CyFer: Cyber Security, Privacy, Trust and Bias in FemTech

CyFer Project and Team 

CyFer examines the cybersecurity, privacy, bias and trust in female-oriented technologies (FemTech) such as fertility and period trackers focusing on apps and IoT devices. CyFer is funded by EPSRC PETRAS National Centre of Excellence for IoT systems cybersecurity.  Comments from the reviewers and selection panel: "Very highly praised proposal, both by the Peer Reviewers, and the Selection Panel: This is a clear, well-thought-out proposal. It has far-reaching potential benefits to women, and to industry, in particular. The team are entirely appropriate and have evidenced their specialist expertise via their publications. The issues which this proposal address around FemTech and privacy go beyond the 'normal' levels of privacy violation germane to IoT and cybersecurity, to a deeply intimate level of privacy. It is essential that IoT privacy controls can defend such privacy as a standard."

FemTech promise to enable women to take control of their bodies and lives, helping them overcome the many existing challenges in health and medical care and research. There are already over 1300 FemTech companies offering a huge range of products, with a market size of $40.2 billion in 2020 alone. These technologies gain user-entered data and take body measurements via sensors. By collecting a vast amount of data and processing them through advanced algorithms e.g. AI, these technologies assist in managing reproductive and sexual health, and give scientists more insight about people’s bodies. However, there is a lack of clarity in the law (e.g. GDPR) and the industry practice in relation to this extremely sensitive data on different levels i.e. user consent, third-party sharing, and algorithmic bias which may lead to malicious purposes.  There is evidence that the main audience of these products (women) have been historically discriminated by algorithms (e.g. AI). 

The CyFer project looks to build on the research team’s previous work that demonstrated how the majority of FemTech IoT devices and apps start tracking the user right after the app is open and before any user consent, and how new sensors (e.g. on IoT devices) can put users at serious risk, yet the user perception is far less than the actual risks. The CyFer project looks to achieve its aims by (1) evaluating the security and privacy of FemTech, (2) investigating user perception and practice and (3) studying socio-technical bias and trust in data, algorithms and AI systems.

CyFer is a collaboration between multiple researchers, industrial partners, artists, designers, etc. across the world and we welcome more collaborations. The team members include: 

• Dr Maryam Mehrnezhad (Primary Investigator)

• Dr Ehsan Toreini (Co-Investigator, University of Surrey, UK)

• Dr Teresa Almeida (Academic Partner, Umea University, Sweden, and ITI/LARSyS, Portugal) 

• Dr Adrian Bermudez Villalva (Research Associate) 

• Stephen Cook (Research Assistant)

• Dr Laura Shipp (former Research Associate)

• Joe Bourne (Alan Turing, Lancaster, Formerly at PETRAS and UCL) 

• Prof Mike Catt (Academic Partner, Newcastle University, UK)

• Dr Thyla van der Merwe (Academic Partner, formerly at ETH Zurich, Switzerland) 

• Swiss Precision Diagnostics (SPD) (Industrial partner, makers of the Clearblue pregnancy, ovulation, and fertility tests and monitors)

In August 2022, we invited artists, designers and creative technologists and commissioned 5 teams competitively from an open call. These teams include: 

• Vasiliki Tsaknaki (IT University of Copenhagen, Denmark) 

• Lara Reime (IT University of Copenhagen, Denmark)

• Nadia Campo Woytuk (KTH Royal Institute of Technology, Germany) 

• Nicolas Harrand (RISE Research Institute of Sweden)

• Sian Fan (Interdisciplinary artist, working between Essex and London, UK)

• Elena Falomo (Freelance designer, working between London, Berlin, and Italy)

• Althea Rao (University of Washington, USA)

• Anonymous Iranian Artist

Media and News Coverage

This work is featured in the international and national news, with news articles, interviews, in-print, onilne, and TV. These included (selected) worldwide coverage in media online outlets as listed below, withTV interviews with news segments by TV4 and SVT in Sweden. The latter segment interview saw a follow-up segment by SVT (public broadcasting, number one in Sweden) in which commentary by then Sweden’s Minister for Information Technology, Anders Ygeman (2021) further served to show how critical this research on intimate data and technology was in regards to the general public and the institution of law.

Other examples include: 

Update from March 2024 and BLE attacks

• Women of Wearables (WoW, 2023): Interview with Dr Maryam Mehrnezhad about CyFer

• BBC (related to misinformation, 2023): TikTok: Why do countries think Chinese tech firms are a security risk?

• The British Medical Journal (by Manna Mostaghim, 2023): The Bogus Privacy in FemTech: circumventing consent when collecting sensitive sexual and reproductive health data

• Newcastle University 10 top research & news of 2022 (UK, 2022): Fertility apps and cybersecurity: who can access your data?

• ChronicleLive (UK Local news, 2021): Majority of top-rated fertility apps collect and share 'excessive information'

• Expoknews (Latin American company, Spanish, 2021): Apps de seguimiento menstrual recopilan datos médicos sin control

• Ny Teknik (Swedish technology magazine, 2021): Fertilitetsappar delar känsliga uppgifter: "Mycket osäkert”

• MedTech Magazine (Swedish medical tech magazine, 2021): Fertility apps illegally share sensitive information

• Tekdeeps (International news, 2021): “Before you even open the app, you will be monitored”

• Mashable (Media platform, Italian, 2021): Le app per il ciclo condividono ancora i dati delle donne senza dichiararlo

• Forskning (Norwegian research council, 2021): Fertilitetsappar delar intim data utan tillåtelse

• Fastcompany.com (American business magazine, 2021): Women beware: Free fertility apps are stealing your sex data

• Corriere della Sera (Italian daily newspaper, 2021): App sulla fertilità, che cosa c'è da sapere e funzionano

• Information Security Buzz (Information security news, 2021): University Research Finds that Fertility Apps Collecting and Sharing Sensitive Data Without Users’ Permission

• EurekAlert (International scientific research news platform, 2021): Fertility apps with hundreds of millions of users collect and share excessive information

• Healthcare in Europe (Medical technology forum, 2021): Many fertility apps not exactly fussy about data privacy, study shows

Other Related Papers 

Apart from the papers that we have published in CyFer, we have contributed to other projects and published other papers. Please visit my Google Scholar page for the full list of such papers. 

