Data protection concerns spike as states get ready to outlaw abortion

The use of personal data from brokers, apps, smartphones, and browsers to identify those seeking an abortion raises new data protection and privacy risks.

big brother privacy eye data breach security binary valerybrozhinsky getty
ValeryBrozhinsky / Getty

The U.S. Supreme Court will almost certainly stick to its leaked draft decision to overturn the landmark Roe v. Wade decision that legalized abortion 50 years ago. According to some tallies, abortion may be banned or tightly restricted in as many as 28 states in the weeks after the Court formally hands down its decision next month.

As the American Civil Liberties Union (ACLU) has noted, "The lack of strong digital privacy protections has profound implications in the face of expanded criminalization of reproductive health care." Enforcement of the law will likely hinge on increased digital surveillance by authorities to more efficiently identify, arrest, and prosecute pregnant people who contemplate or seek abortions. "Expanded criminalization of abortion will become an increasingly attractive target for prosecutors and police," the ACLU says.

Lawmakers press data brokers and apps for answers

Law enforcement and other state agencies can track suspected abortion seekers using commercial services even without direct surveillance by authorities. Location data firms sell information related to clinics such as Planned Parenthood that provide reproductive health services and can even show where people visiting abortion clinics live.

Data marketplaces sell information on users who have downloaded period-tracking apps. Privacy experts are already warning people not to use period-tracking apps because of the extensive personal data they retain.

Federal lawmakers are taking note. Senate Democrats are already demanding answers from location data firms SafeGraph and Placer.ai to provide information about any collection or sales of cellphone data tied to visits to abortion clinics. "Especially in the wake of the Supreme Court's leaked draft opinion overturning Roe v. Wade, your company's sale of such data—to virtually anyone with a credit card—poses serious dangers for all women seeking access to abortion services," the senators reportedly wrote to SafeGraph, with similar wording in a letter to Placer.

Representative Suzan DelBene (D-WA), who has introduced several pieces of privacy legislation, said, "It's important that people are aware of the information that's out there that isn't protected today, and what the risks are to consumers and, in particular, the huge concerns and risks that would be in place for women if the Supreme Court moves forward and we don't protect their personal information."

Few state laws protect privacy

No federal privacy law exists to protect abortion seekers' data, and only four states have enacted comprehensive privacy legislation that might limit some of their exposure. California, Colorado, Utah, and Virginia have enacted laws that could, to some degree, protect the privacy of those in search of reproductive health options.

Even these laws are insufficient. For example, in California, which has one of the strictest privacy laws in the world, reproductive health care advocates are urging the adoption of a package of legislation that "enhances privacy protections for medical records related to abortion care under California's Reproductive Privacy Act against disclosures to law enforcement and out-of-state third parties seeking to enforce hostile abortion bans in other states."

Shannon Olivieri Hovis, director of NARAL Pro-Choice California, tells CSO, “It would essentially protect anybody seeking care here from having their private healthcare information shared elsewhere. A state cannot reach into another state and try to dictate what one of their residents is doing outside of the state.”

Advocates are already also pushing for stronger abortion-related data protection measures in states that don't have comprehensive privacy laws. Activists in Massachusetts, for example, are calling for new laws that protect abortion providers’ and patients’ privacy and invest in clinic infrastructure and security.

Federal privacy law needed

With only a handful of states protecting the data of abortion healthcare seekers and providers, the best option is to adopt a national federal privacy law. India McKinney, director of Federal Affairs at the Electronic Freedom Foundation (EFF), tells CSO, "What rules exist around how the app or the social media company or your ISP or your browser or anything can collect and monetize that data depend on your location, what state you're in, not whether or not the data itself is sensitive."

From one vantage point, the data is "not so special," McKinney says, merely a series of zeroes and ones, accessible on-demand via purchase or warrant or subpoena much like any other user data. "Internet companies and data brokers and insurance companies and employers and the Missouri secretary of health can get access to this information because they want it. It feels like it's something that shouldn't be true, or it feels like something that shouldn't be legal, but it is because we don't have a federal privacy law that says otherwise. "

"When it's your gender or how many times you had sex recently and your reproductive goals, and when you last started your period and what the quality of your cervical mucus is, it feels like there should be an additional level of protection because those are personal and private things."

