Following the Overturning of Roe v Wade, Action is Needed to Protect Health Data

With the Supreme Court’s seismic and precedent-shattering decision today, people seeking reproductive health care in the U.S. face calamitous new threats to their privacy. The ruling creates incentives for unprecedented monitoring of the most intimate activities and choices Americans make in their bedrooms and doctors’ offices.

The Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization overturned Roe v. Wade and Planned Parenthood of Southeastern Pa. v. Casey, allowing individual states to limit or outright ban abortion. State reactions will likely be swift and varied, with some states outlawing abortions or significantly limiting them. Such laws will create a strong motive to track and know the identities of people who seek to obtain reproductive health care, or to provide it. Below, we describe how that tracking can and does happen, how states have anticipated and responded to the overturning of Roe, what companies can do, and how people can protect themselves. 

1. Digitally Tracking People’s Reproductive Choices Is Frighteningly Easy

Everything we do online — and common ways we interact with electronic devices — generates a large amount of data about how we live our lives: our browser history, location information, the apps we download, and information we store in those apps can all reveal intimate details about a person’s health and reproductive status. Often this happens in ways users do not expect or understand, and is particularly problematic in the case of location information. Some apps gather users’ location information even if it is not necessary for the services the app provides; even a flashlight app reportedly collected it.

Because of the nature of the internet, our use of devices provides a litany of easy, cost-effective ways for companies and governments to track and collect data regarding people seeking reproductive services. A reporter recently purchased a week’s worth of location data from a data broker (data brokers collect data about people directly from companies without those people being aware) about where people who visited a Planned Parenthood came from, and where they went afterwards–information that can reveal a person’s identity. Another report found that Placer.ai was providing free heat maps of people who visited Planned Parenthood clinics, and then offering more detailed information if the requester followed up. The data brokers in those stories purchased or otherwise collected that data from everyday apps on people’s phones that were tracking their location, which the brokers to purchase would then sell (or provide for free) to anyone. While some argue that some of the location data was de-identified, such data is easy to re-identify, with one study showing that one needs only up to four location points to identify the person. If, for example, the data shows a person went from a residential address to a health clinic and then back again to the residence, re-identification may be quite straightforward.

Location information is just one example of available data that can reveal a person’s reproductive health decisions. Sources like browser and search histories, email and text message logs (metadata that the government can acquire without warrants), use of reproductive health apps, and other commercial products with which many users interact daily all can be similarly revealing. A person’s search query for “abortion clinic near me,” their visit to a website to learn about medically induced abortion, and logs of their communications with clinics and doctors all disclose information about their reproductive health.

As another example, reproductive health apps have been found to share information with third party advertisers (and even, in one case, the user’s own employer). Beyond medical data that directly implicates reproductive health and decisions, commercial data of seemingly innocuous activities (purchase records, daily travel, etc.) can be combined through Big Data techniques to unveil the most intimate details of people’s lives. In fact, we’ve already seen this type of commercial data harnessed to discover when people become pregnant.

2. States Have Anticipated the Overturning of Roe

In the wake of the Dobbs decision, a growing number of state laws threaten to turn this data into evidence against people seeking or providing reproductive care. Now that Roe is overturned, a significant portion of states are immediately triggering laws that criminalize abortion, as well as anyone who supports it. In Texas, a recent law permits private citizens to sue anyone, including people who are not residents of Texas and who have no other ties to Texas, who performs an abortion or “aids and abets” a procedure. Aiding and abetting might even be applied to cover scenarios like a California resident who has never been to Texas and has no business ties to Texas being sued for donating to a fund that finances abortions in Texas, though we expect the constitutionality of such a claim would be fiercely contested. Plaintiffs who have no connection to the patient or the clinic may sue, relying on evidence like location data, and, if successful, recover legal fees, as well as $10,000. Texas is not alone. Oklahoma recently passed a similar law, and Louisiana recently enacted a law that would allow the state to imprison doctors for up to 15 years and fine them up to $200,000 for performing abortions. 

This new regime will create frightening new incentives for law enforcement and civilians to seek out electronic data that could reveal information about medical, familial, and sexual plans and activities from people seeking reproductive care and the providers who support them, as well as anyone merely suspected of seeking or providing such services. Government monitoring could focus not only on doctors and those seeking abortions, but also people who have miscarriages or other reproductive health issues, people engaged in family planning, and those who try to provide basic information and education about services. For example, the government could freely use geofence warrants or stingrays to collect identifying information on all phones that enter a given area, such as a reproductive health clinic. 

