When someone gets an abortion, they may decide not to share with friends and family. But chances are their smartphone knows.
The leak of a Supreme Court draft opinion proposing to overturn Roe v. Wade raises a data privacy flash point: If abortion becomes criminal in some states, how might a person’s data trail be treated as evidence?
There is precedent for it, and privacy advocates say data collection could become a major liability for people seeking abortions in secret. Phones can record communications, search histories and body health data, to name a few. Just yesterday, there was new evidence that commercial data brokers sell location information gathered from the phones of people who visit abortion clinics.
“It is absolutely something to be concerned about – and something to learn about hopefully before being in a crisis mode, where learning on the fly might be more difficult,” said Cynthia Conti-Cook, a technology fellow at the Ford Foundation.
It’s now common for law enforcement to make use of the contents of people’s phones, including location and browsing information. One case against an alleged Jan. 6 insurrectionist drew upon thousands of pages of data from the suspect’s phone as well as Facebook records, prosecutors said.
A major data source is our digital surveillance economy – Facebook, Google and apps galore – in which companies track consumers to figure out how to sell to them. The data may change hands several times or seep into a broader marketplace run by data brokers, which can amass huge collections.
That data is an easy target for subpoenas, or orders from judges, and many tech companies don’t give straight answers about what information they’d be willing to hand over. Google, for one, reports receiving more than 40,000 subpoenas and search warrants in the United States in the first half of 2021.
Police and private citizens alike could buy data and use it to investigate suspected abortions. Phone location information has been used by activist groups to target ads at people in abortion clinics to try to dissuade them.
Crunching all that data isn’t easy, and law enforcement agencies have plenty of “lower-hanging fruit” to pursue, says Alan Butler, executive director and president of the Electronic Privacy Information Center. Those more traditional methods include checking credit card records, collecting data from cell towers or talking to friends and family.
But without Roe v. Wade, it’s tough to predict how restrictive state abortion laws will become. “Even a search for information about a clinic could become illegal under some state laws or an effort to travel to a clinic with an intent to obtain an abortion,” Butler said.
No matter what happens, the possibility of mass data-collection to enforce abortion bans will hang over the heads of people seeking abortions or helping others get them, said Nikolas Guggenberger, executive director at the Yale Information Society Project. “People want to be on the safe side, so even if the law doesn’t apply to what they’re doing, it has a chilling effect,” he said.
A number of groups have published citizen guides to avoiding surveillance while seeking an abortion or reproductive health care, including the Digital Defense Fund, the Repro Legal Helpline and the Electronic Frontier Foundation.
Here are three potential contributors to the data trail on people seeking abortions – and how they might be used.
Phones can collect precise information about your whereabouts – right down to the building – to power maps and other services. Sometimes, though, the fine print in app privacy policies gives companies the right to sell that information to other companies who can make it available to advertisers, or whoever wants to pay.
On Tuesday, Vice’s Motherboard blog reported that for $160, it bought a week’s worth of data from a company called SafeGraph showing where people who visited more than 600 Planned Parenthood clinics came from and where they went afterward.
This kind of data could be used, for example, to identify clinics that provide abortions to people from out of state in places where that’s illegal.
SafeGraph CEO Auren Hoffman told The Washington Post on Tuesday his company was discussing whether to stop offering aggregated data on physical traffic to abortion providers. SafeGraph and companies like it don’t usually sell the location information linked to names or phone numbers, though SafeGraph has come under fire from privacy advocates before and has changed some of its practices to make it harder to tie data to specific people. “You can find someone to say they can de-anonymize the data, but if it could be done someone would have written a paper by now,” said Hoffman.
But privacy watchdogs say you can learn a lot by connecting the dots on multiple places a single person has visited. For example, last year, a Catholic blog obtained location information originally generated by the dating app Grindr to out a priest as gay. They were able to infer that the same person at a church-related location was also visiting gay bars.
Both Apple and Android phones offer settings to turn off location services for individual apps – or entirely for the phone. But doing so might make certain functions, such as a transportation app, not work.
Search and chat histories
Searching for information about clinics and medications can leave a trail of records with Google, which in some cases saves queries to a user’s profile.
In 2017, prosecutors used Internet searches for abortion drugs as evidence in a Mississippi woman’s trial for the death of her fetus. A grand jury ultimately decided not to pursue charges, according to the National Advocates for Pregnant Women. And last year, the Supreme Court of Wisconsin decided that detectives did not violate the rights of convicted murderer George Burch when they accessed downloaded data from his phone, including his Internet search history, without a warrant.
Private messages can also become evidence. In 2015, a series of texts about getting an abortion helped convict a woman of child neglect and feticide.
A 2020 report by Upturn, a nonprofit focused on technology and justice, found that law enforcement agencies use “mobile device forensic tools” – which can give them access to Internet histories as well as unencrypted emails and texts – for everything from marijuana possession to graffiti.
There are some things people can do to keep their search and chat histories private. Ford Foundation’s Conti-Cook said people don’t have to volunteer their phones when police ask, and they can opt for encrypted messaging apps and a virtual private network, or VPN, to obscure their identities while searching.
Reproductive health apps
Millions of people use apps to help track their menstrual cycles, logging and storing intimate data about their reproductive health. Because that data can reveal when periods, ovulation and pregnancy stop and start, it could suddenly become evidence in states where abortion is criminalized.
There is evidence these companies play fast and loose with privacy. In 2019, period tracker Ovia got pushback for sharing aggregate data on some users’ family planning with their employers.
Last year, the Federal Trade Commission settled with period-tracking app Flo after the app promised to keep users’ data private but then shared it with marketing firms including Facebook and Google.
A recent investigation by Consumer Reports found shortcomings in the way five popular period-tracking apps handle sensitive user data, including sending it to third parties for advertising.
How are they allowed to share such personal data? Our interactions with health-care providers are covered by a federal privacy law called the Health Insurance Portability and Accountability Act, or HIPAA. However, period-tracking apps aren’t defined as covered entities, so they can legally share data.
The Washington Post’s Joseph Menn contributed to this report.