Ethan Cook (12:31)

Perspectives is back with an all new season. This season is all about change. Whether it be emerging technologies like AI, shifting governmental roles or evolving threats, we are sitting down with security experts and getting their insights to help you make sense of these changes.

Kim Jones (12:47)

We are part of a larger ecosystem and if you look at the largest cyber incidents, they have massive downstream effects.

Ethan Cook (12:54)

I'm Ethan Cook, editor of Cisco Perspectives at N2K CyberWire. This week host Kim Jones with his first guest, Ben Yellen to discuss the current state of regulation. Absolute security by definition is an oxymoron. I can secure you absolutely if you shutter your doors, wipe your computers, wrap them in Lucite and drop them in marine ass trash. But then again, you ain't going to make no money. CISO perspectives is an N2K Pro exclusive show, but for this season we're sharing the first two episodes free on the Cyberwire daily. To hear the full season, visit TheCyberWire.com and click on subscribe now to become an N2K Pro Member.

Narrator/Announcer (13:36)

At Talas, they know cybersecurity can be tough and you can't protect everything. But with Thales, you can secure what matters most. With Thales industry leading platforms, you can protect critical applications, data and identities anywhere and at scale with the highest roi. That's why the most trusted brands and largest banks, retailers and healthcare companies in the world rely on Thales to protect what matters most applications, data and identity. That's Thales T H A L E S. Learn more@talasgroup.com cyber compliance regulations, third party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you're thinking there has to be something more efficient than spreadsheets, screenshots, and all those manual processes, you're right. GRC can be so much easier and it can strengthen your security posture while actually driving revenue for your business. You know, one of the things I really like about Vanta is how it takes the heavy lifting out of your GRC program. Their trust management platform automates those key compliance, internal and third party risk, and even customer trust so you're not buried under spreadsheets and endless manual tasks. Vanta really streamlines the way you gather and manage information across your entire business. And this isn't just theoretical. A recent IDC analysis found that compliance teams using Vanta are 129% more productive. That's a pretty impressive number. So what does it mean for you? It means you get back more time and energy to focus on what actually matters, like strengthening your security posture and scaling your business. Vanta GRC Just imagine how much easier trust can be. Visit vanta.com cyber to sign up today for a free demo that's V A N T a dot com CYBER My Caveat Podcast co host Ben Yellen recently sat down with Michelle Kellerman, cybersecurity engineer for air and missile defense at Johns Hopkins University Applied Physics Lab. They're discussing women's health apps and the legal gray zone that they create with hipaa.

Kim Jones (16:24)

So today we're going to be talking about period tracking apps and digital privacy, especially in the post Dobbs era. So we're now three years after the Supreme Court's decision in Dobbs, which held that Roe versus Wade was overturned. There's no constitutional right to an abortion. It's an issue left to the states. Can you just kind of talk about the context of this issue, why you became interested in it, what the implications are of these period tracking apps?

Michelle Kellerman (16:57)

Yeah, so when the Dobbs decision was made, women obviously were trying to figure out what this meant for them, what this meant for their safety. But then as the dust settled from the immediate shock, we were looking into how does this affect our everyday lives and things other than just wanting a strict access to abortions, and that includes all reproductive health. So on the a lot of women's spaces on Reddit or on social media, people started talking about how you need to delete your period tracking apps. And the conversation was very confusing because we were all under the impression that our health information was safe and protected. We're all raised that Your doctor is the only one who has the right to know what's going on in your doctor's office. So this huge shift was really surprising. And to look at period tracking apps, come to find out they're not protected under hipaa.

Kim Jones (17:57)

So yeah, that was going to be my follow up question. So our listeners are probably thinking like, oh, private health information that triggers hipaa. Why are period tracking apps not covered under hipaa?

Michelle Kellerman (18:11)

Health information specifically is a unique case. A lot of times when we have, when we talk about tech law, a lot of the current coverage is co opted from older laws that we see over the last three or four decades. But that's because it covers a data type, a type of information. HIPAA is unique, it covers entities. It doesn't matter what type of data it is, it matters who is owning the data. So doctors, clinics, you know, psychologists, hospitals, your health plans. It only covers specific entities, not the type of information as a whole. So it's not covered because an application is not a doctor is not a covered entity.

