Period tracker Stardust rolls back encryption claims amid scrutiny

28 Jun 2022

Images of the Stardust app. Image: Apple's App Store page

In the wake of the Roe v Wade decision, period tracking app Stardust surged in popularity after promising end-to-end encryption. But questions are now being raised about its privacy claims.

Period tracking app Stardust has seen a surge in popularity in recent day after it claimed to implement end-to-end encryption.

This followed the US Supreme Court’s decision to overturn Roe v Wade last week, eliminating the constitutional right to an abortion in the country.

As a result, many consumers began to remove their period tracking apps due to privacy and security concerns, with suggestions that law enforcement could use personal data from these apps against people who have sought abortions illegally.

Stardust promised to encrypt the private data of its users and keep it out of the hands of the government, which caused the app to surge to the top of Apple’s App store.

In a TikTok video posted over the weekend, Stardust founder and CEO Rachel Moranis said the company had spent the past month “racing” to develop end-to-end encryption.

“What this means is if we get subpoenaed by the government, we will not be able to hand over any of your period tracking data,” Moranis said. “It is completely anonymised from your login data, we can’t view it, you are the only person that can see this.”

However, the app’s privacy-focused claims appear to be at odds with its current practices and its privacy policy.

TechCrunch reported yesterday (27 June) that the current version of the app was sharing user phone numbers with a third-party analytics company, which could be used to identify users. Stardust’s privacy policy, which says it is effective from 26 June, states that the app collects a variety of personal data such as the user’s full name, email address, phone number and date of birth.

After TechCrunch reached out to Stardust for more information about how the app is implementing end-to-end encryption, the publication found that reference to end-to-end encryption was removed from its privacy policy.

This privacy policy also stated that it would comply, whether legally required to or not, if law enforcement asked for user data, Vice’s Motherboard reported.

Since Motherboard’s request for comment on the matter, Stardust made amendments to its privacy policy by removing the phrase about cooperating with law enforcement “whether or not legally required”.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic