How state politics and abortion data risks drove fertility app Proov to move from AWS to Google Cloud

All politics are local – and as statewide abortion restrictions force new data protection worries for health app providers like Proov, all reproductive health data is political. Cloud providers will face new challenges.

Proov app.

"As ... the environment changes, things that were safe before aren’t safe anymore,” said Amy Beckley, founder and CEO of Proov.

Image: Proov

Fertility app provider Proov had already thought about consolidating where its data lived to one cloud. But in May, when the Supreme Court draft opinion presaging the eventual overturning of Roe v. Wade was leaked, the company knew how important the geographic location of the servers where its data is stored would be.

On Monday, Proov kicked off its data migration from AWS and Microsoft Azure to a single new home: Google Cloud. Proov’s decision came down to having the most options for data storage in states that protect abortion rights in order to ward against possible subpoenas for the ovulation test and other fertility-related data it stores about its users.

The leaked court draft “was certainly an accelerator to consolidate within one platform,” said Jeff Schell, Proov’s chief technology officer.

“As things change and the environment changes, things that were safe before aren’t safe anymore,” said Amy Beckley, founder and CEO of Proov, who said the primary goal of the move is to ensure that “as state laws change, we still maintain the ability to protect women’s data.”

But the decision to overhaul Proov’s data storage did not come lightly. Not only will the move to Google Cloud cost the company tens of thousands of dollars, in the long run it could be “slightly more expensive for us to work with Google than to work with Amazon [AWS],” said Schell. And migrating Proov’s data storage and processing operations has “dramatically increased the level of effort that we're putting in, that I'm putting in as a CTO and that we're putting in as a team,” he said.

Consolidating to one cloud provider bucks the general trend toward companies working with multiple providers, as illustrated by data broker Acxiom’s approach.

Betting on Nevada

Proov earns revenue from selling ovulation test strips, rather than from monetizing user data through advertising and other purposes as other period tracking apps do. Proov customers upload images of their fertility tests to the app, which uses an algorithmic system to calculate hormone values and ovulation scores.

Before deciding to make the move to Google, Proov already had strict data privacy and security protections in place, and gave customers a “delete account” function to completely remove their accounts and data, including from their devices and Proov’s server. But the company wanted to make sure the sensitive reproductive health data it handles is physically stored in a state that is less likely than others to restrict abortion rights in the future. And it wanted to have at least one fallback in case state laws change.

Schell and his team evaluated AWS, Azure and Google Cloud along with smaller cloud options before finalizing the debate between AWS and Google. By their measures, Google had more viable options for protecting its customers’ fertility information. Both Google and AWS offer data center storage options in California and Oregon, which together issued a multistate commitment last month to defend reproductive health care access. And both cloud providers offer storage in more restrictive states including Ohio and Virginia.

But Nevada was what tipped the scales toward Google. It was one additional option offered by Google, but not AWS, that Proov believes will be a safe home for its reproductive health data.

“To have another option domestically would seem to expand our choices if we need to be nimble moving forward with Nevada. And when you're talking two versus three viable options, it is significant, so that was something that informed our choice to move to Google,” Schell said. “We are less likely to be subject to subpoenas to produce the data of our consumers.”

Nevada Governor Steve Sisolak in June issued an executive order ensuring the state's commitment to allowing safe access to abortions.

“Housing data on a server in an abortion-restricted state may make it easier for that state to obtain abortion-related data,” said Bethany Corbin, senior counsel at Nixon Gwilt Law, who specializes in legal issues related to reproductive health tech. “If a company houses data in an abortion-restricted state, that state could use the company's presence and in-state data storage facility to present an argument that the company should be compelled to turn over any data in response to a lawful subpoena or court order regarding suspected abortions.”

An AWS spokesperson confirmed that the company does not offer its large-scale cloud storage in Nevada. It does offer what it calls a “local zone” presence in Las Vegas and other places where abortion rights are protected including Boston and New York; those options feature fewer core services and are aimed at serving apps operating in the area.

“Customers choose AWS because it gives them complete control of their data, where it’s stored, and who has access to it, meaning they can use our infrastructure to meet data residency and protection requirements,” the company said in a statement emphasizing its data encryption capabilities.

