The US Supreme Court overturned on Friday the 1973 landmark decision Roe v. Wade,. Already, the digital trails of abortion seekers can become criminal evidence against them in some states where abortion were previously prosecuted. And the legal dangers may extend to abortion seekers in even more states.
Third-party data brokers sell sensitive geolocation data -- culled through a vast web of personal tracking tech found in apps, browsers and devices -- to law enforcement without oversight. Democrats' last-ditch effort to pass an abortion-protection act in May failed in the Senate, with all Republicans and one Democrat voting against it. The bipartisan data privacy legislation now slowly inching through Congress is widely thought toothless. Meanwhile, the Federal Trade Commission's enforcement failures have historically allowed privacy-offending corporations to skirt penalties, and the White House hasn't yet offered an executive order on either privacy or abortion.
And it's getting worse.
Oklahoma and Texas, which have so-called bounty hunter laws in place, are relying on civilian enforcement of abortion restrictions by promising $10,000 or more to would-be informants who successfully sue abortion providers and those who help abortion seekers. Given the inexpensive cost of readily available stores of personal data and how easily they can be de-anonymized, savvy informants could use the information to identify abortion seekers and turn a profit.
As some states have curtailed abortion access in the past few years, these data sets have become richer, with more precise, sensitive and personally identifiable information. Telemedicine abortions have been on the rise, along with the amount of abortion-related web browsing data surveilled by both commercial and law enforcement entities.
The result: Your phone's data, your social media accounts, your browsing and geolocation history, and your ISP's detailed records of your internet activity may all be used as evidence if you face state criminal or civil charges for a miscarriage.
This risk has grown now that the Supreme Court has overturned Roe v. Wade, breaking with five decades of legal precedent giving women the right to an abortion.
Though the right to an abortion is no longer constitutionally protected, abortion remains legal in several states. However, a number of Republican-led states have introduced or enacted legislation severely curtailing access to an abortion. And some have enacted near-total bans on abortion -- notably Texas, whose law the Supreme Court previously allowed to stand.
Some states had already moved to protect abortion rights in the event federal protections were overturned, but 26 states previously passed anti-abortion "trigger laws" that now go into effect immediately to restrict patients' rights. It's still a legal gray area in some cases, but most of those state laws include language that could be interpreted to include self-managed abortion. More than two dozen laws would allow police to arrest you for seeking an abortion -- or for simply failing to satisfy police investigations into your miscarriage.
Abortion medication is safe. But now that Roe is overturned, your data isn't.
When abortion is a crime, police surveil it like one
The risks aren't just hypothetical.
Latice Fischer spent two years in jail because she had a miscarriage in 2018 after Googling abortion pills, and Mississippi authorities used her search as evidence when they charged her with second-degree murder. Indiana resident Purvi Patel's text messages to her friend and her online abortion pill purchase were both used as evidence against her when she was jailed in 2015 for alleged feticide. She spent three years in prison before her conviction was overturned.
Meanwhile, Georgia police attempted to use federal DNA criminal databases in 2018 to track down the origin of a 20-week-old fetus. Government surveillance of period and pregnancy data came to light again in 2019, when the director of Missouri's health department was discovered tracking menstrual cycles of Planned Parenthood patients.
In Oklahoma, three new laws aren't explicitly aimed at abortion seekers or providers but nonetheless stand to sharply increase police access to geolocation data. One law requires wireless carriers to immediately provide call location data to police on request, and to work with the Oklahoma Bureau of Investigation. Another raises questions around mandatory reporting requirements as it formalizes 911 operators into "first responders." A third gives county officers, including sheriffs, the green light to hire more data processing and IT staff.
These kinds of laws, which allow police to access more data, are already cause for concern, and criminal defense lawyers had previously sounded the alarm about potential mass incarceration if Roe was overturned. Women are already the fastest growing demographic in US prisons, with Latina and Hispanic women 20% more likely to face incarceration than white women. The trend is driven overwhelmingly by state and local imprisonment rates, with the sharpest decade-over-decade increases found in Oklahoma.
