CyFer: Cyber Security, Privacy, Trust and Bias in FemTech
CyFer Project and Team
CyFer examines the cybersecurity, privacy, bias and trust in female-oriented technologies (FemTech) such as fertility and period trackers focusing on apps and IoT devices. CyFer is funded by EPSRC PETRAS National Centre of Excellence for IoT systems cybersecurity. Comments from the reviewers and selection panel: "Very highly praised proposal, both by the Peer Reviewers, and the Selection Panel: This is a clear, well-thought-out proposal. It has far-reaching potential benefits to women, and to industry, in particular. The team are entirely appropriate and have evidenced their specialist expertise via their publications. The issues which this proposal address around FemTech and privacy go beyond the 'normal' levels of privacy violation germane to IoT and cybersecurity, to a deeply intimate level of privacy. It is essential that IoT privacy controls can defend such privacy as a standard."
FemTech promise to enable women to take control of their bodies and lives, helping them overcome the many existing challenges in health and medical care and research. There are already over 1300 FemTech companies offering a huge range of products, with a market size of $40.2 billion in 2020 alone. These technologies gain user-entered data and take body measurements via sensors. By collecting a vast amount of data and processing them through advanced algorithms e.g. AI, these technologies assist in managing reproductive and sexual health, and give scientists more insight about people’s bodies. However, there is a lack of clarity in the law (e.g. GDPR) and the industry practice in relation to this extremely sensitive data on different levels i.e. user consent, third-party sharing, and algorithmic bias which may lead to malicious purposes. There is evidence that the main audience of these products (women) have been historically discriminated by algorithms (e.g. AI).
The CyFer project looks to build on the research team’s previous work that demonstrated how the majority of FemTech IoT devices and apps start tracking the user right after the app is open and before any user consent, and how new sensors (e.g. on IoT devices) can put users at serious risk, yet the user perception is far less than the actual risks. The CyFer project looks to achieve its aims by (1) evaluating the security and privacy of FemTech, (2) investigating user perception and practice and (3) studying socio-technical bias and trust in data, algorithms and AI systems.
CyFer is a collaboration between multiple researchers, industrial partners, artists, designers, etc. across the world and we welcome more collaborations. The team members include:
Media and News Coverage
Nov 2023: Paper: The Importance of Collective Privacy in Digital Sexual and Reproductive Health, UK Fertility
Authors: Teresa Almeida, Maryam Mehrnezhad, Stephen Cook
Accepted in the 17th Annual UK Fertility Conference 2024
Abstract: There is an abundance of digital sexual and reproductive health technologies that presents a concern regarding their potential sensitive data breaches. We analyzed 15 Internet of Things (IoT) devices with sexual and reproductive tracking services and found this ever-extending collection of data implicates many beyond the individual including partner, child, and family. Results suggest that digital sexual and reproductive health data privacy is both an individual and collective endeavor.
Nov 2023: Interview: Women of Wearables (WoW)
Dr Maryam Mehrnezhad has done an extensive interview about the CyFer project and its findings with Women of Wearables (WoW), a leading global organisation and ecosystem that brings together like-minded women and allies in health tech, digital health and women’s health from more than 50 countries worldwide. WoW's members are startup founders, designers, technologists, industry experts, researchers, bloggers, journalists, investors, and many more. Read the interview here.
How users (102 UK participants) protect their privacy and security in general vs. FemTech
Examples of user drawings of the FemTech ecosystem
Sep 2023: Blog Post: Challenges of Extracting Data from Social Media: The Case of Women's Health Misinformation
Facebook: Restricted API and Crawler Roadblocks
Twitter: Limited API Access for Researchers
Reddit: Ephemeral Nature of Intimate Health and Misinformation
Conclusion: The Uphill Battle for Researchers
Error when requesting data due to the restricted access to the Twitter API
Aug 2023: CyFer-RISCS Research Day
Examples of Femtech products (IoT, Apps) and their categories. These categories are based on FemTech Analytics, a strategic analytics agency focused on the FemTech sector (femtech.health).
