WoW Woman in FemTech I Dr Maryam Mehrnezhad, Associate Professor at Information Security Group, Royal Holloway University of London

Dr Maryam Mehrnezhad is an Associate Professor at Information Security Group (ISG), Royal Holloway University of London (RHUL), UK. She has a PhD in Computer Science, an MSc in Information Security, and a BSc in Software Engineering. She is a cybersecurity expert and has published over 50 peer-reviewed papers in international conferences and journals. She is the Primary Investigator of an EPSRC PETRAS grant: CyFer (cybersecurity, privacy, trust, and bias in FemTech). 

Maryam, tell us more about your project.

This interdisciplinary project with multiple stakeholders and collaborators delivered multiple peer-reviewed academic papers, blog posts, and a research day (CyberMi2 2023), and led to established collaboration with new industry partners. To the best of my knowledge, the CyFer project is one of the largest (if not the largest) projects internationally which is directly focusing on the security and privacy of FemTech. This project includes a team of 20 international academic researchers across disciplines, industrial partners, designers, artists, and beyond who have been working on this topic since 2019.

We investigated existing security practices in FemTech IoT systems as well as user perception and practice and socio-technical bias and trust in FemTech data and algorithms. The project revealed how most FemTech apps (e.g., fertility and pregnancy trackers, some associated with IoT devices) track the user right after the app is open and before any user consent, and how new sensors (e.g. on IoT devices) put users at serious risk, yet user perception is much lower than actual risks. We also examined over 20 IoT devices that are advertised as FemTech and identified several Bluetooth vulnerabilities including non-encrypted communication of sensitive data and the usage of unknown Bluetooth services in these products. The published papers can be found on the project homepage.

Our work in CyFer is not limited to academic papers. This project has been featured in the international news several times and we have engaged with multiple stakeholders over the last three years. We also commissioned 8 international artists and designers competitively (among around 60 applications) from an open call and delivered an art-science exhibition, which was on display from June to Sep 2023 at RHUL and partially went to the V&A museum (digital week).

How long did it take you to be where you are now? How did you become interested in FemTech security and privacy? 

I have 15 years of experience in the field of cybersecurity and privacy. In 2012, I started to use a period tracker mobile app which I immediately noticed is showing me personalized advertisement. Coming from a cybersecurity background, this annoyed me. However, at the time, I was doing my PhD on a different topic, and I only came back to this in 2020 when I started a collaboration with Teresa Almeida (my friend and colleague from Umea University in Sweden who is an international lead in intimate digital health and HCI design). We published a paper in ACM CHI (the flagship conference in Human and Computer Interaction).. We published a paper in ACM CHI (the flagship conference in Human and Computer Interaction). In 2021, I was awarded the CyFer grant by EPSRC PETRAS National Centre of Excellence for IoT Systems Cybersecurity. I have been working with a fantastic team of more than 20 experts exploring cybersecurity, privacy, bias and trust in FemTech.

What sort of data do FemTech apps and devices gather from users? How is the data used?
Via studying these apps, my research team has shown that FemTech apps and devices collect a wide range of information about users including information about User (e.g., name, photo, age, gender), Contact (e.g, mobile, email, address), Lifestyle (e.g., weight, diet, sleep), Period (e.g., cycle length, ovulation days), Pregnancy (e.g., test results, due dates, IVF), Nursing (e.g., type, volume, pain), Reproductive organs (e.g., cervical mucus, muscle strength), Sexual activities (e.g., date, contraceptives, orgasm), Medical information (e.g., medication type, blood pressure, lab reports scan), Physical symptoms (e.g., headache, constipation), and Emotional symptoms (e.g., happy, anxious). 

In addition to data directly concerning the user, these devices also ask for or automatically collect data about others including Baby or child (e.g., nursing, sleep cycles, fetal movements), Social media profiles, forums, or plugins (e.g., Facebook, Spotify), Partner (e.g., details of partnered sex activities, name, age, photo). These technologies might even ask about the medical history of the user’s family (e.g., cancer). 

Finally, these systems also have access to the devices’ resources on the phone and the IoT device e.g, camera, microphone, device files and storage, phone’s contacts and calls, communicational sensors (WiFi, Bluetooth, NFC), motion and environmental sensors from the phone or the device (e.g., temperature, pressure, Co2).

This data can be used for several purposes including functioning the app. However, we have shown that the majority of these apps and IoT devices do not need such a wide range of information to deliver their service. The data can be also monetized i.e., being shared with third parties without valid consent from the user or even their knowledge.

What privacy and security issues can FemTech solutions pose to users?

These technologies deal with a wide range of sensitive and intimate information such as health and medical, reproductive health, and sexual life. The risks associated with them are complex to recognize and address. That is why in our CyFer project, we worked (for two years) with 8 international artists and designers to translate our intersectional research results for different stakeholders including citizens via art and design. This exhibition was on display at Royal Holloway University of London (June-Sep 2023) and went to the V&A museum in London later Sep 2023. Link: https://petras-iot.org/update/artistic-exhibition-by-the-petras-cyfer-project-meet-the-artists-and-designers/. A virtual tour of the exhibition will soon be available too.   

