View in browser

Welcome to the TechStream newsletter! If this email was forwarded to you, sign-up here.

A pro-choice demonstrators sunglasses reflect her taking a photo and the facade of the Supreme Court

America's post-Roe data-privacy battle

In the aftermath of the Supreme Court’s ruling to overturn Roe v. Wade, more than two dozen U.S. states are poised to ban abortion or have already done so. And as prosecutors seek to enforce abortion bans by, in many cases, relying on data generated by abortion-seekers, the criminalization of what had been a routine medical procedure represents the next major conflict over data privacy in the United States.

Research shows that abortion bans do not prevent the procedure; rather, they simply force individuals seeking an abortion to rely on less safe methods. This means that individuals seeking an abortion in the 26-some states expected to ban the procedure face difficult questions about how to obtain access. For some, this will mean traveling to a state with more liberal abortion laws; for others, it will mean securing an abortion pill by mail. Depending on how local policymakers decide to draft their anti-abortion statutes, such activity could implicate medical providers as well as the individuals seeking an abortion.

But how might, for example, inter-state "abortion tourism" be tracked? In many cases, the answers will be found in databases run by America's tech giants: search queries, email correspondence, text messages, and navigation instructions, among other things. Consumer data like this can give prosecutors the ability to build concrete, non-circumstantial cases against abortion-seekers—if they can get access.

This type of data has already been used to prosecute abortion-seekers in the past. In 2015, prosecutors relied on text messages to prove that Indiana resident Purvi Patel had committed “feticide” when she ordered abortion pills online and used them to terminate her pregnancy. She was sentenced to 20 years in prison. In 2017, Mississippi resident Latice Fisher was charged of killing her unborn child after her browser data revealed an online purchase for abortion pills; there was no proof that she had taken them.

Cases like these indicate how prosecutors are likely to enforce anti-abortion laws and point to the conflicts likely to arise when law enforcement officials seek to obtain the sensitive medical data that could serve as the basis for prosecution. Period tracking apps, widely used to predict menstrual cycles and track reproductive health, have been implicated as a treasure trove for prosecutors. Other stores of data can be equally revealing. Text messages between friends and family could be used to show intent. Location history could document a trip to the reproductive clinic one state over.

Much of this data is likely to be easily available: data describing menstruation, missed periods, and visits to health clinics can be obtained either via subpoena or by purchase through data brokers. Indeed, the availability of this type of data via data brokers raises the possibility that vigilante action of the type lauded by Texas’s anti-abortion laws might be facilitated by data purchased via these brokers. With states like Texas, Oklahoma, and Idaho incentivizing the reporting of abortions with cash bounties, malicious hackers have an incentive to acquire sensitive user data.

Notably, none of the states that are slated to ban (or have already banned) abortion offer robust data protection laws. Abortion-seekers in these states will remain, for the time being, at the mercy of major data-holders and the policies they choose to combat, overlook, or embrace.

Many of these concerns could conceivably be addressed via a comprehensive federal privacy law, but with Congress deadlocked on the issue and Republicans unlikely to sign on to provisions that would make it more difficult to enforce anti-abortion laws, conflicts over user data related to abortion will be left up to companies to address. In many cases, companies are likely to cooperate with legal requests for data. Presented with a court order to turn over user data, companies are unlikely to mount a costly legal fight. Google, for example, complies with 80% of legal requests to turn over user data, and while the company has said it would fight overly broad data requests, there is little prior evidence to suggest it would resist a targeted request. Furthermore, because many of these requests are accompanied by a gag order, users are unlikely to learn about the disclosure of their data until it has already exchanged hands.

Major tech companies have been quick to say that they will cover expenses for employees needing to travel out-of-state to secure an abortion. They have been less forthcoming about how they will handle concerns around user data. Employee petitions have circulated at companies such as Amazon encouraging executives to take a firm stance, but Amazon has yet to issue any public statements on the issue. Google has said it will delete location data if users are detected to have visited an abortion clinic, a domestic violence shelter, or other similarly sensitive location, but it is unlikely that move will significantly hamper efforts to prosecute those seeking or providing abortions.

A bill introduced by Sen. Ron Wyden, the Oregon Democrat, would go much farther in restricting the collection of reproductive health data, but in a gridlocked Congress, that measure is unlikely to move forward. In its absence, how to obtain and provide abortions while avoiding prosecution is going to fall on abortion providers and those seeking the procedure. This means that both abortion providers and seekers will need to abide by strict data security precautions to avoid legal trouble. But placing the onus on providers and seekers to obscure their digital footprint also means that the marginalized communities least equipped to navigate this treacherous digital landscape will be those most at risk of prosecution.

– Dylan Hanson (@dylanhansononhere) and Elias Groll (@EliasGroll)

Recently on TechStream

China's use of search engines to spread propaganda

For authoritarian states like China, search engines represent a key—and underappreciated vector—to spread propaganda to audiences around the world. On a range of topics of geopolitical importance, Beijing has exploited search engine results to disseminate state-backed media that amplify the Chinese Communist Party’s (CCP) propaganda. Users turning to search engines for information on Xinjiang, the site of the CCP’s egregious human rights abuses of the region’s Uyghur minority, or the origins of the coronavirus pandemic are surprisingly likely to encounter articles on these topics published by Chinese state-media outlets. By prominently surfacing this type of content, search engines play a key role in Beijing’s effort to shape external perceptions, Jessica Brandt and Valerie Wirtschafter write.