According to AWS, it typically suggests that a customer choose one primary data storage region, then pick a second as a backup that can store replicated data in case a quick switch is necessary.

Google Cloud and Microsoft declined to comment for this story.

Reproductive health data has been used in legal cases. In a 2019 lawsuit citing safety concerns at a Planned Parenthood clinic, the director of the Missouri state health department said he directed a state investigator to compile a list of menstrual calendar data about the clinic’s patients, in order to identify people who had problems with medical abortions performed there.

Concerned about the potential misuse of data from reproductive health apps, lawmakers last week asked other companies that provide apps for tracking menstruation, ovulation, fertility and pregnancy — including BioWink, maker of Clue; Flo Health, maker of Flo; and Glow, which makes the Glow app — to provide information and documents regarding the collection and sale of personal reproductive health data.

Image: Proov

Proov’s data storage plan isn’t a failsafe. Simply doing business in a state means a company is susceptible to data subpoenas, Corbin said. “States that prohibit abortion can still request data from companies that keep their data stored on servers in other states, so long as that company is doing business in the abortion-prohibited state or the data request concerns someone who received abortion services while physically located in that state.”

Why government data request policies mattered

While data sovereignty was a primary reason for Proov’s decision to migrate to Google Cloud, Schell pointed to other factors that pushed the company toward Google, including the Android-maker’s dominance in the mobile app universe.

“For our specific use case, leveraging the infrastructure of Google is slightly better than leveraging the infrastructure of AWS,” Schell said, calling AWS and Google Cloud “both great platforms” with strong health data protections. “Microsoft and Amazon don't have the level of ecosystem that Android is on,” he said.

Schell also pointed to nuanced distinctions between Google’s and AWS’ policies for handling government data requests that Proov believed were important. Google Cloud’s policy states that if the company receives a government agency request for customer data, “Google informs the government that it should issue the request directly to the organization in question.” In the same situation, AWS’ policy states it “will attempt to redirect the governmental body to request that data directly from the customer.”

It’s a minor distinction, but one Schell said matters. “From policies and procedures, Google is slightly stronger than Amazon in terms of how this might impact our specific business,” he said. “This is a hypersensitive and very important area for us.”

In addition to reconsidering data storage locations, Corbin said companies might also consider other technical alternatives such as storing data locally on a consumer’s device as opposed to in the cloud, where it may be more vulnerable to cyberattacks and data breaches. However, local data storage limits the amount of algorithmic data processing that is feasible in an app.

Ultimately, companies handling reproductive health data should look beyond just improving privacy and security measures, Corbin said. “They should be minimizing the amount of data they collect and only collecting what is minimally necessary.”


How GM plans to make its ambitious EV goals reality

The automaker's chief sustainability officer is optimistic that GM is well-positioned to rapidly scale up the EV side of its business.

"I think everything that’s been put in place to support the transition will be a real positive for the industry and for the country."

Photo: Eva Marie Uzcategui/Bloomberg via Getty Images

Automakers are on the cusp of an entirely new era.

The transition to electric vehicles is quickly becoming more than just theoretical: More models are coming onto the scene every day. This week, the Inflation Reduction Act was signed into law, enshrining a new structure for EV tax credits and offering a boost to domestic critical mineral mining. The transition isn’t coming a moment too soon, given that the transportation sector makes up the largest share of greenhouse gas emissions in the U.S.

Keep Reading Show less
Lisa Martine Jenkins

Lisa Martine Jenkins is a senior reporter at Protocol covering climate. Lisa previously wrote for Morning Consult, Chemical Watch and the Associated Press. Lisa is currently based in Brooklyn, and is originally from the Bay Area. Find her on Twitter ( @l_m_j_) or reach out via email (ljenkins@protocol.com).

As management teams at financial institutions look for best practices to make part of their regular toolkit, they are reaching most for the ones that increase the speed and reduce the risk of large-scale change.

That forward-thinking approach can lead financial institutions to leverage AI technology, which can help give decision-makers trusted tools to solve integral challenges vital to the health of the business. One of the leading providers of AI and machine-learning software, DataRobot continues to attract clients in financial services who want to de-risk their AI investments and rapidly scale AI to almost every part of their operations, resulting in improved productivity and higher customer satisfaction.