Kim Jones (18:52)

Before this became such a live issue, was there any effort in Congress or at the state level to amend HIPAA or state level equivalents to include applications? Like was this something that was on the radar or is it just an issue that's never really come up.

Michelle Kellerman (19:09)

It's come up in congressional inquiries. So with Cambridge Analytica and Facebook selling your data to these data brokers. But it didn't get into health specific information. It was just your online privacy as a whole coming up in these bigger inquiries by Congress. But not an effort specifically to legislated outside of data privacy laws. But health isn't always covered in data privacy laws. Practically only about 50% of them do.

Kim Jones (19:38)

Of course, at the federal level it's more the absence of a data privacy law. Anyway, that's what they're great at, as we all know. So can you kind of walk us through how period tracking apps could be used by law enforcement in a case relating to reproductive rights and if there is any case law on what happens in those scenarios.

Michelle Kellerman (20:00)

Before we get to that, there was an effort to amend hipaa. Luckily by the Biden Harris administration, they added a new provision in 2024, June of 2024, that prohibits a HIPAA covered entity from releasing phi for the purpose of conducting criminal, civil or administrative investigations and the identification of anybody involved with reproductive health. It was specific to reproductive health. So HIPAA now covers, has a specific health provision for reproductive health. So they are, they, there are amendments to it. Very recently in wake of the Dobbs decision.

Kim Jones (20:39)

Is that something that the Trump administration has tried to reverse? I'm kind of surprised they haven't, either through like the Congressional Review act or just through promulgating new regulations.

Michelle Kellerman (20:51)

So they overturned two Biden era executive orders that were about allowing better access to reproductive health and then also protections. So there were two Biden era executive orders that have been overturned for access to reproductive health, including abortion.

Kim Jones (21:09)

Gotcha. Okay, so now we can kind of go back to that original question, just walking us through what a typical case would look like and then where we are in terms of state case law, or federal case law for that matter, with these period tracking applications.

Michelle Kellerman (21:26)

When you install a period tracking app, it asks for standard health information about you, your name, your age, your gender. And then it gets into date of last period on the most basic level. And then you have other, you have some applications that get more into it, your mood swings, how heavy your, how like heavier, other your period symptoms are or your symptoms when you're not having your period. Are you tracking fertility? Are you attempting to have a child? Even things like fertility monitors like Anito is one of them where you can have all that information and you can have your body temperature, blood work, you can have any like a wealth of information that go to these applications that are not doctors in ITO and other fertility monitors. And peer tracking apps are completely separate.

Kim Jones (22:20)

Can you talk about state laws or state applications where law enforcement has been trying to use data from either period tracking apps or otherwise in criminal or civil cases relating to reproductive rights?

Michelle Kellerman (22:39)

We haven't seen any cases at this moment where they specifically name period tracking apps, but we are seeing a patchwork of laws try to come from the states. So Virginia in 2023 presented a bill that would have banned police from looking at data in period tracker apps when executing a search warrant. As you know, search warrants are very broad. It can be on device in general. And this bill would have barred period tracking and health apps from the scope of a search warrant. Unfortunately, Governor Youngkin's administration opposed it and it died in chambers. We're also seeing Massachusetts just updated their shield law, strengthening protections for providers and patients. And actually the law prohibits Massachusetts state and local authorities from cooperating with any federal or out of state investigation. So it's not just up to the local municipality if they want to get involved in helping an additional, a different state like Texas, for example, who is attempting to criminalize out of state abortions. This law actually bars the process altogether from cooperating with other states. So we're starting to see States get involved, but it's very patchwork and it's very dependent on the political winds.

Kim Jones (23:53)

What is kind of the horror story that you're anticipating with period tracking apps? Like, what is the data that they are going to pull out to potentially use in a prosecution? Like, how would a prosecutor try and build a case based on a period tracking app? And then I think with that context, we can talk about remedies and potential solutions to this issue.

