Data privacy laws in a post-Roe world
The leaked draft of a Supreme Court decision that could overturn Roe v. Wade has many preparing for what appears to be an all-but-certain future in which abortion is illegal in many parts of the United States. The pervasive and barely regulated data collection industry could have a big role to play in investigating and proving cases against people accused of performing or getting what may soon be illegal abortions.
We don’t know if that will happen, but we do know a lot of data is readily available if law enforcement wants it because there’s very little, legally, restricting its collection. And we also know the police use that data all the time, getting it through court order or by simply buying it. Through your phone and your computer, they can find out where you go, who you interact with, what you say, what you search the internet for, which websites you visit, and what apps you download.
This isn’t just true of abortion-related data; police have always had ways to access your private data. But now, a lot of people who weren’t concerned about what the police or data brokers knew about them before may suddenly have a lot to worry about — and there’s very little out there to keep their private lives private in a court of law.
“The dangers of unfettered access to Americans’ personal information have never been more obvious,” Sen. Ron Wyden, a longtime advocate and proponent of online privacy laws, told Recode.
One big concern seems to be whether period tracker apps could be used to find and prosecute people who get abortions. Period apps are problematic for a lot of reasons, but somehow tipping off the police that you got an abortion is pretty far down on the list. Far worse is the pervasive and barely regulated data collection industry that has been allowed to build and share detailed profiles of all of us for years. The fact is, it’s easy enough to delete a period app from your phone. It’s a lot harder to delete the data it collected about you. And it’s just about impossible to conceal the rest of the online trail that could help prove you broke an anti-abortion law.
There’s the possibility that all of this data could be used to go after people getting illegal abortions in the future because it’s already being used to help in the investigation of many crimes. An internet search for abortion-inducing drugs was used as evidence to charge with murder a woman who gave birth to a stillborn baby (those charges were dropped). Google data obtained by police placed a man’s phone near the site of a murder; the man was arrested but was later released without charge. Several cases against alleged January 6 insurrectionists have been built on data obtained from companies like Google and Meta. Immigration and Customs Enforcement (ICE) buys location data to try to find entry points used by undocumented immigrants.
That doesn’t mean there’s nothing you can do. The internet as we know it didn’t exist pre-Roe, when abortion was illegal. It does now. Online privacy laws, on the other hand, largely don’t. But they could.
All the data you give away — and who can get it
For now, as long as they follow the appropriate legal channels, law enforcement agencies can obtain pretty much everything you do on your devices. For almost all of us, that’s a lot of data. You can try to lock down your own device, but if the data is also possessed by a third party like Google, that’s where the police will go to get the information they want.
This can include what’s known as reverse search warrants or keyword searches for devices that were in a certain location — say, a building in which police suspect illegal abortions are being performed — or for devices that searched for certain keywords, like “where can I get an abortion.” There’s a legal gray area here. Some judges have ruled that such searches are unconstitutional, but they’re still happening. In fact, the use of them has increased exponentially in the last several years.
“There’s a lot of opportunity for police to take advantage of the lack of clarity in the law,” Nathan Freed Wessler, deputy director of the ACLU’s speech, privacy, and technology project, said. “Which is why lawmakers can and should step in.”
But there’s no gray area when it comes to evidence law enforcement can get about you specifically if they have reason to believe you’ve committed a crime. To give a recent example: Many cases against alleged January 6 insurrectionists were built on data the FBI got from Google and social media. In some cases, this included the suspect’s movements to and from their homes as well as within the Capitol building. It also included the contents of their emails, web searches, websites visited, and YouTube videos watched. You might think the police having such a large data trail to follow is a good thing when it’s used against people whose actions you disagree with. You might not feel the same way if it’s used against people whose actions you support.
That means that in places where abortion is illegal — assuming such a thing does happen — there won’t be much a company like Google can do if police have a warrant for data that could be evidence of a crime. There’s also the possibility that people pretending to be the police could obtain data, too. As Bloomberg recently reported, it has happened before. That’s why privacy and civil rights advocates say the less data those companies are forced to give to law enforcement, the better. Laws that minimize the amount of data collected, that restrict what other parties can do with that data, and that allow consumers to delete their data would go a long way here.
There’s also the data that the police (and any other especially motivated private citizens) can buy. Data brokers, it turns out, make for a nice workaround to the Fourth Amendment. Law enforcement can simply buy data it would otherwise have to get a court order for, which it may then use to help in its investigations.
