Hello, friends,
When a draft of a Supreme Court opinion that could overturn U.S. abortion rights leaked to the press earlier this month, I started to panic about my 17-year-old daughter’s future.
Although we live in New York, which is not one of the 26 states that are certain or likely to ban abortion if the law is overturned, I still can’t help but worry about my daughter’s ability to control what happens to her own body.
Even more troubling are laws like the one passed in Texas last year that not only ban nearly all abortions but create incentives for individuals to act as bounty hunters exposing and suing those who seek abortions.
The combination of new laws and incentives for civilian enforcement likely means that people seeking reproductive health care could be subject to extensive surveillance and monitoring, as well as to targeted influence campaigns. In other words, the toxic combination of online surveillance and disinformation that has infected our digital world is now being turned against pregnant people.
Reproductive rights advocates warn that anti-abortion groups have already created “a nationwide, government-funded, digitally sophisticated network that targets low-income pregnant people who may or may not be considering abortion, collects their sensitive medical and personal information, and feeds it to anti-abortion organizations that store big data without clear privacy protections.”
As a start, I asked my daughter to delete her period-tracking app, as some of these apps have been found to send ovulation data to Facebook, have been funded by anti-abortion groups, and have found ways to monetize women’s health data. I also shared with her a new website called Three for Freedom, which offers links for mail-order birth control, emergency contraception, and medication abortion pills.
To get a deeper understanding of the risks of reproductive surveillance, I called Laura Lazaro Cabrera, legal officer at Privacy International, a nonprofit group that promotes privacy rights, where she leads the project on social protection and specifically reproductive health. Lazaro Cabrera worked on Privacy International’s report on data exploitation in the exercise of sexual and reproductive rights and has a background as a human rights litigator at the Open Society Justice Initiative and at the Inter-American Court of Human Rights.
Our conversation, edited for brevity and clarity, is below
Angwin: In 2020, Privacy International published a report documenting the surveillance and disinformation tactics anti-abortion groups use to limit people’s access to reproductive health care. Can you describe some of the findings?
Lazaro Cabrera: We found that a fair bit of users’ online interactions and personal information was being collected by these organizations through a range of different technologies. For instance, some anti-abortion groups targeted advertisments and information at people inside abortion clinics through the use of geofencing. This means that many pregnant people inside these facilities were likely being targeted with false information.
Another concerning finding was the use of online chat services by anti-abortion organizations. Many of these chat services didn’t provide a privacy policy, so it wasn’t clear how they were processing data. In some cases, we saw that in order to initiate a conversation, you needed to provide your name, demographic information, location data, and pregnancy status. That first step is already incredibly intrusive. The connected concern is whether the information you are given through an online chat service is reliable. Is it medically accurate and scientifically verified?
Lastly, we discovered that anti-abortion organizations were developing digital dossiers, or personal profiles of people who were connecting with crisis pregnancy centers. For instance, we wrote about a type of software called Next Level developed by Heartbeat International, a U.S.-based anti-abortion organization, which crisis pregnancy centers commonly use as data management software.
This is incredibly concerning because over the course of a consultation, whether it is with a certified home health professional or with a crisis pregnancy center, a lot of information is shared and all of the notes from the appointment can be added to the system, potentially revealing incredibly personal information. It’s not clear how that information is used, and how much of it is shared. The Next Level privacy policy states, for example, that it may share information with its affiliates, partners, vendors, or contract organizations. “Affiliates” and “partners” are broad terms that could be used to encapsulate a wide variety of like-minded actors.
Angwin: The advocacy group the Alliance wrote that the crisis pregnancy center industry “is now functioning as surveillance infrastructure for the anti-abortion movement, amassing data that could be used in pregnancy- and abortion-related prosecutions.” What are the risks of these centers?
Lazaro Cabrera: Crisis pregnancy centers are operations run by organizations whose primary aim is to dissuade people with an unplanned pregnancy from accessing abortion care. Many of these pregnancy centers will be ideologically entrenched, as many of them are affiliated with religious networks.
It can sometimes be hard to identify a crisis pregnancy center because they often don’t present as such, and they frequently use neutral language presumably to appeal to a wider range of people. They are dangerous because they often deliberately give the impression that they are clinical centers offering legitimate medical services and advice, but in reality this is often not the case. An investigation by Open Democracy found that crisis pregnancy centers in some Latin American countries provided individuals with inaccurate medical advice.