2024 Outputs

Oct 2024: RH2020s Strategy and CyFer

Respectful, Innovative, Daring, and Open: our RH2030s strategy at Royal Holloway, University of London, outlining what we aspire to achieve in the next decade as a values-led organisation.

This week, many colleagues have been discovering what we do at RHUL in a series of talks, showcases, and other knowledge exchange activities.

We had the pleasure of showcasing our Usable Security and Privacy work via our PETRAS National Centre of Excellence for IoT Systems Cybersecurity CyFer project and REPHRAIN National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online AGENCY Research project.

https://lnkd.in/ex5mnGyP

Stephen Cook and Adrian Bermudez Villalva from the Information Security Department, joined me in a research showcasing event discussing their work on the security and privacy of medical IoT Bluetooth and apps in FemTech and Assistive tech, and online hate detection.

Our work is certainly:

- Respectful: via its inherited inclusive lens focusing on at-risk groups,

- Innovative: due to its interdisciplinary nature across engineering, CS, social and health sciences,

- Daring: challenging the traditional approaches and proposing participatory methods, and

- Open: via reproducibility opportunities that we offer in the outcomes.

We had fantastic conversations with colleagues across disciplines and projects, highlighting the importance of collaborative work to be a forward-thinking university of social purpose: https://lnkd.in/ejM69pvB

Sep 2024: Paper: Bluetooth Security Analysis of General and Intimate IoT devices and Apps: The Case of FemTceh, Int J of Info Security

Authors: Stephen Cook, Maryam Mehrnezhad, Ehsan Toreini

Abstract: Digital health products are increasing faster than ever. These technologies (e.g., apps and connected devices) collect massive data about the users including health, medical, sex life, and other intimate data. In this paper, we study a set of Internet of Thing (IoT) devices which are advertised for general and/or intimate health purposes of female bodies (also known as female-oriented technologies or FemTech). We particularly focus on the security and privacy of the Blue-tooth connection between the IoT device and the mobile app. 

Our results highlight the serious vulnerabilities present in the current off-the-shelf FemTech devices. These vulnerabilities include unencrypted Bluetooth traffic, insecure Bluetooth authentication and undocumented Bluetooth services. We implement Bluetooth attacks to intercept and manipulate the communication between these devices and apps resulting in the malfunctioning of their corresponding Android app. We discuss our results and provide a set of recommendations for different stakeholders to improve the security and privacy practices of Bluetooth-enabled IoT devices in such a sensitive and intimate domain.

July 2024: CyFer and AGENCY at Vagina Mueseum 

On Saturday, 13 July 2024, some members of the CyFer and AGENCY Research team presented some of our work on gender and cybersecurity, online privacy, safety and trust in AI/ML and digital health and medical technologies.

This event (Tech Back Your Bits!) was organised by bleepDigital, hosted by Vagina Museum in London. Thanks to Isabel Straw for inviting me to be a panel member and our team to have a station to engage with the public. Shout out to the other panelists for all the thought-provoking conversations: Nikolaos Koukopoulos (KCL), Shakir Mohamed (Google DeepMind), and Xiao Liu (NHS).

From the AGENCY team, Adrian Bermudez Villalva (Research Fellow at Royal Holloway, University of London) discussed his recent work on the measurement of online hate. We will publish the results of this study soon (stay tuned!) Ehsan Toreini (University of Surrey) and Zoya Pourmirza (University of Birmingham) had conversations with the people who visited our station on how the complex risks and harms of modern technologies need to be identified and addressed now. Taylor Leigh Robinson and I focused on FemTech (e.g., menopause tech) and the differential risks of such technologies on people. More: https://lnkd.in/ex5mnGyP

During my conversations with the attendees and later with the other panelists, I realised how we all need to continue these important conversations around the usability, and indeed, the "abusability" of emerging technologies to make sure that ALL people are entitled to use emerging tech to improve the quality of their lives without RISK and FEAR. At some point, I compared AI with nuclear tech or genetic sciences! That is how much I am concerned about the abusability of AI on issues such as bias and discrimination, misinformation, deepfake and image-based sexual abuse and at-risks groups such as children. Please share your thoughts with us!

Thanks to my friends and colleagues who came to the event to support us. A few people indicated that they know us from Linkedin and X (kudos to these platforms)! If you have not had a chance to discuss your ideas and thoughts with us, please email us.

AGENCY Research is funded by EPSRC (via REPHRAIN National Research Centre on Privacy, Harm Reduction and Adversarial Influence Online) and is a large multi-disciplinary project working on "Assuring Citizen Agency in a World with Complex Online Harms". See the project page here: https://lnkd.in/enwxs3wW

May 2024: CyberMi2 Research Day

On 24 May 2024, we had a successful second CyberMi2 Research Day, which was dedicated to Inclusive Cybersecurity and Privacy for marginalised users. Please visit here: https://lnkd.in/et2H5K8U

It was a pleasure to partner with Research Institute for Sociotechnical Cyber Security (RISCS) and AGENCY Research. CyberMi2'24 included a series of talks on topics such as smart home, digital health, image-based sexual abuse, animal tech, assistive technologies, online hate, misinformation, gender tech abuse, and beyond.

