by NoTranslationL 367 days ago
If anyone is interested in a privacy focused tracking app that stores all your data locally, I make an app called Reflect [0] whose sole purpose is this, plus on-device analysis.

We’re working on a menstrual tracking feature right now and it’s pretty far along. We’ve just released an anomaly detection feature as well.

[0] https://apps.apple.com/us/app/reflect-track-anything/id64638...

12 comments

The report in the OP raises valid concerns about SDKs from third parties, including Google and Facebook. Your own site showcases the Reflect SDK which is, I quote:

> The Reflect SDK is the iOS framework that powers the Reflect – Track Anything app and is designed to help you:
>
> Create forms to track customer product usage and experience
> Collect customer biometric data [...]

Source: https://ntl.ai/products/

Let's just say I'm skeptical about your claims.

Edit: provided a more extensive quote and link to source.

This is a totally valid concern. Initially we were considering augmenting our income with a B2B model to license the library we’ve built, but that didn’t pan out and our priorities have changed, so we solely work on the apps for customers now. I actually forgot this was even on our website and, since we aren’t trying to offer those services or license anymore, I’ve removed them.
This looked promising, but the first two things I tried to record with it seemed just outside of its capabilities. I track blood pressure daily, but it didn’t seem to have a way to record a metric that has two numbers. In addition, I record the sodium and potassium values of everything I eat, and I want a way to record the name of the food item along with those two values (preferably providing a dropdown for previous entries that auto-fills the numeric parts).

Also, the nagging about buying premium was quite aggressive and it made me feel like I couldn’t even get a feel for what the app is like first.

Yeah, there is no support for “multi-dimensional” metrics. So systolic and diastolic would each have to be their own metric. Food tracking in Reflect could use some work, but if you link with Apple Health, Reflect can pull data from Cronometer or MyFitnessPal for example.

Any particular place you thought the premium was very aggressive? I’m open to changing that, it’s not the kind of feedback we normally get. Thanks for saying so

A lot of things I clicked on just led to an upsell page that wanted me to do a week trial that led to a $49 monthly, which surprised me since I hadn’t even begun to explore and only had a single metric which I’d never even recorded a datapoint for. And it seemed like I only was allowed to define a single metric, so I tried to delete it in order to create a new one, but clicking “delete” on it was apparently a premium feature as well. I gave up.

You really need to let people actually use the product with no commitment, see how it’s useful, and then bug them a month later.

Btw, I found a bug: on the page where there are three big buttons and the third is “load a csv”, the csv button isn’t clickable. Only the icon on it is.

Thanks for all that feedback! One minor point is that the 49.99 is annual. You can define and record unlimited metrics and data on the free version so if you can’t then that’s a bug for sure. Also, noted regarding the import bug, thanks for that.
Could you elaborate on which features are premium only? Or maybe also put them in the AppStore description? I tend to be averse to even downloading apps with IAP, without knowing what they are going to be.
That looks very interesting. I'm building almost the same actually: http://dailyselftrack.com/

Any reason your app is iOS only?

Reflect started as a passion project for myself and my partner with no intention to make a product out of it. By the time we thought to do so, we’d already put so much into just iOS that doing an Android version as well was its own huge project.

We still plan to implement Android, we have a roadmap where we track this: https://changemap.co/ntl/reflect/task/9239-android-version-o...

Are you going to have it be local only?

I think you would be interested in seeing what Flo has done using OHTTP: https://oblivious.network/ohttp

It won't be local-only, it will be local-first. So you won't have to put your data online if you don't want to.
That sounds like a good idea with one obvious challenge: how can you prove that data will remain private forever?
That’s a tough guarantee, ultimately you’re placing trust in the device’s security once you limit your attack surface to just local data. So that’s why we’re working on encryption with key custody. Any feature like cloud backups are explicitly opt-out by default so no one is putting their data onto someone else’s servers without knowing what they’re getting into.
Just to be clear, you’re saying cloud backups are off by default, and the user must explicitly enable them?

If so, just FYI I believe that pattern is usually referred to as “opt-in.” As in, the feature is off by default, and the user must opt in to using it.

Yes, you have that right
(Don't take any of the below in a negative sense! It's awesome you built a privacy-first solution and care about these things, to the extent practical. Below just musings)

I assume the attack vector here is more along the lines of 23andme bankruptcy -- if developer is bought by a new corporate entity / priorities change, what guarantees exist that privacy architecture won't backslide via updates?

Users shouldn't be concerned that a minor update or corporate sale will change the bargain they made around their privacy.

Honestly, it'd be great if there were scaled third-party cloud key escrow services coupled with enforced legal guarantees.* ^

It feels like we did cloud wrong from a legal/privacy perspective by not separating keyholder from data-at-rest-holder (legal entity wise). Tenant-based encryption is basically there... just still mingling data and key ownership in the same entity.

GDPR / right to be forgotten would be trivial if there were always a third party (who enforced requirements on any first party) I could submit a request to, that would burn my keys on their side, thus rendering first-party stored data un-practically-retrievable.

(And a third party because, similar to the browser+CA system, balancing power against each other to enforce guarantees of good behavior seems effective)

* Legal guarantees like "no caching keys for longer than X" or "no unencrypted user data at rest"

^ Cloud hosting encryption keys would also solve the ugly UX edge of strong encryption around "I lost my key... help?"
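The keyholder / data-holder split and the "burn my keys on their side" erasure described in this comment, as an added example that is not code from the original page or from Reflect or any named service. The `KeyHolder` and `DataHolder` classes and the `demo` flow are hypothetical names chosen for illustration; the stream cipher is a standard-library-only demonstration construction (SHA-256 in counter mode with an HMAC tag) so the script runs offline, and a real deployment would use AES-GCM or ChaCha20-Poly1305 from a vetted library. The sample record is constructed.

```python
"""Crypto-shredding with the key holder separated from the data holder.

Demonstration only: the cipher below is SHA-256 in counter mode with an
HMAC tag so the script runs on the standard library alone.  The point is
who holds which key, not the cipher: the data holder keeps only ciphertext
and a wrapped per-record key, the key holder keeps only a per-user
key-encryption key (KEK).  Burning the KEK makes every record for that user
unreadable without the data holder deleting anything.
"""
import hashlib
import hmac
import os


def _derive(key: bytes, label: bytes) -> bytes:
    # Split one master key into separate encryption and MAC keys.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")  # tampered or wrong key
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class KeyHolder:
    """Hypothetical third party: one KEK per user, never sees any user data."""

    def __init__(self) -> None:
        self._keks: dict[str, bytes] = {}

    def wrap(self, user_id: str, dek: bytes) -> bytes:
        kek = self._keks.setdefault(user_id, os.urandom(32))
        return encrypt(kek, dek)

    def unwrap(self, user_id: str, wrapped_dek: bytes) -> bytes:
        if user_id not in self._keks:
            raise KeyError(f"keys for {user_id} have been burned")
        return decrypt(self._keks[user_id], wrapped_dek)

    def burn(self, user_id: str) -> None:
        # The erasure request is served here, not by the data holder.
        self._keks.pop(user_id, None)


class DataHolder:
    """Hypothetical first party: stores ciphertext plus a wrapped DEK, never a usable key."""

    def __init__(self, key_holder: KeyHolder) -> None:
        self._key_holder = key_holder
        self._store: dict[tuple[str, str], tuple[bytes, bytes]] = {}

    def put(self, user_id: str, record_id: str, plaintext: bytes) -> None:
        dek = os.urandom(32)  # fresh data-encryption key per record
        self._store[(user_id, record_id)] = (self._key_holder.wrap(user_id, dek), encrypt(dek, plaintext))
        # dek goes out of scope here; nothing usable stays at rest on this side

    def get(self, user_id: str, record_id: str) -> bytes:
        wrapped_dek, ciphertext = self._store[(user_id, record_id)]
        return decrypt(self._key_holder.unwrap(user_id, wrapped_dek), ciphertext)

    def has_ciphertext(self, user_id: str, record_id: str) -> bool:
        return (user_id, record_id) in self._store


def demo() -> tuple[bytes, bool, bool]:
    """Store a record, read it back, burn the user's KEK, show the record is now unreadable."""
    escrow, cloud = KeyHolder(), DataHolder(KeyHolder())
    cloud = DataHolder(escrow)
    cloud.put("alice", "cycle-2024-05", b"day 14: temp 36.7, flow light")  # constructed sample
    before = cloud.get("alice", "cycle-2024-05")
    escrow.burn("alice")  # the "forget me" request goes to the key holder
    try:
        cloud.get("alice", "cycle-2024-05")
        readable_after = True
    except KeyError:
        readable_after = False
    return before, readable_after, cloud.has_ciphertext("alice", "cycle-2024-05")


if __name__ == "__main__":
    print(demo())
```

The data holder still has the bytes after the burn (`has_ciphertext` is true), which is the property the comment is after: the first party cannot recover them on its own, and a later owner of the first party inherits only ciphertext. The same split also covers the "I lost my key" case, since the key holder rather than the user is the one keeping the KEK.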

This is a wonderful comment, but also ...

Is there a way to prevent future versions of the app from uploading the locally saved data? Even if none of it was in the cloud to begin with?

That's the route I would be most concerned about.

After that, I agree with the rest of your comment.

Blocking network access by a specific app at the OS level would be the way to achieve this.

I don't believe iOS currently has this ability (all network, not just cellular).

Android has solutions like NetGuard.

But you can make updates manual instead of automatic, that’s something.
Simple + open source + no access to network + no updates (idk about Android/iOS cross-app data sharing).
Still data can be uploaded to the cloud and will be available to cloud providers.

So there are more vectors to protect user data.

Still, I can steal your phone or use my $5 wrench to get the data. There is no guarantee, so why bother. Hypotheticals can always be used to shit on any idea. They just are not always helpful
> no access to network ?
I wish this were a capability you could (as a user) grant or reject at will. But there’s a UI problem: people are sick of clicking accept on a million dialog boxes already.
GrapheneOS gives per-app network access control.
Your wish exists. The first thing my phone asks before I install a new app is whether to allow network access or not.
Android and iOS developers need to explicitly request network access in their app's configurations.
What's your threat model?
I was going to say operate it under a non-profit but then I laughed in Altman.
For people living in the US of Freedom, wouldn't it be good think to 'keep putting in' cycles, despite pregnancy? Should anything untoward happen later, a quick flash o' the app and "Nope, Officer, no siree. Like clockwork, me...".
Duress modes are a frequently overlooked feature in general - e.g. I don't want to just block access to my location, I want to lie about my location entirely.
I also would like “give an incorrect location” as an option. Something like that would probably never be supported by Google or Apple officially, because unlike some other privacy features, it’s actively and overtly hostile to advertisers.
Not just location, but all privacy sensitive API's. The OS should have built in support for segregating location, contacts, calendars, storage, etc. (GrapheneOS does this quite well with storage scopes). As part of this segregation you should be able to redirect the API to a custom implementation.

Thus, my transit app would have access to my real location while Amazon thinks I'm still at home and Pokemon Go thinks I'm on an around-the-world trip to collect location specific items.

You mention Pokemon Go... this would basically be the end of that game, no? That's probably worth the tradeoff, but worth mentioning.
People are already spoofing location, and it hasn't been the end of the game so far. Or did I miss something?
For years when Android was a lot more root friendly, this was easy to do. IIRC there was an Xposed module you could activate to do it. If you root I'm certain there are still apps that will do it, though I'm sure Google/Apple will be actively hostile against it, let alone actually support it
Regardless of what Apple/Google allow officially, the cell carrier also has tracking locations. If you're going out to do something where you would want to hide your location, it's best to just leave the device at home. Get a burner phone paid for in cash by someone not you doing the transaction.
Your cell carrier operates under very different laws and ability to harm you. Sure they know where you are, but most of the data flowing across their network is encrypted and so they mostly know you send a lot of data to AWS, Google, and the like but not what it is. Google as the endpoint of that data has the decrypted version of the data and so they know what it is, and so they can target you in different ways.

If you are going to commit a crime (rape, murder), then all the police need is to know who owns the phones in the area and so you need a burner phone to hide your tracks.

However most of us are not worried about crimes. We are worried about privacy. We are not doing anything illegal, but google still knows far too much about us and is using that to legally abuse us with advertisements. While we all want to pretend we are good at ignoring advertisements, most of us have bought things we don't need and don't really want (or spent too much on things we did need/want).

You seem to have lost the plot a bit. In several locations, it is illegal for women to get certain health care. There are parties out there that are very interested in policing those policies. To prove that, it doesn't matter where they get the tracking data as long as they can prove your location. If someone needs a warrant/subpoena to get the data from a cell carrier or some app developer it doesn't matter to the person being persecuted for seeking health care.
Just pointing out this is an all-or-nothing strawman argument summed up as: if you can't have it all, don't bother trying. It's fallacious. That is all. :^)
I disagree with it being a strawman. If you are doing something where your location being identified could put you in a spot of bother, do not carry anything that can track your location. There's just no way around it. If you want to use wavy hands to pretend tracking of location isn't so bad, then you go ahead and call it a strawman. For people whose physical safety depends on not being tracked, it is not a strawman.
Apps that fuzz or fake your GPS location are available on Android.

I needed one when working on an app with store location detection and it worked pretty decently. I have no idea what it became or if it can be recommended, but there should be a bunch with recent reviews in the Store.

murena - e/OS/ has that as a feature.
I want this for my contact address book too. “This app would like to know all your contacts. Allow / send empty contact list / generate garbage data”

I’d also enjoy if my advertising cookies were randomly reused by people all over the globe. And I’d like my phone number and email address to get associated with dozens of other identities.

There is an alternative contact app that doesn't share your data. You can then fill the default contact app with fake data or leave it empty.

I am not sure if the last point is a good idea though. I get what you want to achieve: anonymity in numbers and plausible deniability, but you are more likely to get mixed up with problematic stuff others are doing rather than protecting yourself. Having a common name already shows that. It is both a blessing and a curse.

> there is an alternative contact app that doesn't share your data. you can then fill the default contact app with fake data or leave it empty.

You may want to share your contacts with app X but not with app Y, though.

Yes, fair point. I solve that by using Shelter, where the app and a contact app run with an independent configuration. The downside is that I have to duplicate contacts in the Shelter profile vs outside. However, that is what I want, because not all contacts are duplicated.
I don't get the downvotes. Plausible deniability is a valid concern when menstrual cycles and geolocation can lead to criminal repercussions in many states of USA [0].

Nevertheless, if I was a fertile woman, I'd be more concerned about my phone/tablet/car leaking my visits to an abortion clinic than a police officer checking my phone.

0. https://states.guttmacher.org/policies

Is this actually enforced?
Are abortion bans actually enforced? Yes, absolutely.

Have period tracker apps been used as a source of evidence in such prosecutions? Not that I know of.

Are you using OHTTP? If there are cloud aspects - I think you would want to. Learn more: https://oblivious.network/ohttp
No, because we don’t have any servers. We don’t track anything about our users, not even logs or usage.
Are you affiliated with OHTTP?
What kind of "analysis" is done on the data ? We have apps like mensinator that are very simple.

I'd like to know if it is different from these simple apps ?

Note: I'm a guy btw

Do you mean for menstrual data specifically?

Currently for general data there is pearson correlation, five different anomaly detection algorithms, and T tests for significance among other things.

The work in progress we have for menstrual tracking takes temperature, flow, and past ground truth data into account. I know that’s vague, and it’s because my partner is working on it, not me :)

When we release the cycle tracking we’ll have a full writeup

What homomorphic encryption technology have you looked into using? this is a good use case for that technology.
I agree it could make sense one day but, as I mentioned in another thread, we don't have any servers and so we don't collect or host any user data (encrypted or not). In fact, I really don't want to; it's overhead and costly, and might involve compliance with HIPAA or GDPR, and I just would rather the user be in charge of their own data.

Having FHE for local data would be very interesting though.

Do you have a link to the Android app?
Unfortunately no android yet, but you can track progress here: https://changemap.co/ntl/reflect/task/9239-android-version-o...
I'm building an app with the same concept but web based first and converted to Android and iOS via Capacitor, for now.

It's not released yet, but if you'd like to get an e-mail notification you could take a look here: https://dailyselftrack.com/

Really neat app, thanks for sharing.
Thanx - sounds like what I need ;-)
I guess using FHE like from https://zama.ai you could provide server-side features without compromising privacy