When Privacy Concerns and Deceptive Marketing Issues Intersect
Why TINA.org supports FTC’s proposed changes to COPPA Rule but pushes for more.
I’m a pretty skeptical person by nature. I believe if something seems too good to be true, it usually is. So, when period tracking app Stardust went TikTok viral by changing the emphasis of its marketing strategy from astrology to data security, stating “We don’t sell or share your data. Period,” I had my hesitations, specifically with the word share.
As someone who has worked with NPPI (nonpublic personal information) in the highly regulated and routinely audited financial industry, I know even protected data must still be shared with authorities when required by law. However, I was ultimately swayed when Stardust claimed end-to-end encryption would prevent a user’s login information from being tied to their period tracking data. I became one of the app’s 90,000+ TikTok followers and shared its videos with friends.
Backstory
Stardust is a period tracking app that “integrates science, astronomy and artificial intelligence to connect your hormonal cycle with the cycles of larger celestial bodies: the stars, planets, sun, and moon.” The app did not appear to market itself as a privacy focused company until after reports of Roe v. Wade being overturned began circulating on May 2.
The first appearance of Stardust claiming to not share data appeared on their Instagram account on May 4 and their TikTok account on May 11. This specific TikTok gave Stardust its first viral hit and just two days later, Stardust posted a follow-up showing it was third in the Top Charts for Apple downloads.
The timing of Stardust’s shift in marketing strategies seemed to suggest it was capitalizing on the fears that many were experiencing concerning healthcare access and reproductive rights. A suggestion that is reinforced by this TikTok, where the app proclaims “when your period tracker finishes encrypting your data just in time for the Roe v. Wade reversal.”
Then on June 24, when Roe v. Wade was officially overturned, Stardust launched its most viral TikTok yet, saying “if we get subpoenaed by the government we will not be able to hand over any of your period tracking data. It is completely anonymized from your login data. We can’t view it. You are the only person that can see this.” Again, two days after going viral, Stardust celebrated its success in the Apple App Store, but this time it was first.
Claims Get Scrutinized
At this point, critics and tech experts started to weigh in on Stardust’s encryption claims and its ability to protect customer data if subpoenaed. Multiple TikTok users also started to review the Privacy Policy and became concerned by language stating “We may disclose your information to third parties in order to protect the legal rights, safety, and security of [Company Name].”
TechCrunch ran an analysis on Stardust and found that users who logged into the app with phone numbers periodically had their information shared with third-party analytics service Mixpanel, which is used by many app startups to analyze user data to optimize experience. It’s important to note that Mixpanel, like any other company, is obligated to share collected data with authorities if required by law, and any company that agrees to their Terms of Use is agreeing that “Mixpanel will share Customer Content … To the extent needed to comply with laws or to respond to lawful requests and legal processes.”
Stardust responded to pushback and users’ repeated requests for clarification by releasing a statement on its website and updating its Privacy Policy to include language stating login information “cannot be linked” to users. However, again, this claim came under scrutiny.
A security editor at TechCrunch ran another analysis of the app and found that the encryption process that Stardust claimed would prevent login information from being “linked” to period tracking data created an “encryption key” that was sent back to Stardust. If the key — which links login information and period tracking data — is stored, it can theoretically be subpoenaed and used to connect the two.
What This Teaches Us
When faced with the unique ability to market itself to a growing number of individuals worried about menstrual health data privacy in a post-Roe world, Stardust appeared to rush forward without confirming it could backup its marketing claims. This oversight might simply be because it may have fallen prey to the same issue I did: not fully understanding the encryption technology.
Companies asking users to trust them need to ensure they are advertising themselves honestly and accurately. Hopefully Stardust, and anyone that shared the viral TikToks or downloaded the app under the belief their data would be protected from governmental authorities, has learned to be a bit more skeptical when something seems too good to be true. I know I have.
You Might Be Interested In
When TINA.org Investigations Collide
These brand collabs are far from fab.
What Happens When Human Marketers Are Replaced, But Human Viewers Are Not
And why the problem is even worse when those human viewers are kids.