We all enjoyed the activities designed for early career researchers for expanding their networks including presenting their work, round-table discussions, and social dinners.

While it might look easy, so much work goes behind the scenes to organise such events. From the AGENCY Research project, Aad van Moorsel, Sheena Robertson, Helen Orpin, and Zoya Pourmirza helped us deliver this day at University of Birmingham. Ehsan Toreini, Adrian Bermudez Villalva, Stephen Cook, and Christian Weinert from Royal Holloway, University of London and University of Surrey contributed to organising the event. It is almost impossible to detect that some of these people have been photoshopped in the group photo 😎

I would like to sincerely thank all the speakers and attendees who contributed to all the fantastic conversations. We continue to work on such important topics to enable citizens to use modern technologies and improve the quality of their lives without risk and fear. Please visit here: https://lnkd.in/et2H5K8U

May 2024: CyFer Mini Conference and Visit to SPD (Clearblue)

Today, we had the pleasure to have a mini research conference with our industry partner SPD Swiss Precision Diagnostics, visiting them at their office in Bedford.

Rebecca Jones, Taylor Leigh Robinson, and I (Royal Holloway, University of London) presented our work on FemTech Security and Privacy, more specifically on Menopause tech.

Thank you Stephen Carlisle and Lawrence Lilley for hosting us, and all the other wonderful people from SPD who presented and contributed to our discussions.

We have worked with SPD since 2020 in our PETRAS National Centre of Excellence for IoT Systems Cybersecurity CyFer project, and continue to work with them as partners in EPSRC AGENCY Research.

For knowing about our collaborative work on Digital health and Cybersecurity and Privacy visit:

https://lnkd.in/ex5mnGyP

Mar 2024: Blog: Research exposes security, privacy, and safety issues in FemTech

We have published an extensive blog post summarising our findings in our recent publication at Frontiers Journal in IoT

Research exposes security, privacy and safety issues in female technology apps used to track fertility, menopause and monthly cycle

Academics are calling for regulatory action after their research highlighted security and privacy risks and concerns in female-oriented technologies (FemTech) used in devices for period-tracker mobile apps and fertility and menopause smart and connected devices.

Experts at Royal Holloway, Newcastle University, and University of London and ETH Zurich, have identified significant security, privacy, and safety issues surrounding FemTech, which can pose a potential threat to users.

These threats include the apps accessing users contacts, camera, microphone, location and other personal data (e.g., medical scans) and also system Settings and other Accounts, imposing security and privacy risks. These apps and IoT devices collect a wide range of data about users, their relatives (children, partner, family) and their bodies and environments via embedded sensors. It has been shown that such practices can reveal very sensitive and intimate information about users (e.g., sex, fertility, and medical data) and eventually be associated to risks such as pregnancy redundancy and tech abuse cases such as tracking one’s cycle without their permission.  

Some FemTech solutions share user data without third parties including employers. The authors challenge how and if this data can benefit health care in situations that a pregnancy can impact one’s career. For example, pregnancy redundancy in the workplace is an issue for women, including in the UK where pregnancy-related discrimination still fails to guarantee effective job-protections i.e. not being terminated or demoted due to taking parental/maternity leave.

Publishing the findings in the journal Frontiers in the Internet of Things and Symposium on Usable Privacy and Security Workshop, the authors are calling on policymakers to explicitly acknowledge and accommodate the risks of these technologies in the relevant regulations.

FemTech is a term applied to the collection of digital technologies focused on women’s health and wellbeing. FemTech includes applications, software and wearable devices, and could range from mobile period apps and fertility-tracking wearables to IVF services on the blockchain. The market is estimated to reach more than $75b by 2025. The devices and apps reviewed in this study include a breast smart pump, cycle and fertility trackers (e.g., bracelets and rings), a smart bottle, Kegel trainers, sex toys, menopause management solutions, a pill organiser, and general health trackers.

The data collected by such technologies can be related to regulations around general data protection, work discrimination, software, apps, IoT, medical and health, and human rights. The team reviewed the existing regulations related to FemTech in the UK, EU, and Switzerland to identify gaps in regulations, compliance practices of the industry and enforcements by running experiments on a range of FemTech smart devices, apps, and websites.

Their analysis of FemTech-related regulations shows they are inadequate in addressing the risks associated with these technologies. The EU and UK medical devices regulations don’t have any references to FemTech data and user protection. The GDPR and Swiss FADP have references to sensitive and special category data which overlap with FemTech data. However, the industry practices include many non-complaint practices in data collection and sharing.

The study also focussed on industry non-compliance. The team identified a range of inappropriate security and privacy practices in a subset of FemTech systems. The research shows that these systems do not brand as medical devices, do not present valid consent and do not give extra protection to sensitive data, and track users without consent. The authors show that, not only is such intimate data collected by FemTech systems, but also this data is processed and sold to third parties.

The findings have exposed a lack of research and guidelines for developing cyber-secure, privacy-preserving and safe products.

Study author, Dr Maryam Mehrnezhad, Senior Lecturer at Royal Holloway said: “We have identified multiple threat actors interested in FemTech data such as fertility and sex information. They include partner(s) or ex-partner(s), family members, employers, cyber-criminals, insurance companies, ad companies, research companies, religious and political entities, and even the governments.”