There are two connected concerns here. The first is whether they’re giving out misleading or inaccurate medical advice. The second is whether or not they can be held accountable for it. Currently, they are treated as if they’re exempt from the regulatory oversight that health care facilities are typically subject to.
Angwin: Now that some states have passed laws that criminalize abortion and incentivize individuals to turn people in, this kind of data could be really dangerous. How can people protect themselves against this kind of surveillance?
Lazaro Cabrera: This is very concerning. These laws seek to encourage third-party disclosures by providing financial incentives to crisis pregnancy centers, or other similarly minded individuals, to disclose the data they already have. It would only take a moment for any of them to share that information with law enforcement.
As far as protecting oneself online goes, it’s tough because information can come from a range of sources. You can use a VPN [virtual private network] to make sure that you’re protecting your online activity including your browser history, you can choose to browse privately—that’s a simpler step to take—and you can disable cookies. You may also want to look back and identify the actors with whom you shared relevant information, whether online or offline. That involves tracing back your steps and reflecting on what, in hindsight, may be the most incriminating. What sort of data did you provide that clearly provides a link with, for instance, a potential abortion? And what can you do about that data?
In my personal opinion, evidence of browsing history on its own can rarely be used as conclusive evidence to prove an event or action occurred. However, considered cumulatively in light of other sources of information, it can potentially be damning. Privacy is a time-shifted risk: The information that we could be comfortable sharing one day could lead to trouble the next. This is one of the reasons why we advocate for privacy-preserving approaches: We cannot always anticipate what information may subsequently have life-altering implications. We should always be careful about how we share our personal data, and particularly sensitive data, which includes health data, like information about a potential pregnancy.
Angwin: People have said everyone should delete their digital health apps, especially pregnancy and fertility ones. Do you have concerns about these apps?
Lazaro Cabrera: If you use a period-tracking app, and you share what could be regarded in hindsight as incriminating data, then there is very little a company can do to refuse turning over that data when it is requested by law enforcement in legally permissible ways.
I’d like to remind people that the deletion of an app does not necessarily mean the erasure of the data. More often than not, the user data will be retained for a period of time, after the last engagement with the app unless otherwise requested. If people are worried, and many of them will be, the first step should be to check what needs to be done to have that data erased. This is usually in the privacy policy, but at the very least, it will require someone to send an email explicitly asking for the data to be erased. In the U.S., privacy laws rarely guarantee the right of erasure of one’s personal data.
Angwin: There have been stories about data brokers who can tell by your location if you’ve visited an abortion clinic. How incriminating is that evidence, and do you recommend that someone turn their phone off if they are going to an abortion clinic?
Lazaro Cabrera: When it comes to the use of location data as evidence, the location would need to be tied to a particular person. However, even if the data doesn’t include a person’s name or any other identifier, it could be aggregated with additional data that could then be used to identify a person.
As for data protection tactics, if you turn off your device, then you’re making sure that you’re avoiding location data being collected. Otherwise, you need to take lots of small steps to make sure that location data isn’t shared, including managing the permissions that each of the apps have, not connecting to the local Wi-Fi (unless you have a VPN), and turning GPS off. So turning off your phone completely would be the quickest way to ensure nothing is shared.
The problem is that data brokers–those who sell and purchase location data, among others–remain an unknown unregulated ecosystem, which makes it very concerning. And that means that basically anyone can get the data, potentially even governments.
Angwin: Here in the U.S., we don’t even have a baseline privacy law. What do you recommend that would make this a better situation?
Lazaro Cabrera: We think the GDPR [General Data Protection Regulation] is a good blueprint for the world to follow. It’s not perfect, but it gives protection to health data regardless of the processing entity. HIPAA [the U.S. health privacy law] applies only to certain data processors instead of applying to all health data. So while there are no hard-and-fast guarantees against law enforcement access in GDPR, there are additional layers of safeguards that a processor has to overcome in order to process health data in any way, shape, or form. So the U.S. could offer better protections if sensitive data was put at the heart of the law rather than the type of entity holding the data.
As always, thanks for reading.
Best,
Julia Angwin
The Markup
P.S. If you have followed or are interested in The Markup’s investigations into flawed tenant screening algorithms, investigative reporter Lauren Kirchner will be talking about her work at an event with ProPublica on May 26 at 4 p.m. EDT. You can register by clicking here.
Additional Hello World research by Eve Zelickson