Keep Reading Show less
David Silverberg
David Silverberg is a Toronto-based freelance journalist, editor and writing coach. He writes for The Washington Post, BBC News, Business Insider, The Toronto Star, New Scientist, Fodor's, and several alumni magazines. He also writes for brands such as 23andme, Shopify and Bold Commerce. He has served as editor of B2B News Network, Canada's only B2B news magazine, and Digital Journal, a leading pioneer in citizen journalism. Find more about him at www.davidsilverberg.ca

How Embracer Group bought ‘Lord of the Rings’ rights for a bargain

The Swedish holding company, known best for its gaming acquisitions, bought the rights to “The Lord of the Rings.” But the deal is much more complicated than it seems.

Who really owns LOTR's rights?

Photo: New Line/WireImage

A new stakeholder has entered the complex licensing web of “The Lord of the Rings,” and the landmark deal has further complicated the already messy media empire surrounding author J.R.R. Tolkien’s fantasy epic.

The buyer, the acquisition-hungry Swedish gaming conglomerate known as Embracer Group, has purchased Middle-earth Enterprises, and with it the associated film, video game, board game, merchandise, theater production and theme park rights to the core LOTR book trilogy and “The Hobbit'' from its previous owner, The Saul Zaentz Company. Formerly Tolkien Enterprises, Zaentz’s holding group has held onto the rights since purchasing them from United Artists in 1976. (Tolkien initially sold them to UA in 1969, four years before his death.)

Keep Reading Show less
Nick Statt

Nick Statt is Protocol's video game reporter. Prior to joining Protocol, he was news editor at The Verge covering the gaming industry, mobile apps and antitrust out of San Francisco, in addition to managing coverage of Silicon Valley tech giants and startups. He now resides in Rochester, New York, home of the garbage plate and, completely coincidentally, the World Video Game Hall of Fame. He can be reached at nstatt@protocol.com.


Upstart has a new plan to sell Wall Street on its loans

The AI-powered lender will hold some loans on its balance sheet as it seeks partners for long-term capital.

Despite the current struggles, Upstart views the marketplace model as the best way to write to keep its loan business growing.

Photo: Upstart

After a revenue drop its CEO called “unacceptable,” the leadership at fintech lender Upstart is making a bet on the strength of its ability to underwrite loans with AI.

The San Mateo company is planning to leave some loans on its balance sheet that investors do not want to buy, as concerns about the economy shift Wall Street away from backing riskier consumer debt. Rather than pull back on its lending in response, the company said it will hold some loans as it seeks longer-term capital partners.

Keep Reading Show less
Ryan Deffenbaugh
Ryan Deffenbaugh is a reporter at Protocol focused on fintech. Before joining Protocol, he reported on New York's technology industry for Crain's New York Business. He is based in New York and can be reached at rdeffenbaugh@protocol.com.

Does your boss sound a little funny? It might be an audio deepfake

Voice deepfake attacks against enterprises, often aimed at tricking corporate employees into transferring money to the attackers, are on the rise. And at least in some cases, they’re succeeding.

Audio deepfakes are a new spin on the impersonation tactics that have long been used in social engineering and phishing attacks, but most people aren’t trained to disbelieve their ears.

Illustration: Christopher T. Fong/Protocol

As a cyberattack investigator, Nick Giacopuzzi’s work now includes responding to growing attacks against businesses that involve deepfaked voices — and has ultimately left him convinced that in today's world, "we need to question everything."

In particular, Giacopuzzi has investigated multiple incidents where an attacker deployed fabricated audio, created with the help of AI, that purported to be an executive or a manager at a company. You can guess how it went: The fake boss asked an employee to urgently transfer funds. And in some cases, it’s worked, he said.

Keep Reading Show less
Kyle Alspach

Kyle Alspach ( @KyleAlspach) is a senior reporter at Protocol, focused on cybersecurity. He has covered the tech industry since 2010 for outlets including VentureBeat, CRN and the Boston Globe. He lives in Portland, Oregon, and can be reached at kalspach@protocol.com.

Latest Stories