In this new environment, companies’ data practices, gaps in laws like HIPAA, and loopholes that law enforcement exploits to circumvent warrant requirements need fixing now more than ever. Elected leaders and companies should embrace privacy protections to prevent the unwanted, unanticipated, and unknown use of sensitive information that reveals details about a person’s health. CDT’s Proposed Consumer Privacy Framework for Health Data contains examples of the types of policies that would prevent harmful data uses, and creates a roadmap for companies to follow and legislators to act upon. Equally important, new limits on sharing of data with law enforcement entities should be put in place. 

3. Law Enforcement Data Practices

Law enforcement agencies rely on data to conduct criminal investigations. Typically, government agencies seeking to compel disclosure of the personal electronic data of Americans must secure a form of legal process, like a warrant, court order, or subpoena, to obtain that data. That process can be mandated by the Constitution (the Fourth Amendment’s warrant and probable cause requirement), by federal statute (such as the federal Electronic Communications Privacy Act, or ECPA), or by various state laws that govern state and local law enforcement access to data. But as indicated in a recent CDT report, Legal Loopholes and Data for Dollars: How Law Enforcement and Intelligence Agencies Are Buying Your Data from Brokers, law enforcement agencies are increasingly sidestepping these legal requirements by purchasing data on Americans from data brokers. 

As a result of the Dobbs decision, prosecutors in anti-abortion states will apply for warrants and court orders — as well as issue subpoenas — to obtain communications data of people and providers of reproductive health services. Law enforcement can also use tax dollars to buy their way around these requirements, purchasing records from data brokers that are relevant to their investigations relating to abortion. The range of private information that could be swept up in these investigations is vast, and includes the most personal details about their medical activities, family plans, and romantic relationships. Criminalizing abortion will also lead to outsized impact on communities already disproportionately impacted by policing, including people of color, LGBTQ people, and disabled people.

4. What Companies Should Do In the Wake of Dobbs To Protect Privacy

Companies should limit how they collect, retain, sell, transfer, or otherwise use information that can be used to generate insights or predictions about a person’s reproductive health. This type of information includes location data, browsing and search history, email logs, and data specifically tied to reproductive health. It also includes data from health trackers like FitBit. In fact, most data can be “reproductive health data” if it is used for such purposes, even if it appears unrelated on its face. Companies should also encrypt data that they hold, and they can offer their users services that are encrypted end-to-end so that only the sender and recipient(s) have access to the content on those services. CDT has proposed some approaches in our Proposed Consumer Privacy Framework for Health Data and Legal Loopholes and Data for Dollars reports. 

Companies should also ensure that their content moderation policies, practices, and algorithms do not suppress access to information related to reproductive health. Companies should resist pressure they receive from state officials to remove reproductive health information or limit access to it. They also should counter attempts to disseminate dis- and misinformation abour reproductive health, such as the recent example directing people who searched for an abortion clinic to a fake clinic. 

Further, companies should carefully scrutinize and seek to limit the scope of surveillance demands issued in prosecutions to enforce anti-abortion laws; they should also have clear and consistent standards for refusing overbroad requests. As an aspect of their efforts to ensure the validity of law enforcement demands, they should also require that the court orders and warrants they receive specify the statute(s) that prohibit the conduct that justifies the order. Companies should commit to giving their users timely notice of these and other surveillance demands so their users can protect their rights. Companies should refuse to acquiesce to orders that are improperly broad — such as geofence orders that encompass unnecessarily broad areas or spans of time, or fail to narrow targets when able — and insist that law enforcement entities narrow their requests to comply with particularity requirements for reasonable searches. They should report publicly on the numbers of surveillance demands they receive in investigations regarding reproductive health services, the percentage of orders that are complied with or refused, and their record in giving users timely notice. 

5. What People Should Do In The Wake of Dobbs to Protect Themselves

People seeking to obtain or provide reproductive care—or support those doing so—in states where legal restrictions are coming into effect should consider the digital trail they leave behind, and take careful steps to avoid having their data used against them. The most effective way to avoid location tracking is to simply not carry a phone to sensitive locations. Safe web browsing and web searching requires using a public computer, or secure tools like Tor. Using secure messaging systems like Signal and WhatsApp is also important. The Electronic Frontier Foundation, Digital Defense Fund, and Project On Government Oversight all have detailed guides on practical steps on how people can best preserve their privacy when seeking reproductive care information or services.

6. Conclusion

Dobbs is a call to action for many people on many fronts. The privacy implications of the Court’s decision are profound, and those who support reproductive rights must come together to protect the privacy of those seeking and providing reproductive care.