Concerns about how period and pregnancy tracking apps handle and share user data have existed for years now, but the recent Roe v. Wade decision has put this aspect of information privacy in the spotlight. Amid concerns that tech companies will share potentially incriminating information with states that have outlawed abortions, a coalition of Democratic lawmakers and privacy advocates is renewing calls for enhanced regulation of the big tech platforms that host these various apps.
Overturn of Roe v. Wade sparks concerns about misuse of user data
The landmark Roe v. Wade decision handed down in June ends a federal mandate that a certain standard of abortion care be medically available throughout the country, freeing states to implement their own laws. Some states have long desired to greatly restrict abortion to a degree not previously allowed by federal law, and have had “trigger laws” sitting on the books in the event that Roe v. Wade was overturned; 13 states automatically restricted abortion to “medically necessary” cases in the first and second trimester in this way, and about half a dozen more are expected to vote to revert to similar pre-Roe laws in the coming months.
Texas provided a forewarning of the Roe v. Wade decision with one of the most unusual state laws, one that has raised the greatest privacy concerns about apps handling user data. Passed in late 2021, the state’s new law allows private individuals to sue each other over suspicion of having an abortion after a legally allowed six-week limit. If the plaintiff wins the case, they can collect up to $10,000, something that pro-choice and privacy advocates have called a “bounty system.” A combination of app-collected user data, such as a period tracker combined with an Uber ride to an abortion clinic, could provide the evidence needed to facilitate such a lawsuit.
Activists worry not just about similar bounty laws springing up in certain states, but also that states will subpoena tech companies to hand over user data of this nature. A coalition of Democratic lawmakers who have been heavily involved in trying to establish a federal data privacy law immediately called on the Federal Trade Commission (FTC) to restrict the two largest tech companies in the mobile OS space (Google and Apple) from allowing the use of user data in this way.
The lawmakers specifically want restrictions on the use of advertising identifiers that tie a person to a device and allow their movements to be tracked and personal profiles of information to be built. Technologies such as the Apple Identifier for Advertisers (IDFA) and the Google advertising ID (GAID) were supposed to facilitate targeted interest-based advertising in an anonymous way by identifying a unique device rather than a user, but have repeatedly been found to facilitate the building of detailed personal profiles by unscrupulous third-party data brokers. Apple tacitly admitted this with its recent restrictions on the use of the IDFA, requiring app developers to obtain affirmative user consent to make use of it.
Tech companies yet to take a position on potential state subpoenas
A number of major tech companies, Apple and Google included, responded to the Roe v. Wade development by promising employees time off and coverage of travel expenses for abortions. Tech companies have been much more hesitant to take a position on the use of user data for potential tracking of abortions, however, likely because the issue is nested with ongoing legal scrutiny of how personal data is collected, used and sold by their advertising programs.
Jake Williams, Executive Director of Threat Intelligence for SCYTHE, explains more about the circumstances in which tech companies might be subpoenaed by a state: “Search providers are required to comply with subpoenas from law enforcement when the search results themselves are evidence of a crime. Given the rapidly changing laws around access to abortion, searches for abortion and abortion related topics can be risky. While some have recommended searching using private browsing (or Incognito mode), these searches are still tied to your IP address. Ownership or use of the IP can be revealed through your ISP or mobile provider. You should ideally use a VPN when searching for legally ambiguous topics. Some past subpoenas have relied on geofencing to locate mobile phone subscribers within a particular area. It is also conceivable that this technique will be used to identify those who have traveled to a specific location where abortion or abortion related services are offered.”
Subpoenas for text messages and search history related to abortions have happened in at least two cases in recent years, both relating to women who attempted to induce abortions on their own and then subsequently presented at hospitals claiming a miscarriage. In one case, text messages in which the woman discussed the use of abortion pills with a friend were introduced. In the other case, the woman’s search history was requested and found to contain searches for abortion pills.
It remains unclear to what degree state prosecutors might choose to go after individuals in this way in the post Roe v. Wade world. They may opt to focus on abortion providers instead. But the Texas law indicates that the idea of going after the store of user data that tech companies hold to track and prosecute individuals is at least on the table for some states.
The Electronic Frontier Foundation (EFF) responded to the Roe v. Wade decision with a blog post aimed at tech companies outlining some ideas that might serve as near-term legal protections for user data. These include data minimization, default encryption of all user data, formal policies of refusing to comply with improper orders from states, and proactive notification to users of what laws they may be forced to comply with if subpoenaed in relation to an abortion investigation. The EFF also suggests that the customers of tech companies that might be impacted by this ruling take privacy of their user data into their own hands, using “burner” accounts or devices for period tracking and searches related to abortion, switching to privacy-focused search and browsing services such as Brave and DuckDuckGo, and blocking collection of location data whenever possible.