Jul 2023: Blog Post: Women's Health-related Misinformation on Social Media
Apr 2023: White Paper: Towards a research agenda: Tackling violence against women and girls online
Authors: Michalec O, Barker K, Coopamootoo K, Coventry L, Duppresoir F, Edwards M, Johnson S, Johnstone E, Jurasz O, Mehrnezhad M, Moncur W
Summary: This report introduces the topic, presents a review on the recent related work, and provides a set of recommendations based on the literature provided by the REPHRAIN researchers. They include: Defining and measuring online harms, Understanding perpetrators, Developing public services, policies and standards, Co-designing safer technologies, and Improving the police practice and the justice system. As the future research questions and priority areas it provides the following: Defining and measuring online harms, Understanding perpetrators, Developing public services, policies and standards, Co-designing safer technologies, Improving the police practice and the justice system, and Revictimisation. The report concludes with a section on Policy Recommendations.
CyFer exhibition core team and the artists and designers presenting at MozFest 2023!
Jan 2022: Blog Post: The Story behind the CyFer Project
In 2021, I was awarded the CyFer grant by EPSRC PETRAS National Centre of Excellence for IoT Systems Cybersecurity. I have been working with a fantastic team exploring cybersecurity, privacy, bias and trust in female-oriented technologies (FemTech). This proposal was highly praised by the PETRAS peer reviewers and the selection panel, and I am delighted that we went above and beyond via various high-profile activities and outcomes.
CyFer is an international collaboration between academic researchers, industrial partners, artists, designers, etc. The team includes Dr Maryam Mehrnezhad (PI, RHUL), Dr Ehsan Toreini (Co-I, University of Surrey), Dr Teresa Almeida (academic partner, Umea University, Sweden, and ITI/LARSyS, Portugal), Dr Adriano Villalva (RA), Stephen Cook (RA), Dr Laura Shipp (former RA), Joe Bourne (PETRAS Synthesis Fellow, UCL, and Lancaster), Prof Mike Catt (academic partner, Newcastle University), and Swiss Precision Diagnostics (SPD) (industrial partner, makers of the Clearblue pregnancy tests).
CyFer is a result of a collaboration with Teresa Almeida which initially led to a 2021 ACM CHI paper: Caring for Intimate Data in Fertility Technologies. This long-distance collaboration happened thanks to the Covid-19 restrictions, when working with colleagues (and in this case, a dear friend from our PhD time at Newcastle University) across the globe entered a new phase!
We are delightedly completing CyFer by organising two exciting events this summer: CyberMi2 2023 (Cybersecurity and Online Privacy for Minority and Minoritized People, 20 June 2023), and an art exhibition (June- August 2023), both at RHUL. Make sure you visit our exhibition by coming to our beautiful Egham campus. For more information, visit https://sites.google.com/view/maryammjd/cyfer-project. For now, enjoy a glimpse of Elena’s work on privacy notions in FemTech in Figure 1.
People often ask how did I come to work on this topic? I have a background in System Security and have been performing attacks on systems. I have also designed trustworthy systems and contributed to standardisation and industrial practices to prevent such attacks. However, human dimensions have consistently been a part of my work. Currently, a major strand of my research is dedicated to minority and minoritized users in cybersecurity and privacy. I have always dreamt of doing something for women’s rights. But I am not an activist, a lawyer, or a social scientist. I am a cybersecurity expert, and I decided to use my expertise to fulfil this ambition of mine. I did it in CyFer, and I continue to do so in my future projects. If you share the same passion, please get in touch!
