Big Tech silent on data privacy in post-Roe America
We asked what they will do to prevent cases being built against women. So far: Nothing
Period- and fertility-tracking apps have become weapons in Friday's post-Roe America.
These seemingly innocuous trackers contain tons of data about sexual history, menstruation and pregnancy dates, all of which could now be used to prosecute women seeking abortions — or incite digital witch hunts in states that offer abortion bounties.
Under a law passed last year in Texas, any citizen who successfully sues an abortion provider, a health center worker, or anyone who helps someone access an abortion after six weeks can claim at least $10,000, and other US states are following that example.
"We are just a few steps away from digital dragnets for people who are providing access and possibly for people seeking abortions," EFF Director of Cybersecurity Eva Galperin told The Register.
And fertility-tracking apps are just the tip of the digital surveillance iceberg.
Yes, they are "often a privacy and/or security nightmare," Galperin said. "They track a lot of various sensitive health data including data about whether a person is potentially pregnant." But, she added, there's a bigger concern.
"The single greatest danger right now is the location data sale industry, location data brokers, and also the privacy of your web searches," Galperin said. "One of the very first steps that people take when they are searching for abortion information is a web search."
The second step often includes mapping out a health clinic, or a drug store that could be visited to pick up an abortion pill.
Who is tracking the trackers?
However, more than just maps collect location data. All sorts of apps, from weather to retail, use devices' GPS technology to track users' locations, and unless someone opts out, these trackers can pinpoint exactly where a user is without any manual data entry.
Location data company Placer.ai, for example, claims its software is deployed on more than 20 million devices and over 500 mobile applications. Ostensibly, this location data is to allow, say, Target to display targeted ads to devices about nearby stores. But it's also a multi-billion-dollar market, and this location data — including health and reproductive information — can be collected, bought, and sold without users' knowledge.
"Companies gather this data, sell it to data brokers, and the data brokers sell it to third parties and sometimes fourth and fifth parties until they can no longer keep track of where that data is — and that is very concerning," Galperin said.
The US Supreme Court's decision on Friday to overturn Roe v Wade – removing a constitutional right to abortion, and allowing individual states to ban the procedure – raises a slew of data privacy and security concerns for individuals and companies across the tech landscape, including search engines, ISPs, app developers, social media platforms and beyond.
What service providers can expect
Last month, as it became increasingly clear that constitutional abortion protections would soon be eliminated, EFF warned that "service providers can expect a raft of subpoenas and warrants seeking user data that could be employed to prosecute abortion seekers, providers, and helpers."
The online civil liberties organization also told technology firms to "expect pressure to aggressively police the use of their services," along with new demands to hand over information to law enforcement as this data "may be classified in many states as facilitating a crime."
The nonprofit Center for Democracy and Technology called today's Supreme Court ruling "devastating," and also raised the alarm about private data being used to build criminal cases against people.
"This decision opens the door to law enforcement and private bounty hunters seeking vast amounts of private data from ordinary Americans," CDT President and CEO Alexandra Reeve Givens said in a statement.
"Data about a person's reproductive health decisions can also be revealed from sources like their browser and search histories, email and text message logs, use of reproductive health apps, and other commercial products with which many users interact daily."
It's worth highlighting here that it's not just health app data that could be obtained and used by law enforcement: unencrypted text messages and emails, as well as web searches, are the kinds of information prosecutors have used as evidence in abortion-related cases so far.
Echoing the EFF's earlier call to arms, the CDT appealed to tech companies to "step up" their digital privacy actions. This includes enabling end-to-end encryption by default, limiting the collection of data and only sharing it with trusted partners, and stopping behavioral tracking.
However, as of yet, it's unclear how big tech will respond.
Will tech companies 'step up?'
On Friday morning, The Register reached out to Amazon, Microsoft, Google, Meta and Twitter, and asked: What will your company do to ensure that the data you collect isn't going to be used to build a case against women seeking abortions and people or organizations providing abortion support?
As of 4pm PT, none of them had responded. Given that they generally comply with police and government agents' lawful requests for people's personal information, in the course of criminal investigations, the corporations may ultimately find themselves stuck between just handing over that data or significantly overhauling the way they collect and process it.
We also posed this question to several major fertility apps. A few had already posted preemptive statements about reproductive data privacy.
"As the female Co-CEOs of Clue, we promise you that we will never turn your private health data over to any authority that could use it against you," Carrie Walter and Audrey Tsang wrote. "Your personally identifiable health data regarding pregnancies, pregnancy loss or abortion, is kept private and safe. We don't sell it, we don't share it for anyone else's use, we won't disclose it."
'We would rather close down'
GP Apps, which makes the popular Period Tracker app, also noted email inquiries from users concerned about Roe being overturned and what that means for data privacy.
"We want to assure our users that we are adamantly opposed to government overreach and we believe that a hypothetical situation where the government subpoenas private user data from apps to convict people for having an abortion is a gross human rights violation," the company wrote.
"In such a scenario, we will do all we can to protect our users from such an act," it continued. "We would rather close down the company than be accomplice to this type of government overreach and privacy violation."
Ovia Health, in an email to The Register, said it does not sell data to data brokers, and it also allows users to delete their data at any time within its apps.
Finally, we note various corporations are offering to pay the travel expenses of employees who need to go out of state to get an abortion.
Galperin said some tell her that she's exaggerating the Supreme Court's decision. Abortion is still legal in just more than half of US states. "As a rich, white lady in California, no one is taking away my abortions today," she said.
But she is an infosec professional. "It is my job to see threats coming before they arrive," Galperin said.
"And my vision of where this is all going is informed by 15 years traveling all over the world, working with vulnerable populations including journalists and activists in the Middle East and Africa and South America," she continued.
"I can tell you that when things get bad, they get bad very quickly, and the opportunities for mitigating harms and intervening get fewer and fewer as our rights get taken away." ®