Expecting (Targeted Ads)? Network Analysis of User Health Data Leakage in Fertility Tracking Apps
Pith reviewed 2026-06-29 04:36 UTC · model grok-4.3
The pith
Five fertility tracking apps send users' menstrual and pregnancy data to advertising services.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
After systematizing features across the 20 apps, the study records TLS-stripped network traffic during controlled user interactions and identifies explicit leakage of user health data together with implicit leakage via highly targeted contextual advertising URLs in a subset of five apps.
What carries the argument
Network traffic recording of TLS-stripped requests generated by standardized user interactions across the fertility apps.
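An added example, not taken from the paper or from Pith: one possible shape for the traffic classification described above, separating explicit leakage (a health field sent to an ad host) from implicit leakage (health context visible in an ad request URL). The ad hosts, field names, keywords and flow records are all constructed assumptions.

```python
import json
from urllib.parse import urlsplit, parse_qsl

# Assumptions for illustration: hosts, field names and keywords are constructed.
AD_HOSTS = {"ads.example.net", "track.example.org"}
HEALTH_KEYS = {"cycle_day", "last_period", "pregnancy_week", "due_date", "symptom"}
HEALTH_WORDS = ("pregnan", "ovulat", "period", "fertil", "trimester")
CONTEXT_PARAMS = {"content_url", "url", "ref", "kw"}  # params that carry ad context

def fields(flow):
    """Yield (key, value) pairs from the query string and a form or JSON body."""
    yield from parse_qsl(urlsplit(flow["url"]).query)
    body = flow.get("body", "")
    try:
        doc = json.loads(body)
        if isinstance(doc, dict):
            yield from ((k, str(v)) for k, v in doc.items())
    except ValueError:
        yield from parse_qsl(body)  # not JSON: treat as form-encoded

def classify(flow):
    """Return 'explicit', 'implicit' or 'none' for one decrypted request."""
    host = urlsplit(flow["url"]).hostname or ""
    if host not in AD_HOSTS:
        return "none"  # first-party or non-ad traffic is out of scope here
    verdict = "none"
    for key, value in fields(flow):
        if key.lower() in HEALTH_KEYS:
            return "explicit"  # a health field itself reaches the ad service
        if key.lower() in CONTEXT_PARAMS and any(w in value.lower() for w in HEALTH_WORDS):
            verdict = "implicit"  # health context is inferable from the ad URL
    return verdict

FLOWS = [  # constructed sample records standing in for TLS-stripped captures
    {"app": "app-a", "url": "https://ads.example.net/req?fmt=banner",
     "body": '{"cycle_day": 14, "sdk": "1.0"}'},
    {"app": "app-b", "url": "https://ads.example.net/req?content_url="
     "https%3A%2F%2Fapp-b.example%2Farticles%2Fthird-trimester-tips"},
    {"app": "app-c", "url": "https://ads.example.net/req?fmt=banner&sdk=1.0"},
    {"app": "app-d", "url": "https://api.app-d.example/sync",
     "body": "last_period=2024-01-01"},
]

def summarize(flows):
    """Map each app to the strongest leakage class seen in its flows."""
    rank = {"none": 0, "implicit": 1, "explicit": 2}
    out = {}
    for f in flows:
        c = classify(f)
        if rank[c] >= rank[out.get(f["app"], "none")]:
            out[f["app"]] = c
    return out
```

A "none" verdict only covers the recorded interactions, which is the coverage limit the referee report raises.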
If this is right
- Some apps achieve ad-based revenue without transmitting identifiable health data.
- Privacy differences between apps are observable through network analysis rather than self-reported policies.
- Users can avoid certain data flows by selecting apps that show minimal ad-network contact.
- Technical measurements can confirm or refute user worries about fertility-app data handling.
Where Pith is reading between the lines
- Similar network checks could reveal whether leakage patterns appear in other categories of health or period-tracking software.
- App stores might surface data-sharing summaries derived from traffic analysis to help users compare options.
- Developers of ad-supported health apps could adopt the minimal-interaction patterns observed in the non-leaking examples.
Load-bearing premise
The lab setup with fixed user actions and stripped network captures fully represents the data sharing that occurs in everyday use.
What would settle it
Real-user sessions on the same apps in which no menstrual or pregnancy details appear in requests sent to known ad domains.
Original abstract
While human factors in the privacy of fertility tracking apps -- health trackers that record users' menstrual or pregnancy data -- has been the subject of extensive study, little attention has been paid to the technical aspects of apps' data handling practices. We conduct a network-based measurement study of a corpus of 20 Android fertility tracking apps from the Google Play Store, focusing on how user data is shared with third party advertising services. After systematizing app features, we conduct a series of standardized user interactions across all apps in an environment that records TLS-stripped network traffic. In a subset of apps (n=5) we identify explicit leakage of user health data as well as implicit leakage through highly targeted contextual advertising URLs. Equally importantly, we observe additional apps that use an ad-based monetization model without apparent leakage of user data, as well as several apps the interact only minimally with ad services. These findings provide technical grounding for widespread user concerns, but also underscore the importance of consumer choice in the privacy implications of app-based fertility tracking.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The manuscript reports a network measurement study of 20 Android fertility tracking apps from the Google Play Store. After systematizing features, the authors perform standardized user interactions in a controlled TLS-stripped traffic environment and identify explicit leakage of user health data plus implicit leakage via targeted contextual advertising URLs in a subset of 5 apps. They also report additional apps that monetize via ads without apparent leakage and several with minimal ad-service interaction, providing technical grounding for privacy concerns while emphasizing consumer choice.
Significance. If the measurements hold, the work supplies direct empirical observations of data flows to third-party ad services in a sensitive health domain. It credits the direct network recording approach and the balanced finding that ad-based monetization does not uniformly imply leakage. The study adds concrete technical evidence to the literature on mobile privacy, though its impact depends on the completeness and reproducibility of the interaction model.
major comments (2)
- [Abstract / Methodology] Abstract and Methodology section: the headline claim of explicit leakage in n=5 apps (and absence in others) rests on traffic observed during standardized interactions, yet the manuscript supplies no details on app selection criteria, exact interaction scripts, traffic classification rules, or verification steps. Without these elements the support for the central claim cannot be evaluated.
- [Results] Results section: the observations of both leakage and 'no apparent leakage' are sensitive to the coverage of the interaction model. The manuscript does not enumerate or justify how the fixed set of standardized interactions addresses potential conditional paths (cumulative usage history, specific health-event sequences, device state, or ad-network callbacks after prolonged sessions), which directly affects the reliability of the positive and negative findings.
minor comments (1)
- [Abstract] Abstract: 'the interact only minimally' appears to be a typographical error and should read 'that interact only minimally'.
Simulated Author's Rebuttal
We thank the referee for their constructive comments, which identify key areas where additional detail and discussion will strengthen the manuscript. We address each major comment below.
Point-by-point responses
- Referee: [Abstract / Methodology] Abstract and Methodology section: the headline claim of explicit leakage in n=5 apps (and absence in others) rests on traffic observed during standardized interactions, yet the manuscript supplies no details on app selection criteria, exact interaction scripts, traffic classification rules, or verification steps. Without these elements the support for the central claim cannot be evaluated.
Authors: We agree that the manuscript currently lacks these methodological details, which are essential for evaluating and reproducing the central claims. In the revised version we will expand the Methodology section to specify the app selection criteria (top apps by downloads and ratings with feature diversity), provide the exact standardized interaction scripts, detail the traffic classification rules used to identify explicit health data leakage versus targeted ad URLs, and describe the verification steps performed. This will directly support the claims with transparent evidence. revision: yes
- Referee: [Results] Results section: the observations of both leakage and 'no apparent leakage' are sensitive to the coverage of the interaction model. The manuscript does not enumerate or justify how the fixed set of standardized interactions addresses potential conditional paths (cumulative usage history, specific health-event sequences, device state, or ad-network callbacks after prolonged sessions), which directly affects the reliability of the positive and negative findings.
Authors: We acknowledge that the reliability of both positive and negative findings is sensitive to interaction coverage and that the manuscript does not explicitly address conditional paths. We will revise the Results section to enumerate the performed interactions, justify their basis in the systematized feature analysis for typical first-use scenarios, and add a limitations discussion that notes the absence of prolonged-session or history-dependent testing while outlining implications for the reported leakage and non-leakage observations. revision: partial
Circularity Check
No circularity: direct empirical network measurement with no derivations or self-referential fits
The paper is a measurement study that records TLS-stripped network traffic from standardized user interactions in 20 fertility apps and reports observed data flows to third-party services. No equations, parameters, or derivations are present. Claims rest on direct observation of external network behavior rather than any reduction to fitted inputs or self-citation chains. The method's coverage limitations (raised by the skeptic) concern experimental completeness, not circularity in a derivation chain.