US state legislatures passed 108 abortion restrictions in 2021 alone, according to the Guttmacher Institute. As of 2020, 38 states already had "fetal homicide" laws in place; 10 of those states have nothing exempting the pregnant person from prosecution. And even in states with prosecution exemptions, women have still been arrested for losing a pregnancy and, in some cases, for failing to notify the police quickly enough when miscarrying or surviving a stillbirth. Between 1973 and 2005, women were charged with crimes related to their own pregnancy in 68 cases nationally. And as of 2020, at least 20 states had opened investigations into women accused of self-managed abortions, indicating that the currently gray area in anti-abortion legislation may soon be clarified by local prosecutors' interpretations.
Between 2006 and 2015, Alabama led the nation in turning pregnant women into felons, prosecuting nearly 500 for allegedly exposing a fetus to controlled substances, even when they were prescribed. Alabama is just one of 45 states that have prosecuted pregnant women for drug use. In 2021, the American Bar Association estimated that nearly 1,200 women in the US had faced criminal charges based on pregnancy outcomes since 1973.
Notably, Texas law SB8, which bans abortion in the state from as early as six weeks, doesn't actually include a criminal penalty if someone obtains an abortion for themselves. But that didn't stop police in Rio Grande from arresting Lizelle Herrera and charging her with first-degree murder after she showed up a hospital presenting signs of pregnancy loss.
Whether or not abortion seekers face criminal penalties in their home state after terminating their own pregnancy, the patient's own private data may still become a liability to their safety as it flows from tech giants and health care providers into police hands.
Researchers have sounded privacy alarms for years
Law enforcement agencies' use of a digital surveillance arsenal -- and collected data -- continues to grow with little oversight, presenting a more legally threatening environment for abortion seekers than what the country knew pre-Roe, according to Salon's Amanda Marcotte.
But spending millions of dollars on database-building and the local use of high-powered mobile tracking tools may still be more cumbersome for law enforcement agencies than simply reusing data obtained under unrelated subpoenas. In 2021, a Wisconsin man's cellphone contents were collected by law enforcement in one county without a warrant and then -- after he was cleared of charges and the case was closed -- the same data was used by law enforcement in a different county for an unrelated case.
Easier than reusing evidence, law enforcement can simply request private data from ISPs and wireless carriers like AT&T. Verizon has been selling customer location data for years and already collates crowdsourced location data for its police partners -- boasting of its nearly real-time tracking capabilities. Both are among the six providers called out by the FTC in October for tracking and selling massive amounts of customer data. The , FBI and police have repeatedly asked those same providers to track customer data.
Data giants like Google, Apple, Facebook and Twitter also readily hand over users' personally identifiable data to law enforcement when requested to. But the companies are now under investigation by federal authorities after being duped into fulfilling fake legal requests that were then used to target and sexually extort women and minors.
These surveillance tactics are among the reasons cybersecurity researchers are increasing calls to action around the privacy of abortion data, spotlighting not just general data vulnerabilities around the web, but geolocation-specific data gathered through mobile apps and made available for purchase by third-party data brokers.
Following the Supreme Court's Roe v. Wade draft opinion leak in May, sharp warnings from privacy experts swept across Twitter. The Electronic Frontier Foundation's cybersecurity director, Eva Galperin, pointed to the resurgence of data privacy concerns regarding apps that track menstrual cycles.
"If you are in the US and you are using a period tracking app, today is good day to delete it before you create a trove of data that will be used to prosecute you if you ever choose to have an abortion," Galperin tweeted.
As first noted by Kaiser Health News, a 2019 BMJ study found that 79% of the 24 health apps identified in the Google Play Store routinely share data. That number may seem small, but the apps collected 28 different types of data and shared it across an even larger net of entities.
"Fifty-five unique entities, owned by 46 parent companies, received or processed app user data ... suggesting heightened privacy risks," researchers said. "These apps claim to offer tailored and cost effective health promotion, but they pose unprecedented risk to consumers' privacy given their ability to collect user data."
Consumer Reports analyzed eight of the most popular period and fertility apps in 2022 and 2020, finding that only three -- Drip, Euki and Periodical -- stuck with privacy-protective, local-only data storage and were totally clean of third-party trackers.
The privacy alarms have been sounding for years. In a 2018 Defcon appearance, a security researcher who goes by the name of Pigeon detailed the extent of surveillance vulnerability among those who seek information on abortion and called on security researchers to help bolster health privacy efforts.