Authors: Teresa Almeida, Laura Shipp, Maryam Mehrnezhad, Ehsan Toreini
Abstract: The digitalisation of the reproductive body has seen a myriad of cutting-edge technologies to prioritise neglected intimate health and care topics, such as fertility and contraception. The impact of these intimate data on livelihood and society is pervasive including that privacy is critical to safeguarding security as this increasing digitalisation also produces increasingly large datasets. In this paper, we enquire the collective nature of privacy in female-oriented technologies (FemTech) to show how this ever-extending collection of data implicates many beyond the individual. We introduce a pilot study on the data collection practices of a subset of FemTech devices with fertility tracking service. We demonstrate that data is collected about the user and others, such as their immediate relationships and user groups as a whole. We suggest that it is critical we ask who is vulnerable and discuss approaches to mitigate collective harm.
Sep 2022: CyFer Art Expression of Interest Call
Description: Researchers from the CyFer project, funded by PETRAS, UK, are examining cybersecurity, privacy, ethics and trust in FemTech. Female-oriented technologies (FemTech) promise to enable people to take control of their bodies and lives, helping them overcome the many existing challenges in medical care and research. There is a lack of data about women and other minority and minoritised groups in medical sciences. There is also bias and discrimination in health studies, data sets, and algorithms. FemTech solutions promise to centre these groups in the design and development of their systems. However, the FemTech industry remains largely unregulated. There is a lack of clarity in the law (e.g. GDPR and HIPAA), and in industry and user practice in relation to this extremely sensitive data on different levels i.e. user consent, third-party sharing, and algorithmic bias which may lead to malicious purposes.
Objects find new meanings in a revolution! These are sanitary pads used for preventing bleeding, but not menstrual bleeding! They cover security cameras in metro stations in Iran to stop the Iranian regime from identifying, tracking, arresting, torturing, and killing the protestors! The very same taboo period pads which were once carried in black bags are now means of fighting surveillance! This is the power of a female-led revolution! #Iranrevolution2022 #mahsaamini #womanlifefreedom
Authors: Maryam Mehrnezhad, Laura Shipp, Teresa Almeida, Ehsan Toreini
Abstract: Female-oriented technologies (FemTech) promise to enable women to take control of their bodies and lives, helping them overcome the many existing challenges in medical care and research. From lack of data about women in general, to bias and discrimination in health studies, data sets, and algorithms, FemTech has come a long way to centre women in the design and development of such systems. Yet, the FemTech industry remains largely unregulated, particularly when it comes to security, privacy, and safety. These issues can lead to catastrophe given the highly sensitive nature of the data FemTech technologies handle. In this paper, we show how such threats are already putting women at risk; where in some cases, the lack of proper security and privacy safeguards can put human life at risk. We also present the results of some of our ongoing research on the massive data collection of FemTech about end-users and others (baby, partner, family, etc.). We set an agenda for research on the security and privacy of FemTech and call for a better legal framework to regulate FemTech.
Published by: Newcastle University
Fertility apps house the sensitive data of millions of users globally. Read our blog from Dr Maryam Mehrnezhad on the risks surrounding fertility app users’ privacy.
Authors: Maryam Mehrnezhad, Teresa Almeida
Abstract: Fertility tracking applications are technologies that collect sensitive information about their users i.e. reproductive potential. For many, these apps are an affordable solution when trying to conceive or managing their pregnancy. However, intimate data are not only collected but also shared beyond users knowledge or consent. In this paper, we explore the privacy risks that can originate from the mismanagement, misuse, and misappropriation of intimate data, which are entwined in individual life events and in public health issues such as abortion and (in)fertility. We look at differential vulnerabilities to enquire data’s vulnerability and that of ‘data subjects’. We introduce the General Data Protection Regulation (GDPR) and how it addresses fertility data. We evaluate the privacy of 30 top ‘fertility apps’ through their privacy notices and tracking practices. Lastly, we discuss the regulations and fertility data as critical to the future design of tracking technologies and privacy rights.
This work was also invited to be presented in Fertility Conference 2022, the 15th joint fertility meeting organised by the Association of Reproductive and Clinical Scientists (ARCS), the British Fertility Society (BFS) and the Society for Reproduction and Fertility (SRF), and the 2nd online Fertility meeting.