Collecting and sharing user data is neither a new nor a simple problem to tackle; particularly when different demographics e.g., gender are factored in. In our research, we have shown that there are several entities who might be interested in such data including (Ex-)Partner and Family, Employers and Colleagues, Insurance Firms, Cyber-criminals, Advertising Companies, Political and Religious Organisations, Governments, Medical and Research Companies, and beyond.

What are the user’s views regarding these risks?

In one of our recent studies, we asked over 100 UK users about their concerns regarding fertility and period trackers. The participants stated a number of issues that they believed to be the disadvantages of such technologies. 65% of the participants believed that “They share user information with third parties or sell to them", 29% chose “They are not accessible to all user groups", followed by 28% choosing “Using such technologies is not easy for certain users", 28% choosing “They are not accurate" and another 26% believing that “They only work for certain user groups and have bias", and 10% said that “They are expensive". Among those who chose “Others" (5%), a few said that Governments or other entities may “track women" via these technologies, and others said these technologies may change what is considered “normal”.

What are your biggest achievements to date?

My academic work has had several media, social, and industry impact. Related to my FemTech research, our CyFer project has been featured in international news (newspapers, TV, online news, etc.) several times over the last three years. The result of my security and privacy research has changed products at companies such as Apple. I also work with several FemTech companies advising them on cybersecurity and online privacy best practices. In recognition of my substantial work in this space, I was a finalist in the top 50 for the Women’s Engineering Society’s (WES) ‘Women in Engineering 2023: Safety and Security’ awards.

What are the projects you are currently working on?

Among my other projects, I am now a co-investigator of a UKRI grant: AGENCY (Assuring citizen agency in a world with complex online harms) where I continue my work in CyFer. In this project, I will focus on other under-studied areas of FemTech such as menopause as well as FemTech for teenagers and their cybersecurity and privacy issues. 

What will be the key trends in the FemTech sector (industry, research, and policymaking) in the next five years and where do you see them heading?

I believe that the security and privacy of digital health and well-being technologies will continue to be a key trend in the next five years. We just saw an announcement by the ICO regarding their plans to review period and fertility tracking apps as a poll shows more than half of women are concerned over data security. The result of our research shows similar concerns among users. However, these risks are not limited to fertility and period trackers only and concern the entire FemTech sector.  I also think other forms of complex risks and harms will become much more serious including algorithmic bias and bias in datasets in FemTech impacting user trust and their engagement with these technologies.

Standardization and regulation dimensions are also becoming interesting to multiple stakeholders. In another recent paper, we discuss that the security and privacy issues around FemTech can lead to differential harm where complex risks are enabled by many factors including gaps in the regulations, non-compliant practices, the lack of enforcement, and limited research and guidelines for secure, privacy-preserving, and safe products. We reviewed the regulations related to FemTech in the UK, EU, and Switzerland and identified the gaps. We ran experiments on a range of FemTech devices, apps, and websites and identified several exploitative practices. We suggest that policymakers explicitly acknowledge and accommodate the risks of these technologies in the relevant regulations.

I believe that collaborative work among different stakeholders is required to protect the users of such technologies. This includes policymakers and the regulatory sectors but is not limited to them. The data collected by such technologies can be related to regulations around general data protection, work discrimination, software, apps, IoT, medical and health, and human, women and children rights. 

What is the most important piece of advice you could give to anyone who wants to start a research career in FemTech?

Coming from a Computing Science (CS) background, working on the security and privacy aspects of FemTech comes with wonderful opportunities and exciting research directions. Focusing on a group of people that are traditionally marginalized by CS research and industry requires a very open mind and critical lens. I would advise early career researchers to critically look at the common and standard practices and question them. This will enable the community to come up with next-generation solutions through an interdisciplinary approach that are more inclusive and benefit all.  

How did you get into this industry? Has it been an easy area to get into or have you had many challenges?

As much as this research topic is exciting, it also has its challenges. The traditional security research community has not necessarily been ready to welcome this type of research. The majority of FemTech research (e.g., menstruation and menopause) continues to be a myth and taboo in many cultures. This somehow is reflected in the academic community e.g., resistance to accepting papers to publish and securing research grants. Despite all of that, I have enjoyed and continue to enjoy researching in an area that I truly care about.

Why are you working on FemTech Cybersecurity and Privacy topics?

People often ask how I came to work on this topic. I have a background in System Security and have been performing attacks on systems. I have also designed trustworthy systems and contributed to standardisation and industrial practices to prevent such attacks. However, human dimensions have consistently been a part of my work. Currently, a major strand of my research is dedicated to minority and minoritized users in cybersecurity and privacy. I have always dreamt of doing something for women’s rights. But I am not an activist, a lawyer, or a social scientist. I am a cybersecurity expert, and I decided to use my expertise to fulfill this ambition of mine. I did it in CyFer, and I continue to do so in my future projects. If you share the same dream, please get in touch.

Connect with Dr Maryam Mehrnezhad on her LinkedIn.