Guess who is collecting and sharing abortion-related data?
Basically everyone at this point. But developer Easy Healthcare has promised to stop
In case of any lingering doubt about whether abortion and location data is being collected — and used to track — people in post-Roe America, a lawsuit and two investigations should put those doubts to rest.
On Thursday, the US Federal Trade Commission reached a settlement with Easy Healthcare, which makes fertility tracking app Premom. The deal relates to charges that the app shared sensitive personal information and health data, including pregnancy status, with third parties, including marketing firm AppsFlyer and Google, all without users' consent.
Google is fighting its own legal battle over claims that it unlawfully collects health data, including searches related to abortion, on third-party websites that use Google technology.
Meanwhile, a Wall Street Journal report on Thursday says a Midwest group used geofencing to send targeted anti-abortion ads to mobile phones belonging to people who visited some Planned Parenthood clinics.
And internal emails show that social media monitoring firm Dataminr helped the US Marshals Service surveil abortion rights advocates by flagging protest organizers' and attendees' Twitter posts, and sharing them with the federal law enforcement agency.
Easy, but not very private
The FTC settlement stems from a legal complaint [PDF] filed earlier this month against Easy Healthcare, which developed a fertility tracking app called Premom.
The app collects users' health information including dates of menstrual cycles, temperatures, pregnancy and fertility status, whether and when pregnancies started and ended, weight, progesterone and other hormone results, and pregnancy-related symptoms.
Court documents state that Premom "repeatedly" promised users that it would not share their health info with third parties, and that the data collected was only used for its own analytics or advertising.
Despite these pledges, however, the fertility tracker allegedly deceived users by integrating AppsFlyer's and Google's software development kits (SDKs) into the Premom app and disclosing sensitive, identifiable health information to these third parties through something called "Custom App Events," which are records of user-app interactions unique to Premom.
"For example, when a user uploads a picture of an ovulation test, Defendant records the user's interaction with that feature as a Custom App Event that is shared with Google and AppsFlyer," the court documents state.
Also, instead of anonymizing these events, Premom uses specific terms to describe them in its records, the lawsuit claims.
"For example, when a user opens Premom's calendar and logs her fertility, Defendant records the Custom App Event as 'Calendar/Report/LogFertility,'" it says. "And when a user logs and saves information related to her period, Defendant records the Custom App Event as 'Log period-save.' Defendant chose other descriptive titles such as 'Signup/Birth' and 'Ovulation/Static/Success.'"
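As an added illustration (not code from the article, the complaint, or Easy Healthcare), the following Python check shows how an app team could audit custom event names before they reach a third-party analytics SDK, blocking any whose name alone reveals health context. The stem list, the function names, and the two neutral sample events are assumptions made for this example; the other four event names are the ones quoted above.

```python
import re

# Assumed stems for health-revealing words; a real list would be curated by
# the app's privacy team. Prefix matching is deliberately conservative.
SENSITIVE_STEMS = ("fertil", "period", "ovulat", "birth", "pregnan",
                   "menstr", "progester")

SAMPLE_EVENTS = [
    "Calendar/Report/LogFertility",   # quoted in the complaint
    "Log period-save",                # quoted in the complaint
    "Signup/Birth",                   # quoted in the complaint
    "Ovulation/Static/Success",       # quoted in the complaint
    "Settings/Theme/Dark",            # constructed neutral event
    "App/Launch",                     # constructed neutral event
]


def tokens(event_name):
    """Split an event name on separators and camelCase boundaries."""
    words = []
    for part in re.split(r"[/\-_\s]+", event_name):
        words += re.findall(r"[A-Z]?[a-z]+|[A-Z]+(?![a-z])|\d+", part)
    return [w.lower() for w in words]


def sensitive_hits(event_name):
    """Return the tokens that reveal health context, sorted and de-duplicated."""
    return sorted({t for t in tokens(event_name)
                   if t.startswith(SENSITIVE_STEMS)})


def egress_decision(event_name):
    """Block any event whose name alone discloses health information."""
    hits = sensitive_hits(event_name)
    if hits:
        return {"event": event_name, "action": "block", "reason": hits}
    return {"event": event_name, "action": "send", "reason": []}


def audit(event_names):
    """Partition event names into (blocked, allowed) for third-party SDKs."""
    decisions = [egress_decision(n) for n in event_names]
    blocked = [d["event"] for d in decisions if d["action"] == "block"]
    allowed = [d["event"] for d in decisions if d["action"] == "send"]
    return blocked, allowed


if __name__ == "__main__":
    for name in SAMPLE_EVENTS:
        print(egress_decision(name))
```

A name-based gate only covers what the event title discloses; event parameters and the device identifiers attached by the SDK need their own review.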
Under the proposed order [PDF], Easy Healthcare will pay $200,000 and be permanently prohibited from sharing users' personal health data with third parties for advertising. The company will also be required to seek deletion of the data it has already shared, among other remedies.
Easy Healthcare maintains it does not, "and will not ever sell any information about users' health to third parties, nor do we share it for advertising purposes."
Its settlement with the FTC "is not an admission of any wrongdoing," the company said in a statement. "Rather, it is a settlement to avoid the time and expense of litigation and enables us to put this matter behind us and focus on you, our users." Make of that what you will.
How to get caught geofencing
Marketing firms aren't the only ones that want to get their hands on mobile users' pregnancy status.
Veritas Society, a nonprofit fund established by the organization Wisconsin Right to Life, used precise geolocation data from mobile phones to send targeted anti-abortion ads to people who visited Planned Parenthood clinics.
"Took the first pill at the clinic? It may not be too late to save your pregnancy," reads one such ad, cited by the Wall Street Journal.
An older version of Veritas Society's website brags about the success of this advertising campaign:
"We captured the cell phone IDs of women who visited all Planned Parenthood locations in Wisconsin along with similar locations and their associated parking areas … The Veritas Society digital campaign for Wisconsin Right to Life during 2020 served 14.3 million ad impressions across mobile devices captured at these addresses and then served ads to those devices across the women's social pages, Facebook, Instagram and Snapchat."
The larger privacy concern here is that while these mobile device IDs are supposedly anonymous, when combined with geolocation coordinates it doesn't take too much analysis to connect the phone to a person — and that can put the individual at risk of serious harm.
No warrant required
A separate investigation by The Intercept, published on Monday, found that Dataminr tipped off the US Marshals Service to "dozens of protests," including abortion rights demonstrations, by mining Twitter users' posts between April and June 2022 — roughly the time from when the US Supreme Court's decision to overturn Roe v. Wade was leaked, to the formal ruling removing a constitutional right to abortion that was handed down on a Friday in June.
The Intercept reviewed 800 pages of the US Marshals' internal emails and documents, collected through a public records request, and found that "Dataminr flagged the social media posts of protest organizers, participants, and bystanders, and leveraged Dataminr's privileged access to the so-called firehose of unrestricted Twitter data to monitor constitutionally protected speech."
For example, on May 3 last year, New York-based artist Alex Remnick tweeted about a protest planned later in the day. Dataminr passed this tweet to the Marshals, and continued sending the law enforcement agency alerts as the rally progressed — messages including "protestors block nearby streets near Foley Square" and photos of demonstrators — all collected from Twitter.