this is that these companies hadn’t necessarily thought about um kind of the abusive edge cases um and actually a year ago Glow had a really big security issue that Consumer Reports discovered where Glow had this feature there where you could invite your partner um to kind of monitor your fertility or pregnancy with you and the way they had set it up was such that the woman um would would uh make the invitation to somebody but um after she did that anybody who knew her email address could then monitor um what she was doing within the apps and so it was just this kind of huge security hole and only discovered because Consumer Reports decided to look really closely at the- at the app.
>>But Glow did take that issue seriously and did fix the issue and had- I think that is why they were so responsive to the security issues that we found because they do seem to after that shaming er after that publicity >>publicity [laughs] not shame >>Not shaming um but after that publicity they decided to take these issues seriously so this is a great illustration of how publicizing these problems um is an effective tactic for change. >>Um >>So Kashmir what was your takeaway from all of this? >>Yeah I mean my firsthand um opinion on all this like I hate to admit it but I really enjoyed using these apps um while while I was pregnant um it’s super weird being pregnant uh it’s like unlike anything that’s ever happened to your body before and you- just- you feel like a science experiment for 9 months and so I appreciated the information I was getting from the apps uh but if I decide to have more children I don’t think I would use the apps again cause now I kinda like know my way around it um so any any future children I would have the only priv- privacy invasion they’d be subjected to in utero would be the ultrasound which I like to call baby’s first privacy invasion. >>It’s always hardest on the first child isn’t it Kashmir? >>Always hard- we’re both first children, it’s the hardest. >>Anyway um and so that’s all we have. We wanna say some thanks to- uh thanks to Kryptowire for donating their analysis services to us uh we really appreciated that and it helped us out. >>Thanks to J- Dave and Jingjing at Northeastern for their help with Recon >>and uh thanks to Gizmodo and EFF for continuing to sign paychecks to us >>[laughs] Thanks to Def Con and then thanks to Ellev for inspiring our research [applause]
