
Open-Sourcing Anonymous Mode: Why We Shared Our Privacy Technology

By Laure Lydon, VP of Security and Infrastructure 

In 2022, we contributed to the open-source OHTTP implementation powering Anonymous Mode, collaborating with Cloudflare on privacy infrastructure.

This struck some people as crazy. 'You're giving away your competitive advantage!' But as we've seen, open-sourcing can actually enhance trust and industry standards, which benefits everyone, including your organization. 

Looking back at the results, including broader industry adoption of OHTTP for privacy applications, I can say that open-sourcing our privacy tech was one of the best decisions we made.

Here's why we did it, what we learned, and why you should consider open-sourcing your privacy-critical code too.

Note: Code examples are simplified overviews based on what we open-sourced, illustrating the types of implementations we shared rather than complete production code.

The Trust Problem in Privacy Technology

Let's start with the fundamental problem of verifying privacy claims made by various organizations. 

Some companies claim anonymity on their websites, but those claims are just words. How do you verify them?

For most software, you can't. The code is closed-source. You have to trust the company. Trust they implemented what they claim. Trust they didn't make mistakes. Trust they've thought about every little detail.

That's a lot of trust for reproductive health data in a post-Roe world, and companies cannot afford to make mistakes.

The Cryptographic Principle: Kerckhoffs's Principle

Cryptographers solved this problem 140 years ago with Kerckhoffs's principle, which states: "A cryptosystem should be secure even if everything about the system, except the key, is public knowledge."

In other words, security should depend on keys (kept secret), not on algorithm secrecy. If revealing your algorithm breaks security, your security is weak. Modern cryptography follows this same ethos; AES, RSA, and TLS are all public algorithms. Thousands of researchers and developers have scrutinized them until they were battle-tested. Security comes from key secrecy, not algorithmic secrecy.

We applied the same principle to Anonymous Mode because strong privacy should survive public scrutiny.

The Open-Source Collaboration

We contributed to Cloudflare's open-source OHTTP implementation, including the relay service, gateway implementation, and client libraries (written in Rust and compiled for iOS/Android). This open-source solution implements RFC 9458 with post-quantum cryptography (an X25519 + Kyber-768 hybrid construction). Here are some additional details on the individual components:

  • OHTTP Protocol Implementation: The open-source solution implements RFC 9458 (Oblivious HTTP), the IETF standard that cryptographically separates client identity from request content. The relay sees who you are but not what you're doing. The gateway sees what you're doing but not who you are.
  • Post-Quantum Cryptography: The implementation includes hybrid post-quantum key exchange, combining X25519 (classical) with Kyber-768 (post-quantum, now standardized as ML-KEM-768). This protects against both current and future quantum computer attacks.
  • Cross-Platform Client Libraries: The open-source Rust library compiles for iOS, Android, and the web, enabling a consistent OHTTP implementation across all clients without reimplementing the protocol for each platform.
  • Relay Infrastructure: The relay component runs on Cloudflare Workers, handling the forwarding of encrypted requests without the ability to decrypt them. This infrastructure is part of Cloudflare's Privacy Gateway service.
  • MIT License: The open-source implementation uses the MIT license, a permissive license that allows anyone to use, modify, and deploy the code, including for commercial applications.
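
To make the relay/gateway split concrete, the following added example (not code from the open-source project) parses the cleartext header of an RFC 9458 Encapsulated Request, which is everything a relay can read from the message it forwards. It assumes the hybrid construction is the HPKE KEM X25519Kyber768Draft00 (id 0x0030); `RelayView`, `relay_view` and `sample` are hypothetical names, and the sample messages are constructed filler, not real ciphertext.

```rust
// Added example: what an OHTTP relay can read from an RFC 9458 Encapsulated Request.
#[derive(Debug, PartialEq)]
pub struct RelayView {
    pub key_id: u8,
    pub kem_id: u16,
    pub kdf_id: u16,
    pub aead_id: u16,
    pub enc_len: usize,        // encapsulated KEM share: public, reveals no content
    pub ciphertext_len: usize, // HPKE-protected request: opaque without the gateway key
}

// Nenc (encapsulation length) per HPKE KEM id. Assumption: the hybrid is 0x0030.
fn nenc(kem_id: u16) -> Option<usize> {
    match kem_id {
        0x0020 => Some(32),   // DHKEM(X25519, HKDF-SHA256)
        0x0030 => Some(1120), // X25519Kyber768Draft00: 32 + 1088 bytes
        _ => None,
    }
}

pub fn relay_view(msg: &[u8]) -> Result<RelayView, &'static str> {
    if msg.len() < 7 {
        return Err("truncated header");
    }
    let be16 = |i: usize| u16::from_be_bytes([msg[i], msg[i + 1]]);
    let kem_id = be16(1);
    let enc_len = nenc(kem_id).ok_or("unknown KEM id")?;
    let body_len = msg.len() - 7;
    // The RFC 9180 AEADs append a 16-byte tag, so shorter ciphertexts are malformed.
    if body_len < enc_len + 16 {
        return Err("truncated enc or ciphertext");
    }
    Ok(RelayView { key_id: msg[0], kem_id, kdf_id: be16(3), aead_id: be16(5),
                   enc_len, ciphertext_len: body_len - enc_len })
}

// Constructed sample: real header layout, 0xAA filler in place of enc and ciphertext.
pub fn sample(kem_id: u16, ct_len: usize) -> Vec<u8> {
    let mut m = vec![0x01u8]; // key identifier
    m.extend_from_slice(&kem_id.to_be_bytes());
    m.extend_from_slice(&[0x00, 0x01, 0x00, 0x01]); // HKDF-SHA256, AES-128-GCM
    m.resize(7 + nenc(kem_id).unwrap_or(0) + ct_len, 0xAA);
    m
}

fn main() {
    for kem in [0x0020u16, 0x0030] {
        println!("{:?}", relay_view(&sample(kem, 120)));
    }
}
```

The relay's view is limited to algorithm identifiers and lengths; under the stated assumption, the hybrid KEM shows up on the wire only as a 1,088-byte larger encapsulation.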

Challenges We Encountered

Not everything was smooth, and we faced several bumps along the way. 

  • Challenge 1: Maintenance Overhead - Open source requires work, including reviewing pull requests, answering questions, triaging issues, and keeping documentation accurate and up to date. All of this is an ongoing engineering effort.
  • Challenge 2: Security Disclosures - We received security reports. Many weren't real issues; they were only misunderstandings about how the system works. But triaging takes time, and finding legitimate bugs made our thorough review of these reports worthwhile.
  • Challenge 3: Public Confusion - Some people saw "open source" and thought: "Anyone can see the data!" Not true. Open source means the code is public, but the data stays private. We added FAQs and educational content to help address these concerns.

Everyone Benefits from Open-Source Privacy Tech

The case for open-sourcing privacy technology comes down to trust, security, and shared progress. When privacy protections are visible and testable, they’re stronger — and more credible.

Here are the three biggest reasons we chose to open-source Anonymous Mode:

  • The most fundamental reason is verification. 

When companies say "trust us" about privacy, they're asking for faith without evidence. Open source flips this dynamic entirely. Instead of asking people to trust privacy claims unquestioningly, you invite them to verify them. Researchers can audit the code, journalists can investigate the implementation, and privacy advocates can confirm the architecture actually works as described. 

This transforms privacy from a marketing claim into a provable fact. The shift from trust to verification is powerful because it replaces faith with evidence.

  • Open-sourcing privacy technology advances the entire ecosystem. 

When other companies adopt strong privacy practices — or even build on our approach — their users benefit. And that’s a win for everyone. In femtech especially, every app that strengthens anonymity and data protection makes the entire ecosystem more trustworthy. Our goal was never to be the only app offering meaningful privacy safeguards. It was to raise the standard across the industry so that multiple apps provide protections users can verify and rely on. 

A healthy market isn’t one where a single company holds a monopoly on strong privacy. It’s one where users don’t have to trade functionality for safety — or choose between apps based on who protects them better.

By sharing the thinking and engineering behind Anonymous Mode, we’re contributing to a higher baseline for health app privacy. The more companies that build systems this way, the safer reproductive health tracking becomes for everyone — on their own terms.

  • Open-source privacy work attracts exceptional engineering talent. 

Engineers want to work on problems that matter, and privacy technology that protects reproductive health data is deeply meaningful work. Open-sourcing that work also demonstrates your organization's values.

Open-sourcing Anonymous Mode brings in people who care about privacy as much as we do.

Conclusion

Open-source privacy technology is the future. For privacy-critical systems, closed source is becoming unacceptable. "Trust us" isn't enough when the stakes are high because people expect (and increasingly demand) verification. And the result is better privacy for everyone. That's worth it.

If you're building privacy-sensitive applications, consider open-sourcing your privacy-critical code:

  1. Review for security (no secrets, no infrastructure details)
  2. Choose a permissive license (MIT or Apache 2.0)
  3. Document thoroughly
  4. Establish a security disclosure process
  5. Budget for ongoing maintenance

The Open Source Security Foundation has excellent guides for secure open-source development. 

Privacy claims backed by open source are stronger than closed-source promises. As data privacy becomes more critical, we expect to see more privacy tech go open source.
