What a digital law expert wants you to know about post-Roe data privacy

Following the U.S. Supreme Court’s decision to abolish federal abortion rights by overturning Roe v. Wade, experts have raised concerns about the type of personal data that’s collected within certain reproductive health apps, such as trackers of menstrual cycles or fertility. The fear is that this type of information could be used against someone seeking an abortion in a state that has made it illegal, or has severe restrictions in place.

The White House has also expressed its concerns over such reproductive health apps. “I think people should be really careful about that,” Jen Klein, the director of the White House's Gender Policy Council, told reporters on July 8. That was the day President Biden signed an executive order calling on the Federal Trade Commission to consider steps to protect the privacy of consumers when seeking reproductive health care.

“The world has changed in many ways since Roe [v. Wade]. But one of the ways that it's changed is we have a digital surveillance infrastructure now that did not exist before,” Corynne McSherry, legal director for the Electronic Frontier Foundation, a nonprofit defending digital privacy, told Yahoo News.

McSherry said the concern extends beyond reproductive health apps and explains why text messages and internet searches for abortion services could be problematic, and what people can do to help protect themselves.

(Some responses have been edited for length and clarity.)

Yahoo News: Could reproductive health apps, text messages and internet searches be problematic in a post-Roe America?

McSherry: It absolutely can be problematic for people who are seeking abortions, people who are providing abortions, people who are supporting abortion care or reproductive health care in some way. Absolutely, all of these applications can be problematic, and the reason why is, absent search engines and all the internet services that we rely on every day, is that many of these services and apps are surveilling us. The world has changed in many ways since Roe [v. Wade]. We have a digital surveillance infrastructure now that did not exist before. All of these services that make everything so convenient, help us find information, connect with each other and provide services to others — all of these involve relying on service providers. Most of those service providers are collecting information about you every time you use their service in any way. That's the key to the problem. I really think it's extremely important that people not have the impression that if they delete that app from their phone, they're safe.

How could digital data regarding abortion services be used against a person?

You might consciously do a search, looking for medication abortion information. In the event you ended up being prosecuted for what they call “pregnancy outcome,” the prosecutors might try to get access to your laptop or your device and look at your search history. Then they might use that information against you. Abortion providers will likely be their targets before women. It is also true that the devices of a woman who is alleged to have sought an abortion might be used — might be searched — in order to provide evidence against someone who supposedly provided that abortion. This is why privacy is a community activity. It's not just a one-way thing. If you are texting with a friend or with family and talking about what you're planning to do, or if you're a provider and talking about your practice, those prosecutors might try to get access to those texts. That's one set of things you might think about.

The other thing that is potentially even more dangerous is all of the data that's being collected about you from the apps on your phone, by your phone itself and not just collected, but often shared without your real knowledge. You may have signed a terms of use, but everyone knows that no one reads those. It might be shared widely, without your knowledge. Usually, the folks that will share it will say it's “anonymized.” They will claim that it's anonymized in a variety of ways, but sadly, it’s extremely easy to de-anonymize data that's provided.

A big concern that we see already has to do with location data brokers. They are people that collect information about how many people are in a given area, at a given time of day. They will sell that information to anyone who wants it, including law enforcement, for very little money. A lot of these services are set up for more marketing purposes. But it is also true that it's very easy to, for example, acquire information regarding the phones and the data that they've collected around a Planned Parenthood at a given time of day or a given place. Then you start collating, cross-referencing different sorts of data and then you start building a picture.

There's also been keyword searches where law enforcement has sought information from Google on how many people searched for a given keyword, within a given timeframe. They'll try to use this information in the context of their prosecutions. This is just the tip of the iceberg. It is really shocking. The reason we know about some of these things is that this practice isn't new and the law enforcement techniques are not new. It's just that up until now, I think many people haven't been paying a lot of attention, because they think that's probably just going to get used against bad guys, and I'm not worried about that. Now it's a situation where that information could be used against your sister or your daughter or your aunt or your friend, and used to put them in jail.

Could reproductive health app data be used as evidence?