She adds: “Take the case of partner and ex-partner as an example. Many of the FemTech solutions e.g., sex toys and fertility apps provide an option for partners to participate in the experience and track their partner’s sexual and reproductive health input to the system. In some cases, access to partner’s intimate data forcefully or without consent is a way of maintaining control, enabling tech abuse such as gender-based violence and domestic violence. Cyberstalking is another serious issue, which could be enabled by the

extra tracking functionality of FemTech. Not safeguarding such data in these products would put users at differential risks.”

Professor Mike Catt of Newcastle University is one of the study authors. He said: “We urge regulatory bodies to update and strengthen guidelines to ensure the development and use of secure, private, and safe FemTech products. Many of the apps surveyed access mobile and device resources too. Some of these permissions are marked as dangerous, according to Google’s protection levels. Such access potentially exposes contacts, camera, microphone, location and other personal data. Some specific permissions, such as access to system Settings and other Accounts on the device, also impose security and privacy risks. Access to sensors on the mobile phone can also be used to break user privacy. Users deserve better protection, especially where this relates to sensitive personal health and gender data.”

Dr Maryam Mehrnezhad added: “We have been conducting security and privacy research on this topic since 2019. Apart from our system studies, our user studies also highlight that end-users are indeed concerned about their intimate and sensitive data being handled by FemTech products. We constantly share our research results with the industry and related regulatory bodies, such as the Information Commissioner's Office. We hope to see better collaborative efforts across the stakeholders to enable the citizens to use FemTech solutions to improve the quality of their lives without any risk and fear.”

According to data from the German online platform, Statista, which specialises in data gathering, the FemTech market is worth almost $65 billion and is projected to grow to more than$100 billion in 2030. 

This research was supported by the UKRI EPSRC PETRAS CyFer and AGENCY projects. These multi-disciplinary research teams are working with other stakeholders on the complex risks and harms of modern technologies such as FemTech to mitigate these risks and to design privacy-preserving, cyber-secure, and safe products which are inclusive.

Reference

[1] Mehrnezhad, van der Merwe, Catt, Mind the FemTech Gap: Regulation Failings and Exploitative Systems, Journal of Frontiers in IoT, 2024, earlier version at: Privacy Engineering in Practice (PEP), Symposium on Usable Privacy and Security Workshop, USA, 2023

Open access link: https://pep23.com/assets/pdf/pep23-paper6.pdf

[2] Mehrnezhad, and Almeida. "" My sex-related data is more sensitive than my financial data and I want the same level of security and privacy": User Risk Perceptions and Protective Actions in Female-oriented Technologies." The European Symposium on Usable Security, ACM, Denmark, 2023

Open access link: https://dl.acm.org/doi/fullHtml/10.1145/3617072.3617100

Mar 2024: Paper: Mind the FemTech Gap: Regulation Failings and Exploitative Systems, Frontiers Journal in IoT

Previously published at: PEP (SOUPS Workshop)

Authors: Maryam Mehrnezhad, Thyla ven der Merwe, Mike Catt

Abstract: We study the female-oriented technologies (FemTech) ecosystem including regulations, IoT systems, mobile apps, and web-sites and reveal the exploitative patterns embedded in such systems due to inadequate regulations and/or enforcement. We advocate for the policymakers to explicitly acknowledge and accommodate the risks of these technologies in the relevant regulations.

Feb 2024: Panel Discussion: Citizens’ Rights and the Cybersecurity Implications of Wearable Technologies, PETRAS Summit

In Feb 2024, I (Dr Maryam Mehrnezhad) participated in a panel during PETRAS National Centre of Excellence for IoT Systems Cybersecurity flagship summit: We Are Connected – Are We Protected?

Together with Peter Novitzky, Julie Dawson (Yoti), and Mike Hobby (Cambridge Consultants), we discussed Citizens’ Rights and the Cybersecurity Implications of Wearable Technologies.

You can watch the video here: https://lnkd.in/e6f488_8

I specifically highlighted these issues in the context of FemTech, which I have been working on since 2019: https://lnkd.in/ex5mnGyP

We continue this research via the AGENCY Research! If you are active in this field (or wish to) and want to have a chat, this is the best time since my teaching at Royal Holloway, University of London is over for this semester ;)

Jan 2024: Paper: The Importance of Collective Privacy in Digital Sexual and Reproductive Health, UK Fertility

Authors: Teresa Almeida, Maryam Mehrnezhad, Stephen Cook

Accepted in the 17th Annual UK Fertility Conference 2024. Abstract version here, All papers, here. 

Abstract: There is an abundance of digital sexual and reproductive health technologies that presents a concern regarding their potential sensitive data breaches. We analyzed 15 Internet of Things (IoT) devices with sexual and reproductive tracking services and found this ever-extending collection of data implicates many beyond the individual including partner, child, and family. Results suggest that digital sexual and reproductive health data privacy is both an individual and collective endeavor.

2023 Outputs

Dec 2023: 360 Tour of CyFer Art Exhibition  

We are super excited to release the virtual 360 tour of our CyFer exhibition: https://lnkd.in/dK4xSzQe (visit the exhibition with your mobile, tablet, or laptop)!

CyFer is an interdisciplinary project with over 20 international academic and industrial partners as well as designers and artists who work on the cybersecurity, privacy, bias, and trust in female-oriented technologies (FemTech), a subset of digital health tech e.g., apps, websites, and IoT devices dealing with sensitive and intimate health, medical, and sex data.

This high-quality art-science project is brought to you by the excellent Royal Holloway, University of London Culture team (https://lnkd.in/d8UxTRzn), more specifically, Dr Naomi Lebens and Margaid (Peggy) Ainsworth.