"We have the opportunity to lend our security skills to those disproportionately likely to experience surveillance: those seeking to self-induce abortions by ordering medication online," she wrote in her post.
Among her other findings, Pigeon demonstrated how purchasing abortion medication online comes with its own set of paper trails. Out of the top 20 websites used for online abortion pill purchase, she found that 17 used unencrypted HTTP, instead of the more secure HTTPS.
A 2020 report by Privacy International highlighted 10 methods through which anti-abortion organizations have used data to target abortion seekers. Among them are the development of digital dossiers on those seeking pregnancy options and the tactic of integrating with government operations targeting young migrant women. The tactics were again called out by University of London researchers in May, in a study detailing how similar data exploitation tactics are employed globally.
Police have drawn criticism from civil rights advocates over the use of geofencing tactics against protesters and other groups, including using geofence data to generate leads for other criminal charges. In its May report, the Surveillance Technology Oversight Group noted that the number of geofencing warrant requests have escalated dramatically since beginning in 2018, with more than 20,000 warrants served. In 2020 alone, Google received 11,554 geofencing warrants. Only 4% were from federal agencies. The rest were from state and local law enforcement.
Geofence warrants, which account for nearly half of all US warrants, would be largely nonexistent if Google didn't warehouse user location data. Forty members of Congress, all Democrats, have called on it to stop, specifically because they worry the information would be used to identify people obtaining abortions. With encouragement from a landmark federal district court ruling in March, states could also ban geofence warrants and corporate geofencing technology from targeting clinics. Currently, only Massachusetts has done so.
Opting out isn't simple
Worse still, no data nets are as difficult for abortion seekers to escape than those of the third-party data brokers police buy from.
Another common tactic for anti-abortion groups is buying Planned Parenthood visitor data collected through corporate geofencing methods.
Recent reporting from Motherboard's Joseph Cox shined a spotlight on SafeGraph, a data broker selling detailed information on the visitors to clinics that provide abortion, including Planned Parenthood facilities. Vice bought a week's worth of the data for $160 and confirmed it could be used to detail how many people visited Planned Parenthood locations, along with where those people came from and went afterward.
SafeGraph responded by saying it would no longer sell people's data in packages that group clinic visitors together. But SafeGraph is the same Peter Thiel-backed company contracted by the Centers for Disease Control and Prevention to track millions of Americans' movements during COVID lockdowns, selling 5 million people's location data to the Illinois Department of Transportation.
And it's just one company.
The problem is fueled in part by websites targeting abortion seekers that collect user data with web trackers -- and nonprofit organization sites are often among them. A 2021 investigation by The Markup found that Planned Parenthood's website contained 70 trackers and third-party cookies.
The common advice from many privacy advocates is to manually opt out. But opting your data out of every brokers' collection has become almost impossible for most people.
There are around 4,000 data brokers globally, and each has its own process by which a person may or may not be able to opt out, so you'd potentially have to review about 4,000 company websites and follow the instructions on each. Even if you do all that, however, you still can't win. Several data brokers -- like LexisNexis, which aggregates location-sensitive data for ICE -- don't allow you to opt out of their data gathering in most cases.
One Band-Aid option is to use subscription services like Optery that scan brokers' databases for your information and create a single-site opt-out process. But Optery's cheapest plan costs $10 a month and removes you only from about 100 data brokers. Even its most expensive plan, at $25 a month, removes you only from around 200 brokers. It isn't a sustainable long-term option for the people most at risk of being targeted for abortion-related arrests or harassment: low-income women in areas with reduced access to privacy tech and internet service.
Or, as Elizabeth Joh puts it, writing for Slate: "Telling the typical person who might seek an abortion to install a virtual private network or focus on encrypted apps isn't going to help much. And the recourse to self-help misses the point."
Until federal regulations and legislation establish a set of digital privacy laws, abortion seekers are caught in the position of having to create their own patchwork of digital defenses, from often complicated and expensive privacy tools. A bipartisan data privacy bill introduced in June faces stiff opposition from not only the wider private sector profiting off data, but from the data-collecting tech giants' own lobbyists posing as privacy advocates.