We have plenty of examples of this to draw from: The IRS, the FBI, the DEA, ICE, and even the military do this. This data can be as granular as the movements of an individual in the real world, and data brokers love to combine it with what that individual does online for an even more comprehensive and revealing profile. During the Trump administration, ICE didn’t just use cellphone location data to find a tunnel underneath an abandoned KFC that was used to smuggle drugs over the border; it also used it to find out where undocumented immigrants were crossing the border. It’s entirely possible that authorities could use this type of movement data to find out where illegal abortions are being performed.
It’s not just the government that can buy this data. Private businesses and people do it all the time. Vice recently purchased aggregated location data for a week’s worth of visits to 600 “family planning centers,” some of which offer abortions, for just $160 from a company called SafeGraph. (The government is one of SafeGraph’s customers, by the way.) After Vice published a story detailing how SafeGraph sold data about family planning centers, the company said it would stop, but it’s safe to assume there are other companies out there still doing similar things. We also have cases of advertising companies using geofencing, or targeting ads to devices within a certain location, to send anti-abortion ads to people inside women’s health clinics.
Data brokers will often say that their data is aggregated and anonymized, but we know there’s no guarantee that the data will stay aggregated and anonymous. Last summer, a priest was outed after a Catholic news outlet obtained location data sourced from Grindr. The Wall Street Journal recently reported that Grindr’s data was routinely shared with or sold to Grindr’s ad partners. These are very real, very bad examples of how location data can be obtained, re-identified, and used against someone if it falls into the wrong hands — perhaps those belonging to anti-abortion activists who believe any actions they take are righteous. They also highlight why we need to regulate this industry to prevent it from happening again.
If abortion laws can change, so can privacy laws
There are privacy bills out there that would slow or stop the flow of data that could be used against people. Perhaps the end of Roe v. Wade will be what gets these languishing bills over the finish line.
“There are a number of types of laws that could really make a difference,” Wessler said. “Some of them aimed at what law enforcement can get access to, and some aimed at what companies are allowed to collect and sell about us without our express permission and consent.”
The Fourth Amendment Is Not for Sale Act would close the loophole that allows law enforcement to buy information from data brokers that they’d otherwise have to get with a warrant. Sen. Wyden introduced the bill in April 2021, and it has bipartisan and bicameral support.
“Passing the Fourth Amendment Is Not For Sale Act would make it harder for Republican states to persecute women by buying up big databases of information without warrants and then hunt down anyone seeking an abortion,” Wyden told Recode.
But it doesn’t stop all this data from being out there to be purchased in the first place, and not just by the police. “Far more needs to be done to protect the rights of pregnant people. Every company that collects, stores, or sells personal data should be aware that they could soon be a tool for a radical far-right agenda that is trying to strip women of their fundamental privacy rights,” Wyden explained.
All this assumes that these companies care about who uses their data and how. It also suggests that they’ve implemented measures to minimize and control the flow of it. The fact is, they usually don’t have to do this, and they make more money if they don’t.
Consumer privacy laws would go a long way toward reducing what data is out there and available for anyone to access in the first place. Several bills like this have been introduced in Congress over the years, some with better protections than others. What they all have in common is that none of them went anywhere. Meanwhile, other countries and even some states have advanced stronger consumer privacy laws in recent years.
Privacy laws that require affirmative opt-in consent to collect data — especially sensitive data, like location, health data, and search histories — and give consumers control over whether that data is sold or shared would go a long way here. Opt-in consent is the difference between Apple’s App Tracking Transparency feature, which doesn’t give out certain types of data unless you tell it to, and Facebook, which just lets you opt out of being tracked after the fact, as long as you can find the option in your privacy settings.
Many privacy advocates also believe opt-in consent should be required before a company can share or sell that data to third parties. Data minimization rules, they say, would also help because these would only allow what an app needs to function to be collected. Customers should also have the right to delete their data upon request.
In lieu of a federal consumer privacy law, individual states have tried to pass their own. A few have recently passed industry-friendly laws that privacy advocates aren’t fond of. But then there’s California, which has the strongest privacy law in the country, or Illinois, which has a biometric privacy law, or Maine, which bans internet service providers from selling their customers’ data without the customers’ consent. New York state lawmakers have been trying to ban reverse search and keyword warrants for years.
A lack of digital privacy might have been a deal you were willing to make when you thought you knew the laws and assumed you’d never break them. But, as we may soon see, laws change. Unless privacy laws also change, by the time you realize you do have something to hide, it’ll be too late.