The core team behind the CyFer exhibition is Joe Bourne (The Alan Turing Institute), Teresa Almeida (Umeå University), Ehsan Toreini (University of Surrey) and myself.

This work is sponsored by PETRAS National Centre of Excellence for IoT Systems Cybersecurity, Research Institute for Sociotechnical Cyber Security (RISCS), and RHUL gender institute; special thanks to Prof Laura Sjoberg and Josephine Carr.

The artists who delivered this world-class collection include: Vasiliki Tsaknaki, Lara Reime, Nadia Campo Woytuk, Nicolas Harrand, Elena Falomo, Mengxi "Althea" Rao, and Sian Fan (her CyFer work also appeared in the Victoria and Albert Museum)! This selection was also featured in the Mozilla Festival (MozFest 2023).

For more information about this collection, visit:

- the 360 tour (https://lnkd.in/dK4xSzQe),

- the PETRAS page (https://lnkd.in/e5JnP_HV), and

- the CyFer project (https://lnkd.in/ex5mnGyP)

Don't forget to share your thoughts and ideas with us!

Here is the digital copy of the brochure. I have plenty of the printed ones in my office. If you are around, come and get one. 

Nov 2023: Interview: Women of Wearables (WoW)

Dr Maryam Mehrnezhad has done an extensive interview about the CyFer project and its findings with Women of Wearables (WoW), a leading global organisation and ecosystem that brings together like-minded women and allies in health tech, digital health and women’s health from more than 50 countries worldwide. WoW's members are startup founders, designers, technologists, industry experts, researchers, bloggers, journalists, investors, and many more. Read the interview here. 

Oct 2023: Paper: User Risk Perceptions and Protective Actions in FemTech, EuroUSEC

Authors: Maryam Mehrnezhad, Teresa Almeida 

Full title: "My sex-related data is more sensitive than my financial data and I want the same level of security and privacy": User Risk Perceptions and Protective Actions in FemTech

Abstract: The digitalization of the reproductive body has engaged myriads of cutting-edge technologies in supporting people to know and tackle their intimate health. Generally understood as female technologies (aka female-oriented technologies or 'FemTech'), these products and systems collect a wide range of intimate data which are processed, transferred, saved and shared with other parties. In this paper, we explore how the "data-hungry" nature of this industry and the lack of proper safeguarding mechanisms, standards, and regulations for vulnerable data can lead to complex harms or faint agentic potential. We adopted mixed methods in exploring users' understanding of the security and privacy (SP) of these technologies. Our findings show that while users can speculate the range of harms and risks associated with these technologies, they are not equipped and provided with the technological skills to protect themselves against such risks. We discuss a number of approaches, including participatory threat modelling and SP by design, in the context of this work and conclude that such approaches are critical to protect users in these sensitive systems.

Sep 2023: CyFer Exhibition Work at the V&A Museum

We are please to see one of our art pieces- Secret Keeper, in the CyFer Exhibition is featured in the Digital Week of Victoria and Albert Museum in Sep 2023. Secret Keeper is an art design which is challenging the notion of "privacy", in response to our CyFer Exhibition call. 

Seekret Kepper is created by Sian Fan's and is also internationally featured in Urban Screens, Sydney, Australia. 

Sep 2023: Blog Post: Challenges of Extracting Data from Social Media: The Case of Women's Health Misinformation

Author: Dr Adrian Bermudez-Villalva (adriano.bermudezvillalva@rhul.ac.uk) 

In the field of cybersecurity research, gathering data from social media platforms has become an essential task for understanding various trends, behaviours, and patterns on the internet. However, when it comes to sensitive and intimate topics such as women's health and misinformation, researchers face a multitude of challenges in extracting relevant data from popular platforms like Facebook, Twitter, and Reddit [1]. In this blog post, we will explore the difficulties researchers encounter and the limitations imposed by the social media giants, which hinder their efforts to acquire valuable data.

Facebook: Restricted API and Crawler Roadblocks

Being one of the largest social media platforms, Facebook poses significant challenges for researchers trying to access public posts containing content regarding topics such as women's health such as abortion. The primary obstacle is the restrictive nature of Facebook's API (Application Programming Interface), which severely limits the type of data that can be extracted from the platform.

To bypass the limitations of the API, some researchers resort to web crawling methods, often utilising tools like Selenium to extract data from Facebook. While this approach seems promising, it comes with its own set of difficulties:

1.     Account Blocking: Facebook employs stringent anti-scraping measures to protect user privacy and platform integrity. As a result, researchers who create dedicated accounts for web crawling purposes are likely to encounter account blocks and restrictions due to the platform's automated security measures.

2.     Account Verification: The process of creating multiple Facebook accounts for data extraction is further complicated by the mandatory verification requirements, which involve phone numbers and other personal information. This makes it challenging for researchers to create the necessary number of accounts for their studies.

3.     Dynamic Website Elements: Facebook's web interface is highly dynamic, relying heavily on JavaScript to generate and display content. Consequently, web crawlers built with Selenium or other tools often struggle to locate and extract the required data consistently, as the website structure may change frequently [2].

4.   Ethical and Legal Considerations: While web scraping itself might not be illegal, scraping Facebook's data can raise ethical and legal questions, as it involves accessing user-generated content without explicit consent from all parties involved [3].

Twitter: Limited API Access for Researchers

Twitter, another prominent platform, has historically provided academic researchers with access to its API, allowing them to collect valuable data for various studies, including those related to misinformation. However, the landscape has changed, and researchers now face significant obstacles:

1.     API Restrictions: Twitter's API access for academic researchers has been severely limited, leaving researchers with reduced access to public posts and historical data [4]. As a result, studies focusing on timely topics such as intimate health and women's health misinformation may face data scarcity and incompleteness.

