A leaked draft opinion suggesting the US Supreme Court could overturn Roe v Wade, the landmark decision on abortion rights, has renewed concerns about the ways US law enforcement could ask tech companies to hand over user data if they prosecute individuals who receive or provide abortion services.
Technology companies and data brokers have for years been collecting, storing and often selling information about their users. Few federal regulations protect such data, making the information, including data about location, Internet searches, and communication history, extremely valuable and easily accessible to law enforcement.
That data could also make it easy for law enforcement to track down people seeking information about or seeking abortion in states where the practice would be criminalized, increasing the need for data privacy regulation, healthy individual “digital security hygiene” and better company data retention policies.
“The worst damage will be that all this data collected about location, people’s health, periods and pregnancies will now be used to find and prosecute people who may or may not even need these services,” said Cooper Quintin, senior staff technologist at the digital rights group Electronic Frontier Foundation. “I am concerned that all this data that is already available and just sitting in data silos will be used for mass prosecutions, mass arrests and really significant damage.”
While there are steps individual users can take to protect themselves and minimize the data they hand over to companies that can be requested by law enforcement, Quintin says the decisions companies make when it comes to user data can have far-reaching consequences.
“There’s a 100% parallel with climate change — it’s often framed as an individual consumer problem, when really it’s up to businesses and institutions that do the most damage and have to do the most work to fix it,” he said.
How the police could search for abortion seekers
Concerns about digital security around abortion are already playing out in several US states. “While abortion is still legal in all 50 states, the reality is that many people in this country already live in a post-Roe world and dozens of people have been criminalized for their pregnancy outcomes,” said Elizabeth Ling, senior helpline counselor at the reproductive legal hotline If/When/How.
As a result, many people opt for a “self-managed” abortion where they get pills in the mail rather than going to local clinics, Ling said. The internet has made self-managed abortion options more accessible to those seeking legal and safe abortion routes outside of a medical setting. But it has also created a digital footprint that makes an individual’s attempt to seek abortion much easier to trace.
Information such as someone’s internet search for abortion pills has already been used in cases of miscarriage and termination of pregnancy. “If Roe is destroyed, the need to regulate abortion itself will certainly increase and the surveillance of people seeking abortion care will be at an all-time high,” she said.
Today, there are several ways law enforcement officers can access user data. Agencies can easily access your phone, whether at the border or through a subpoena. Law enforcement and government agencies may also purchase user information through data brokers, companies such as LexisNexis, Equifax and X-Mode that collect, buy and sell user information. Or they can issue subpoenas and warrants to tech companies requesting the data those companies have collected.
Different types of law enforcement requests to technology companies yield different types of user information. In some cases, technology companies may only disclose an individual’s subscriber information in response to certain subpoenas. But there are also broader warrants that law enforcement officials are increasingly using that can capture a wide network of consumer information, such as geofence warrants and keyword search warrants.
In both cases, the police ask a technology company for information about all devices that meet certain conditions. In the case of geofence orders, the police search for all devices that are in a certain place at a certain time. For keyword search warrants, the police look up all the information for devices that search the Internet for a particular term.
Police have used geofence orders, for example, to get a list of people who had been near an alleged crime scene at the approximate time it occurred. People have already come forward to say that they have been suspected of or arrested for a crime they did not commit simply because they were in the wrong place at the wrong time. A keyword search warrant that searches the device information for anyone who has searched for an abortion pill, or a geofence warrant that searches for anyone who was in or around a Planned Parenthood, for example, is not out of the realm of possibility in a post-Roe world. These could all be used to access information about, and potentially criminalize, people seeking or researching abortion, Quintin said.
While there are a few steps consumers can take to try to limit the information they share with companies, which could then end up in the hands of law enforcement, companies have the most power to protect users, he said. “First, I would really like companies to stop working with data brokers and stop selling location data to these data brokers,” he said. But the most important thing companies can do is reduce the amount of data they store about their users, especially since they may not have the power or ability to deny a legal request such as a court subpoena.
“Any company that doesn’t want to be responsible for the massive amount of damage that will result should now start taking concrete steps to minimize data,” Quintin said. “So data brokers, stop holding onto data that is not absolutely necessary. Companies, make it easy for your customers to actually delete their data.”
Quintin also said companies should encrypt all customer data they store in a way that only consumers can decrypt. “But that’s a technology challenge that not every company wants to take on, although I’d say they should, especially companies that deal with women’s health.”
How to practice ‘digital security hygiene’
While the lion’s share of the responsibility rests with the companies that profit from the sale of data, experts say there is still quite a bit individuals can do to put good “digital security hygiene” into practice.
“Understandably, people are concerned about how their efforts to learn about their legal rights and options to terminate a pregnancy in order to make the best decision for themselves could be used as evidence against them,” said Ling. “People can go to the Repro Legal Helpline’s internet safety resource to learn about steps they can take, such as using a VPN, using secure messaging apps like Signal, or preventing others from seeing their search history as they share a device.”
In addition to consulting EFF’s Surveillance Survival Guide, Quintin said people offering or seeking abortions should consider leaving their phones behind or, if they can’t, turning off their phones and location services. “Those are reasonable steps you can take if you think what you’re doing will be criminalized,” he said. He also said that people should have the disappearing messages feature enabled when using services such as WhatsApp and Signal, and should use Tor browsers to prevent their web browser history from being tracked and saved.
Abortion providers have a more intense threat model because they are at risk from physical attacks, but they can take the same steps as individuals, he said. “It’s the same principle of data minimization: leave as little data as possible behind.”
While there aren’t many secure appointment-booking software options that abortion clinics and providers can use, Quintin said he suspects “that’s something every healthcare provider is really thinking about right now.”