The simple thing is that, let's say you've been recording your period for seven years, or however long, faithfully. Suddenly you stop. What's that about? It's a very simple, crude tool. There could be any number of reasons. It's the kind of thing where maybe you combine that with, have they managed to get evidence that suggests that you went to a clinic, right around that same time or shortly thereafter? Could this evidence be used? In some states, they don't have complete bans on abortion, but they still have bans within six weeks, 15 weeks. Maybe, it could be used to suggest, how pregnant were you? Contrary to what you might see on TV, people aren't usually convicted based just on confessions. That's not usually how it works. Usually, it’s circumstantial evidence. I can see prosecutors coming in with circumstantial evidence.

Another way of thinking about this is that your information might be sought, not because anyone's pursuing data directly, but rather, they're pursuing the provider or someone who helped. The statutes do go after providers. Many of the ones that are proposed talk about aiding and abetting (laws in Texas and Oklahoma). And the reason they do that is because they realize politically, it may be not as palatable right now to go after the women directly, so you go after everybody else.

Are there real instances when abortion-related digital data was used to prosecute someone?

There [are] a couple different examples where text messages and search history were used against women already. A thing that many people aren't aware of is that prosecutions for what we call pregnancy outcomes are not new. In fact, the criminalization of pregnancy is a long-standing thing. What will happen, and what has happened, is there will be a pregnancy and it will end in maybe a late miscarriage or some other kind of situation. Hospitals, sometimes, will report to child protective services or to other government officials that they have a concern. That's already happened.

(In 2017, Latice Fisher was charged with second-degree murder after she experienced a stillbirth at home at 36 weeks in Mississippi. Police found that she had searched for abortion information online. The murder charge was eventually dismissed.)

(In 2015, Purvi Patel was convicted of feticide from a self-induced abortion and was sentenced to 20 years in prison in Indiana. The prosecution used text messages as evidence in which she talked about her plans to take abortion pills. Patel was released after her conviction was overturned in 2016.)

In neither case did they expect that [the messages and internet searches] would be used against their argument, that they would be facing this kind of challenge or this kind of search and this kind of prosecution.

The other reason to be aware of is because it's already happening in other contexts. These are law enforcement techniques. They're used in all kinds of contexts. There's no particular reason to think that a dedicated attorney general or sheriff wouldn't use the same techniques against any criminal or anyone they view as a criminal. If you're violating the law of state, this is the approach they're going to take. It's just evidence, from their view.

Are there any federal laws that protect someone’s digital data?

At the federal level, there's an Electronic Communications Privacy Act called ECPA. There's a Store Communications Act, which governs emails. There are some protections in place, but they are so out of date, they are decades old. They are not what we need for this moment, by a long shot. That's why really, what we need is comprehensive, serious federal privacy legislation.

One of the reasons we don't have that right now is because I think there's a whole lot of companies that don't want to have to deal with that. It'll be burdensome. Also, because there's a whole lot of companies that base their entire business model around collecting information about their users. That is what they do.

What are some steps someone can take to help protect their digital data?

I don't think we want to push for a world in which no one gets to use an app. I also don't think that people should have to turn themselves into security experts in order to live their lives, just because they happen to be at a reproductive age.

There are some things though, that you can do. One of the key things is to really find out. Are they collecting data on you? Where's it going to be? There are apps that you can find where you could just, it's on your phone. The data is collected, but it stays on your phone, within your control, for you. That's not perfect. You can still face or warrant or whatever, but it still helps. Once your information is in the hands of a third party, you don't control it anymore.

You can use encrypted messaging. WhatsApp has an encrypted messaging feature, you can use Signal. There are several services that allow you to message in an encrypted way.

Also, really pay attention to location. For example, if you're using Google maps, Apple maps, they need to know where you are in order to help you navigate. Turn on location tracking for that moment, turn it off afterwards.

If you're doing any kind of search where basically, you don't want a third party to know about it, turn on your private browsing window. It's not perfect security protection, but lots and lots of browsers allow you to do that.

I don't think it should be up to users to protect themselves all the time. This is what we have representatives for. We all need strong, legal protections that we just don't have right now. It's criminal, to be honest, that we don't have them yet. It's really shocking.

(Three House lawmakers, Reps. Carolyn Maloney, Raja Krishnamoorthi and Sara Jacob, have launched an investigation into the handling of reproductive health data by data brokers and health apps. Additionally, a group of senators introduced the Health and Location Data Protection Act in June. The bill would ban data brokers from selling health and location data.)