2.     Challenges in Data Collection: The limited API access hinders researchers' ability to gather real-time data from Twitter, which can be crucial for tracking and analysing the rapid spread of misinformation.

3.     Lack of Data Granularity: With restricted API access, researchers may struggle to obtain detailed information such as user demographics, retweet networks, and engagement metrics, limiting the depth of analysis possible.

Reddit: Ephemeral Nature of Intimate Health and Misinformation

Reddit is a popular platform with various subreddits dedicated to discussions on intimate topics such as women's health. However, extracting misinformation content from Reddit poses unique challenges:

1.     Content Moderation: Reddit's content moderation is a combination of actions taken by both human central administrators, automated programs and community users [5]. As a result, posts containing misinformation related to women's health are swiftly removed within seconds or minutes after publication, making it extremely challenging to capture such content for research purposes.

2.     Transparency and Access: Reddit's API provides limited access to historical data, and the platform does not offer a comprehensive way to retrieve deleted posts. This lack of transparency hinders researchers from gaining insights into the spread and impact of misinformation over time.

Conclusion: The Uphill Battle for Researchers

As cybersecurity researchers in academia, the pursuit of knowledge about intimate health and other sensitive topics such as misinformation related to vaccine and women’s health on social media platforms is key to develop countermeasures to tackle this issue. However, the challenges imposed by restricted APIs, web crawling complexities, and limitations in historical data access have turned this endeavour into an uphill battle. To bridge the gap between cybersecurity research and understanding the nuances of misinformation, it is imperative for social media platforms to collaborate with academic institutions, facilitating responsible access to data and fostering a culture of open and transparent research.

As we move forward, it is crucial for researchers, policymakers, and social media platforms to work together to find ethical and sustainable solutions that empower researchers to explore the intricate landscape of misinformation and ultimately contribute to a safer and more informed online environment.

If you are an active researcher in this field and have expertise and experience to offer, please get in touch via emailing Adrian (adriano.bermudezvillalva@rhul.ac.uk).

References

1. Stieglitz, S., Mirbabaie, M., Ross, B., & Neuberger, C. (2018). Social media analytics–Challenges in topic discovery, data collection, and data preparation. International journal of information management, 39, 156-168.

2. Deen Freelon (2018) Computational Research in the Post-API Age, Political Communication, 35:4, 665-668, DOI: 10.1080/10584609.2018.1477506.

3. Mancosu, M., & Vegetti, F. (2020). What You Can Scrape and What Is Right to Scrape: A Proposal for a Tool to Collect Public Facebook Data. Social Media + Society, 6(3).

4. Davidson BI, Wischerath D, Racek D, et al. Social Media APIs: A Quiet Threat to the Advancement of Science. PsyArXiv; 2023.

5. Shagun Jhaver, Iris Birman, Eric Gilbert, and Amy Bruckman. 2019. Human-Machine Collaboration for Content Regulation: The Case of Reddit Automoderator. ACM Trans. Comput.-Hum. Interact. 26, 5, Article 31 (October 2019), 35 pages.

Aug 2023: CyFer-RISCS Research Day

Title: CyFer-RISCS Networking Event and CyFer Exhibition tour, 6th Sept 2023

Date/Time: Wednesday 6th September 2023, 12:00 – 17:00 

Venue: Emily Wilding Davison Exhibition and Event Spaces, Royal Holloway University London, Egham, TW20 0EX 

Description: Join an interdisciplinary networking event with a visit to an art exhibition associated with CyFer (an EPSRC PETRAS-funded project). We will have a series of talks and round table discussions about the complex risks and harms of modern technologies and the key role of knowledge exchange to diverse audiences. We would like to identify the research challenges and opportunities of communicating science via art and form new research and activity ideas and collaborations.

Agenda:

12-1 pm Lunch and networking

1:30-2 pm Dr Maryam Mehrnezhad: Welcome talk (Title: CyFer: Cybersecurity, privacy, bias and trust in FemTech)

2-3 pm CyFer Art-Science Exhibition Tour

2-3 pm Tea/Coffee break

3-3:45 pm Dr Ola Michalec: Talk (Title: Artistic responses to research exploring human dimensions of digital energy transformation)

3:45-4:45 pm Breakout sessions

• Lead 1: Dr Adrian Bermudez Villalva (topic: Misinformation on social media: Research challenges and opportunities)

• Lead 2: Scott Harper (topic: PETs for pets: A different approach for privacy enhancing technologies in animal tech) 

• Lead 3: Taylor Robinson (topic: Bodily changes through life: The case of menopause)

4:45-5 pm Prof Genevieve Liveley (RISCS Director) closing remarks

Jun-Sep 2023: CyFer Art Exhibition

We are excited to present the artists and designers who will participate in the CyFer project‘s extraordinary artistic exhibition from 19 June to 10 September 2023. The artworks and designs presented will respond to scientific research on the privacy, security, and ethics of female-oriented technology at The Exhibition Space, Royal Holloway, University London. Artists and designers from around the world have contributed sculptures, textiles, digital art, and interactive experiences that encourage visitors to reflect on the security and privacy of their personal medical information, as well as their expectations regarding menstruation and fertility data. The CyFer exhibition core team includes Maryam Mehrnezhad, Joe Bourne, Teresa Almeida, and Ehsan Toreini. 

Jul 2023: Blog Post: Women's Health-related Misinformation on Social Media

Author: Dr Adrian Bermudez-Villalva (adriano.bermudezvillalva@rhul.ac.uk) 

• This post is featured in the ISG's Newsletter of 2023 (Page 7). 

