Hey, online pharmacies: Quit spreading around everyone's data already
Google says don't worry, EFF warns of 'potentially horrific outcome'
At least nine online pharmacies that sell abortion pills share information with Google and other third parties, such as search history and geolocation, that can be used to identify the websites' users, according to a ProPublica probe.
And while this may be troubling to any data privacy advocates, it could prove downright dangerous in post-Roe America — or other countries that have outlawed abortion — where law enforcement can subpoena this type of private information to prosecute women who seek to end their pregnancies.
Sometimes police don't even have to use the courts to compel businesses to hand over this sort of data, because execs surrender it willingly, without a warrant.
Since the US Supreme Court's Dobbs ruling, which overturned Roe v. Wade and removed constitutional rights to abortion, a dozen states in the nation have banned the surgical procedure and medical abortions — aka abortion pills.
For its analysis, ProPublica used The Markup's website privacy inspector to determine the type of web trackers the pharmacies use. It found at least nine of the websites that sell abortion medication also collect and share data about their customers, including other websites they visited, search terms used, general location, and general device information.
The data is essentially shared with online tools that the websites use to track visitor numbers and traffic patterns, provide live-chat support, and the like.
"The nine sites are also sending data to Google that can potentially identify users, ProPublica's analysis found, including a random number that is unique to a user's browser, which can then be linked to other collected data," the investigative non-profit's report claimed.
Companies selling abortion pills should immediately stop sharing data with Google and Facebook
The nine pharmacies are: Abortion Ease, BestAbortionPill.com, PrivacyPillRX, PillsOnlineRX, Secure Abortion Pills, AbortionRx, Generic Abortion Pills, Abortion Privacy and Online Abortion Pill Rx.
None of the pharmacies responded to The Register's inquiries.
"Companies selling abortion pills should immediately stop sharing data with Google and Facebook," Electronic Frontier Foundation (EFF) Senior Staff Technologist Cooper Quintin told The Register.
"Web developers may not have thought they were putting their users at risk by using Google Analytics and other third-party trackers, but with the current political climate, all websites, but especially websites with at-risk users, need to consider that helping Google, Facebook and others build up records of user behavior could have a potentially horrific outcome," Quintin said. "They can't keep acting like Roe is still the law of the land."
While EFF hasn't yet seen any cases of law enforcement agencies using this type of data to prosecute abortion seekers or providers, Quintin said "my concern is that in the future someday data stored by Google, Facebook, and big tech in general could be used to carry out dragnet searches and prosecutions of women who have sought out abortions or other reproductive care."
Most tech companies, if served with a court order, will turn over users' private data and messages to the cops. Google received more than 87,000 subpoenas and search warrants in 2021 (it hasn't yet published info for 2022).
Google: 'Purely hypothetical and technically impossible'
Google doesn't say if any of those requests were related to health information. But the search giant isn't afraid to push back against — or flat out reject — government demands to hand over user data, according to a spokesperson.
Additionally, Google Analytics' customers are prohibited from uploading information that Google could then use to identify a person, according to the web giant.
The search king also strongly pushed back on the non-profit's conclusions.
"The allegations described in ProPublica's latest article regarding Google Analytics are purely hypothetical and technically impossible," Google Analytics Product Director Steve Ganem said in an email to The Register.
"Google Analytics was designed specifically so users could not be identified by Google for ourselves or anyone else, including law enforcement," Ganem added. "Also, Google has strict policies against advertising to people based on sensitive information."
Google last year pledged to update its location history system so that visits to medical clinics and similarly sensitive places are automatically deleted.
- Period-tracking apps, search engines on notice by draft law
- Google location tracking to forget you were ever at that medical clinic
- Facebook hands over chats to cops in post-Roe abortion case
- Meta, Twitter, Apple, Google urged to up encryption game in post-Roe America
In addition to limiting the types and amount of information that websites can collect about netizens, some digital rights advocates have also called for on-by-default end-to-end encryption across messaging services to secure users' communications, and prevent conversations from being shared with police and others.
Meanwhile, a bill proposed by Washington state lawmakers would make it illegal for any business or website to sell consumers' health data — and mandate that the website not collect this personal info in the first place without a user's "voluntary, specific, and unambiguous written consent."
The Washington proposal would also give folks the right to withdraw consent at any time, demand that websites and apps delete their health data, and get prompt answers about whether the business is collecting or sharing this type of private information and with whom.
California is one of a handful of states that already has a much broader data privacy bill on the books, and the CA attorney general has indicated he is willing to take legal action against corporations that sell or share information about people without their full consent. ®