And despite the good intent, companies willing to pay for their employees to travel out of state to receive an abortion might inadvertently compound the privacy problem, further underscoring the need for a federal solution. "If they live in a state that outlaws abortion, it's like, well, that's cool. But that means you have to disclose to your employer that you need an abortion," says McKinney.

ISPs can expose data too

Data brokers and apps are not the only threats to protecting sensitive data in the post-Roe world. "Your ISP knows the websites you visited and, in some cases, they are allowed to share that data with advertisers and data brokers," McKinney says. "So, if you Googled, ‘How do I have an abortion at home or where is the nearest Planned Parenthood?’ or ‘How to induce a miscarriage?’ or whatever, and you visit websites that talk about those things, your ISP knows that."

"Right now, somebody's browsing history, to see if they've been to any abortion provider's website, that's going to be a difficult thing to get by a judge [to gain a warrant] because it's not illegal," she says. But if you're living in a state post-Roe where abortion is outlawed, "it is a different story."

‘Dystopia has already started’

"It's terrifying, and I want to be clear: I think this has already started right now," Erin Matson, co-founder and executive director of reproductive justice organization Reproaction, tells CSO. "This is not waiting for Roe to fall. Things are getting really real, really fast. The dystopia has already started, and people could already find themselves in big trouble for stuff they're doing right now. The digital trail that they are putting in place today in May could be used against them in July."

Matson and other abortion rights defenders say that prosecutors already have a track record of using electronic information in abortion situations to imprison people. For example, "Purvi Patel is a woman in Indiana who actually spent time in prison before she was ultimately released early for self-managed abortion. Part of what was used against her was text message records."

Anti-abortion actors could also expose personal and private data by tricking desperate people, Matson says. "Another piece of the problem is these anti-abortion fake clinics, sometimes called crisis pregnancy centers, known for doing geo-targeting outside abortion clinics. These are bad actors linked with the anti-abortion movement. It's truly terrifying to think about what they may do with data and who they may turn data over to."

Steps to protect privacy

There are steps that abortion seekers can take to help limit their data exposure. "People need to stop using period trackers and stop using pregnancy trackers. There is one tracker called Euki created by IBIS Reproductive Health that is totally secure," according to Matson.

However, she cautions that bad faith organizations run several pregnancy apps. "Bad actors actually run a number of these apps. The American Pregnancy Association would be one example of a website that looks neutral but is actually run by anti-abortion actors."

“[Use] Signal instead of regular text messages," Matson says. "Use things like Tor, a secure web browser, when looking up information about abortion, whether that's in-clinic or self-managed abortion care. There are times when people just might want to leave their phone and not take it with them. I don't say that lightly because folks want to be in contact with people they care about when they're having an abortion."

Tech companies should walk the walk

In terms of what tech companies can do to address the problem, "This is the time for them to come together and adopt a statement of principles on the security of data and also make clear they do not wish to be used in the face of prosecution” says Matson. “If big tech really wants to walk the walk, they should be convening right now, making public statements on accountability, and putting pressure on legislatures."

McKinney thinks that companies, especially period tracker companies, should just say, "they're not going to sell this data to data brokers anymore. They could decide that they don't want to do that as a business decision."

However, that wouldn't stop law enforcement from gaining a warrant or subpoena. But companies could "choose to fight the subpoena depending on the situation. These are choices that companies could make," McKinney says.

Transgender privacy rights are also in jeopardy

The same forces that sought to repeal Roe are also enacting laws that could expose sensitive data for transgender people. Texas, which has passed one of the most onerous abortion bans in the country, also put in place an order to conduct child abuse investigations against those providing gender-affirming care to transgender children.

Arkansas enacted a law last year prohibiting gender-confirming treatments or surgery for transgender youths. In addition, Alabama Governor Kay Ivey signed a law banning medical care for transgender youth who are transitioning.

Texas-based abortion rights advocates AVOW tweeted, "It's not a coincidence that trans and abortion rights are experiencing a full-on assault throughout Texas and the country. Both movements are about the fight for dignity, respect, and bodily autonomy."

When it comes to gender-affirming care, "it’s absolutely the same opponents and the same struggle,” Matson says. “It’s about self-determination.”

Copyright © 2022 IDG Communications, Inc.

Make your voice heard. Share your experience in CSO's Security Priorities Study.