The rise of social media has brought about a revolution in the way people access and share information. While this has created new opportunities for people to connect and learn, it has also led to an increase in the spread of misinformation [1]. This is particularly problematic when it comes to women's health, where misinformation can have serious consequences such as poor health outcomes, anxiety, and confusion. Misinformation about women's health on social media is widespread and takes many forms. Some common examples include misinformation on contraceptive methods, pregnancy, childbirth, menstrual health, breast cancer, and menopause [2]. For example, some posts suggest that unassisted home births are safer and preferable to hospital births, where they can be dangerous to both mother and baby. Another example of misinformation is on COVID-19 vaccination, with posts claiming that these vaccines cause infertility [3].

Women who are exposed to inaccurate information may make poor decisions regarding their reproductive health, delaying or avoiding important medical care, or choosing treatments that are not based on scientific evidence. This can lead to negative health outcomes, such as unintended pregnancies, untreated sexually transmitted infections, delayed diagnosis and treatment of breast cancer, and unnecessary anxiety surrounding (in)fertility as well as menopause.

In the CyFer project, funded by the EPSRC PETRAS National Centre of Excellence for IoT Systems Cybersecurity, we are exploring the issue of misinformation related to women’s health on social media. The team working on this aspect of CyFer includes myself (Dr Adrian Bermudez-Villalva, Research Associate), Dr Maryam Mehrnezhad (PI), and Dr Ehsan Toreini (Co-I). We are analysing social media content to measure the prevalence of misleading information related to several aspects of women’s health. We are developing a crawler to extract posts from various platforms such as Facebook by using different keywords related to health misinformation themes. To analyse the text contained in the posts, we use natural language processing (NLP), a branch of AI that uses computational techniques to analyse and understand human language. Once the content containing misinformation has been identified, the next step is to extract key information from the content, such as the topics being discussed, the sources of the misinformation, and the sentiment of the content.

To tackle the issue of misinformation surrounding women's health on social media, a multi-disciplinary approach is necessary. Information security plays an important role in identifying and preventing the spread of misinformation on social media in order to protect users from a range of complex risks and harms. One example of such measures is the use of content moderation. Content moderation refers to the process of reviewing and removing content that violates the policies of a social media platform. Social media platforms can use content moderation to remove false information related to women's health, which can help to reduce the spread of misinformation. Another measure is the use of data analysis to identify patterns in the spread of misinformation related to women's health. By analyzing data on how false information is spread, social media platforms can develop strategies to address the issue and prevent the spread of misinformation. Social media platforms can also use ML algorithms to identify misinformation related to women's health. ML algorithms can be trained to recognize patterns and identify content that is likely to be false or misleading. By using ML, social media platforms can proactively identify and remove misinformation and the accounts associated with them.

While technical measures such as content moderation, data analysis, and the use of ML algorithms can help to mitigate the spread of false information, it is not enough. Tackling misinformation in the context of women’s health is a complex problem since it is happening not only on social media platforms, but also other places such as forums, darknet, and via communication tools too. Therefore, addressing it comprehensively requires collaboration between information security experts, medical professionals, AI and ML experts, policymakers, industrial partners, and the end users. By working together, we can help to ensure that accurate and reliable information is shared on social media platforms and that women are empowered to make informed decisions about their health and wellbeing.

Bio: I have a PhD in Security Science from University College London (UCL). I have been working on various topics related to cybersecurity and cybercrime where I used data-driven approaches to measure and understand malicious activities on the Internet. My research consisted of conducting experiments, data collection and analysis to study different types of illegal activities on the Internet such as data theft, malvertising and black markets [4,5].

References:

1. Systematic literature review on the spread of health-related misinformation on social media. Social science & medicine, 240, 112552.

2. Nature and diffusion of gynecologic cancer–related misinformation on social media: analysis of tweets. Journal of Medical Internet Research, 20(10), e11515.

3. Widespread misinformation about infertility continues to create COVID-19 vaccine hesitancy. Jama, 327(11), 1013-1015.

4. A measurement study on the advertisements displayed to web users coming from the regular web and from tor. In 2020 IEEE European Symposium on Security and Privacy Workshops (EuroS&PW) (pp. 494-499). IEEE.

5. The shady economy: Understanding the difference in trading activity from underground forums in different layers of the web. In 2021 APWG Symposium on Electronic Crime Research (eCrime) (pp. 1-10). IEEE.

Jun 2023: CyberMi2 Research Day

To celebrate the end of our CyFer project, we had a research day to initiate CybeMi2 (Cybersecurity and Privacy for Minority and Minoritized People). CyberMi2 2023 took place on the 20th of June 2023 at RHUL. This was an invitation-only event where my team and those who have been collaborating with us present their work on security and privacy (SP) and minority and minoritized users. The majority of research this year was related to gender and SP. We had participants from academia, industry, government, and the regulatory sectors. See the agenda here. 

May 2023: Paper: Intimate Data: Perceptions of Privacy and Privacy-Seeking Behaviors through the SCM, IFIP INTERACT

Authors: Diana P. Moniz, Maryam Mehrnezhad, Teresa Almeida 

Abstract: Privacy is a fundamental human right in the digital age. With the proliferation of intimate health technologies, such as datadriven apps and connected devices that track bodily care and sensitive topics, privacy is increasingly critical. In this paper, we explore the complexity of intimate data and user perspectives and the choices they make to protect themselves. We introduce a story completion study with 27 participants to examine individuals’ concerns about data privacy, their protective or avoidant actions, and the potential mismatches between privacy concerns and actual behaviors. We suggest future research that combines User-Tailored Privacy (UTP) and participatory threat modeling to create privacy solutions that account for users’ needs and the potential risks and harms associated with the use of their data.

