America's post-Roe data-privacy battle
In the aftermath of the Supreme Court’s ruling to overturn Roe v. Wade, more than two dozen U.S. states are poised to ban abortion or have already done so. And as prosecutors seek to enforce abortion bans by, in many cases, relying on data generated by abortion-seekers, the criminalization of what had been a routine medical procedure represents the next major conflict over data privacy in the United States.
Research shows that abortion bans do not prevent the procedure; rather, they simply force individuals seeking an abortion to rely on less safe methods. This means that individuals seeking an abortion in the 26-some states expected to ban the procedure face difficult questions about how to obtain access. For some, this will mean traveling to a state with more liberal abortion laws; for others, it will mean securing an abortion pill by mail. Depending on how local policymakers decide to draft their anti-abortion statutes, such activity could implicate medical providers as well as the individuals seeking an abortion.
But how might, for example, inter-state "abortion tourism" be tracked? In many cases, the answers will be found in databases run by America's tech giants: search queries, email correspondence, text messages, and navigation instructions, among other things. Consumer data like this can give prosecutors the ability to build concrete, non-circumstantial cases against abortion-seekers—if they can get access.
This type of data has already been used to prosecute abortion-seekers in the past. In 2015, prosecutors relied on text messages to prove that Indiana resident Purvi Patel had committed “feticide” when she ordered abortion pills online and used them to terminate her pregnancy. She was sentenced to 20 years in prison. In 2017, Mississippi resident Latice Fisher was charged with killing her unborn child after her browser data revealed an online purchase of abortion pills; there was no proof that she had taken them.
Cases like these indicate how prosecutors are likely to enforce anti-abortion laws and point to the conflicts likely to arise when law enforcement officials seek to obtain the sensitive medical data that could serve as the basis for prosecution. Period tracking apps, widely used to predict menstrual cycles and track reproductive health, have been implicated as a treasure trove for prosecutors. Other stores of data can be equally revealing. Text messages between friends and family could be used to show intent. Location history could document a trip to the reproductive clinic one state over.
Much of this data is likely to be easily available: data describing menstruation, missed periods, and visits to health clinics can be obtained either via subpoena or by purchase through data brokers. Indeed, the availability of this type of data via data brokers raises the possibility that vigilante action of the type lauded by Texas’s anti-abortion laws might be facilitated by data purchased via these brokers. With states like Texas, Oklahoma, and Idaho incentivizing the reporting of abortions with cash bounties, malicious hackers have an incentive to acquire sensitive user data.
Notably, none of the states that are slated to ban (or have already banned) abortion offer robust data protection laws. Abortion-seekers in these states will remain, for the time being, at the mercy of major data-holders and the policies they choose to combat, overlook, or embrace.
Many of these concerns could conceivably be addressed via a comprehensive federal privacy law, but with Congress deadlocked on the issue and Republicans unlikely to sign on to provisions that would make it more difficult to enforce anti-abortion laws, conflicts over user data related to abortion will be left up to companies to address. In many cases, companies are likely to cooperate with legal requests for data. Presented with a court order to turn over user data, companies are unlikely to mount a costly legal fight. Google, for example, complies with 80% of legal requests to turn over user data, and while the company has said it would fight overly broad data requests, there is little prior evidence to suggest it would resist a targeted request. Furthermore, because many of these requests are accompanied by a gag order, users are unlikely to learn about the disclosure of their data until it has already changed hands.
Major tech companies have been quick to say that they will cover expenses for employees needing to travel out-of-state to secure an abortion. They have been less forthcoming about how they will handle concerns around user data. Employee petitions have circulated at companies such as Amazon encouraging executives to take a firm stance, but Amazon has yet to issue any public statements on the issue. Google has said it will delete location data if users are detected to have visited an abortion clinic, a domestic violence shelter, or other similarly sensitive location, but it is unlikely that move will significantly hamper efforts to prosecute those seeking or providing abortions.
A bill introduced by Sen. Ron Wyden, the Oregon Democrat, would go much further in restricting the collection of reproductive health data, but in a gridlocked Congress, that measure is unlikely to move forward. In its absence, the burden of working out how to obtain and provide abortions while avoiding prosecution will fall on abortion providers and those seeking the procedure. This means that both abortion providers and seekers will need to abide by strict data security precautions to avoid legal trouble. But placing the onus on providers and seekers to obscure their digital footprint also means that the marginalized communities least equipped to navigate this treacherous digital landscape will be those most at risk of prosecution.
– Dylan Hanson (@dylanhansononhere) and Elias Groll (@EliasGroll)