Michelle Kellerman (24:16)

I would be concerned about criminalizing miscarriages and abortions. So somebody that, because we see a lot of times there's just an idea of like, oh, we think that she's pregnant. People will make assumptions on a woman's fertility status constantly for free, just with. Even though it's none of their business. That's just the natural state of how people are. So I'm concerned of people making assumptions about somebody else. We saw with Texas, they, one of the private entities involved in this released a website where you could snitch or report other people who were getting out of state abortions. So we're already in this state of reporting other people based purely on speculation. And then you would have these apps where you would have a consistent. Maybe if your cycle is regular and you have a monthly period and then all of a sudden you don't, they can make the assumption that you're pregnant. And then if you don't have a child, you could be potentially prosecuted for a miscarriage. Even if it's a fallacy, it's still a grueling, awful position to be in. Even if eventually the evidence comes out that you were never pregnant or never miscarried or had an abortion, it's still criminalizing just a woman's body functioning.

Kim Jones (25:34)

This is what sort of gets me about this is obviously in this country, abortion and reproductive rights generally are a divisive political issue. I wouldn't think that even for those who are rabidly pro life, there would be a lot of enthusiasm about obtaining data from private period tracking applications. Like, I guess maybe this is an unfair question, but how is this an issue? Like, where is the opposition to keeping this data private or adding some type of HIPAA level protection on these applications.

Michelle Kellerman (26:12)

I think people have gotten so used to being in everybody else's business with social media and everything that you do being somehow available for public comment. We've lost the desire for privacy. And we also have come to expect that we just don't really have it anymore. With every time we get a credit report breach and monitoring your credit cards at this point. There's been so many we don't care anymore. And it's a given now that your personal information is just out there. And we still hold the criminalizing a woman's body as this far fetched ideas if it's not really happening. Whereas a baby can be right in front of you and you only see what's directly in front of you. So I think there's just not an appetite for fighting for this amorphous idea of privacy when we already exist in a world where we don't expect it.

Narrator/Announcer (27:09)

That's Michelle Kellerman from the Johns Hopkins University Applied Physics Lab. Be sure to check out their full conversation over on the Caveat podcast. Wherever you get your favorite podcasts, Investigating is hard enough. Your tools shouldn't make it harder. Maltego brings all your intelligence into one platform and gives you curated data along with a full suite of tools to handle any digital investigation. Plus, with on demand courses and live training, your team won't just install the platform, they'll actually use it and connect the dots so fast cybercriminals won't realize they're already in cuffs. Maltego is trusted by global law enforcement, financial institutions, and security teams worldwide. See it in action now@maltego.com and finally on Capitol Hill, lawmakers are turning their attention to a frontier that sounds more like science fiction than policy. Your brain Senators Schumer, Cantwell and Markey have introduced the Management of Individuals Neural Data act, tasking the FTC with writing the rulebook for how companies can handle neural data. The bill aims to prevent tech firms and data brokers from harvesting, bundling, and selling brain signals to nudge you what to buy or how you feel about it. With companies like neuralink and consumer wearables already dipping into this territory without guardrails, senators warn of manipulative ads and predatory schemes pitch straight into your neurons. The FTC would be asked to coordinate with researchers, advocates, and industry to design protections. Apparently, privacy now means guarding not just your inbox, but also your cortex, and that's the Cyber Wire. For links to all of today's stories, check out our daily briefing@thecyberwire.com we'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire2k N2K senior producer is Alice Carruth. Our Cyberwire producer is Liz Stokes. We're mixed by Trey Hester with original music by Elliot Heltzman. Our executive producer is Jennifer Ibin. Peter Kilby is our publisher and I'm Dave Buckner. Thanks for listening. We'll see you back here tomorrow. Foreign Cyber Innovation Day is the premier event for cyber startups, researchers and top VC firms building trust into tomorrow's digital world. Kick off the day with unfiltered insights and panels on securing tomorrow's technology. In the afternoon, the 8th annual DataTribe Challenge takes center stage as elite startups pitch for exposure, acceleration, and funding. The Innovation Expo runs all day, connecting founders, investors and researchers around breakthroughs in cybersecurity. It all happens November 4th in Washington, D.C. discover the startups building the future of cyber. Learn more@cid.datatribe.com.