Apr 2023: White Paper: Towards a research agenda: Tackling violence against women and girls online

Authors: Michalec O, Barker K, Coopamootoo K, Coventry L, Duppresoir F, Edwards M, Johnson S, Johnstone E, Jurasz O, Mehrnezhad M, Moncur W

Summary: This report introduces the topic, presents a review on the recent related work, and provides a set of recommendations based on the literature provided by the REPHRAIN researchers. They include: Defining and measuring online harms, Understanding perpetrators, Developing public services, policies and standards, Co-designing safer technologies, and Improving the police practice and the justice system. As the future research questions and priority areas it provides the following: Defining and measuring online harms, Understanding perpetrators, Developing public services, policies and standards, Co-designing safer technologies, Improving the police practice and the justice system, and Revictimisation. The report concludes with a section on Policy Recommendations.

Mar 2023: Mozilla Festival: CyFer Creative Exchange

In this extended workshop in MozFest 2023 you will meet researchers and artists in an interactive experience of creative responses to research challenges on the privacy, ethics, trust and security of female oriented technology.

The “FemTech industry” remains largely unregulated. There is a lack of clarity in the law and uncertainty concerning industry and user practice in relation to this extremely sensitive data on different levels i.e. user consent, third-party sharing, and algorithmic bias which may lead to malicious purposes.

The event will provide a short exploration of the research problems and why PETRAS invited artists to address these with us. You will be given two twenty-minute opportunities to interact with two artists/designer’s work in depth. Following these two interactions, we will all come back together as a group to share reactions and discuss the privacy, ethics, trust and security of female oriented technology.

The session will be led by PETRAS’s Synthesis Research Fellow; the CyFer research team from Royal Holloway University of London, Surrey University and Umeå University, and the five artists/designers who joined this creative exchange.

There will be lots of space in this session to ask questions to both the research team about the science and the artists/designers concerning their methods, experience and the meanings of their work.

2022 Outputs

Oct 2022: Paper: Bodies Like Yours: Enquiring Data Privacy in FemTech, ACM NordicCHI

Authors: Teresa Almeida, Laura Shipp, Maryam Mehrnezhad, Ehsan Toreini

Abstract: The digitalisation of the reproductive body has seen a myriad of cutting-edge technologies to prioritise neglected intimate health and care topics, such as fertility and contraception. The impact of these intimate data on livelihood and society is pervasive including that privacy is critical to safeguarding security as this increasing digitalisation also produces increasingly large datasets. In this paper, we enquire the collective nature of privacy in female-oriented technologies (FemTech) to show how this ever-extending collection of data implicates many beyond the individual. We introduce a pilot study on the data collection practices of a subset of FemTech devices with fertility tracking service. We demonstrate that data is collected about the user and others, such as their immediate relationships and user groups as a whole. We suggest that it is critical we ask who is vulnerable and discuss approaches to mitigate collective harm.

Aug 2022: Paper: Vision: Too Little too Late? Do the Risks of FemTech already Outweigh the Benefits?, EuroUSEC

Authors: Maryam Mehrnezhad, Laura Shipp, Teresa Almeida, Ehsan Toreini

Abstract: Female-oriented technologies (FemTech) promise to enable women to take control of their bodies and lives, helping them overcome the many existing challenges in medical care and research. From lack of data about women in general, to bias and discrimination in health studies, data sets, and algorithms, FemTech has come a long way to centre women in the design and development of such systems. Yet, the FemTech industry remains largely unregulated, particularly when it comes to security, privacy, and safety. These issues can lead to catastrophe given the highly sensitive nature of the data FemTech technologies handle. In this paper, we show how such threats are already putting women at risk; where in some cases, the lack of proper security and privacy safeguards can put human life at risk. We also present the results of some of our ongoing research on the massive data collection of FemTech about end-users and others (baby, partner, family, etc.). We set an agenda for research on the security and privacy of FemTech and call for a better legal framework to regulate FemTech.

2021 Outputs

May 2021: Blog post: Fertility Apps and Cybersecurity: Who Can Access Your Data?

Published by: Newcastle University

Fertility apps house the sensitive data of millions of users globally. Read our blog from Dr Maryam Mehrnezhad on the risks surrounding fertility app users’ privacy. 

April 2021: Paper: Caring for Intimate Data in Fertility Technologies, ACM CHI

Authors: Maryam Mehrnezhad, Teresa Almeida

Abstract: Fertility tracking applications are technologies that collect sensitive information about their users i.e. reproductive potential. For many, these apps are an affordable solution when trying to conceive or managing their pregnancy. However, intimate data are not only collected but also shared beyond users knowledge or consent. In this paper, we explore the privacy risks that can originate from the mismanagement, misuse, and misappropriation of intimate data, which are entwined in individual life events and in public health issues such as abortion and (in)fertility. We look at differential vulnerabilities to enquire data’s vulnerability and that of ‘data subjects’. We introduce the General Data Protection Regulation (GDPR) and how it addresses fertility data. We evaluate the privacy of 30 top ‘fertility apps’ through their privacy notices and tracking practices. Lastly, we discuss the regulations and fertility data as critical to the future design of tracking technologies and privacy rights. 

This work was also invited to be presented in Fertility Conference 2022, the 15th joint fertility meeting organised by the Association of Reproductive and Clinical Scientists (ARCS), the British Fertility Society (BFS) and the Society for Reproduction and Fertility (SRF), and the 2nd online Fertility meeting.