What we’re following

EU tech laws. The European Parliament adopted two landmark laws seeking to impose greater competition in the tech sector and to sharpen rules for acceptable content online. Taken together, the Digital Services Act (DSA) and the Digital Markets Act (DMA) represent the signature effort of the European Union to rein in the powers of the largest tech companies. The laws will require companies to improve the interoperability of their services, improve user safety online, and mandate greater transparency. Amid Washington’s inability to move forward on antitrust reform and a comprehensive privacy law, the adoption of the DSA and DMA firmly establishes Brussels as the global center of gravity for tech policy.

Chinese data breach. In what may be the largest data breach in Chinese history, a hacker is offering to sell a massive trove of personal data believed to have been collected by police in Shanghai. The data may cover as many as 1 billion Chinese citizens and was reportedly easily accessible online without a password. Chinese authorities in recent years have amassed a huge amount of data on Chinese citizens, and the breach exposes the full scale of that system and the privacy risks it poses to ordinary Chinese citizens.

India. Twitter is suing the Indian government and challenging its wide-ranging powers to censor online content. The move is the latest challenge to the Indian government’s increasingly aggressive effort to control online speech and establish wide-ranging powers of foreign technology platforms operating in the country.

Antitrust. U.K. antitrust regulators announced they will investigate the $68.7 billion acquisition of video game studio Activision Blizzard by Microsoft. The deal was struck earlier this year amid a wave of consolidation in the video game industry and as competition regulators are increasing scrutiny of the tech industry.

North Korea. U.S. officials accused North Korean hackers of being responsible for a rash of recent ransomware attacks targeting American hospitals and healthcare facilities. North Korea has in recent years turned toward cybercrime and ransomware attacks as a way to fund its illicit weapons program and circumvent sanctions, but the value of its cryptocurrency holdings have plummeted in recent months as the global market for digital currencies has cratered.

Spyware countermeasures. Apple unveiled new security features in the latest version of its iOS mobile operating system aimed at countering the ability of highly sophisticated spyware to target high-risk users. The new features, dubbed “Lockdown Mode,” sharply reduce the functionality of features that software built by companies like NSO Group target in spying on users.

Chip wars. South Korean chipmaker Samsung said it has beaten its Taiwanese rival, TSMC, in successfully manufacturing 3 nanometer computer chips. The production of ever-smaller computer chips is key in developing faster, more power-efficient chips, and access to these cutting-edge semiconductors has become a key point of strategic competition amid a global chip shortfall.

TikTok. A bipartisan coalition of lawmakers on the Senate Intelligence Committee are calling for yet another investigation into TikTok's data sharing with its Chinese parent company. Renewed scrutiny has emerged following recent reports that Chinese employees are able to view U.S. data despite the company's insistence otherwise. The allegations are the latest in a saga of national security investigations into the company and its dubious data security practices.

Startup winter. After nearly a decade of seemingly limitless growth, the last three months have seen a steep decline in the amount of investment into U.S. startups, the first such decline in years. The drop-off comes after steep losses in public markets that have led companies—both startup and legacy—to conserve capital and prepare for hard times.

Data transfers. With European and U.S. officials failing to reach a new agreement governing data transfers between Europe and the United States, Meta may be shutting down Facebook and Instagram for users in Europe. The move is the latest fallout from the ongoing conflict between Europe and the United States over whether European user data stored on U.S. systems provides users with sufficient privacy protections.

Amazon and the UAE. To comply with local laws, Amazon will no longer serve products and results related to the LGBTQ community to users in the United Arab Emirates (UAE). The company has operated in the country since 2017 and is pulling results for LGBTQ-related keywords in order to avoid unspecified penalties.

Reverse Google searches. A law enforcement technique that allows investigators to identify suspects based on their search history is facing its first major challenge in court. Using the technique, commonly known as reverse searching, investigators subpoena search engines for records of all users who searched a relevant, incriminating term. The defendants, accused of arson, were identified after they searched for the address where the fire would later be set. The case has major implications for how search data might be used as part of prosecutions, including potentially as part of abortion-related cases.

Digital payments. India's Universal Payment Infrastructure (UPI) will be piloted in France, marking its first foray into European markets. UPI is an alternate, mobile-first payment protocol that allows consumers and financial institutions to transfer money globally without mediation or middlemen. It was first piloted as a means for the Indian government to send money to its poorer citizens without relying on intermediaries. The infrastructure now supports over $100 billion in transactions per month. While U.S. entrepreneurs taut web3 and decentralized currency as the future of trustless finance, India's global success with the UPI system suggests that there may be solutions beyond the blockchain.

Reports we’re reading

AI chips. A report from the Center for Security and Emerging Technology examines how China’s armed forces are able to access U.S.-made chips specialized for artificial intelligence applications.

A final point

“If you want this information, I can get it.”

— A hacker-for-hire's offer, as documented in a fascinating Reuters investigation of how mercenary hackers are being used in litigation battles.

Amazon, Facebook, Google, and Microsoft provide financial support to the Brookings Institution, a nonprofit organization devoted to rigorous, independent, in-depth public policy research.