One year after Roe vs Wade fell, where does reproductive data privacy in the US stand?
"The burden should not just be on users"
It was exactly one year ago today when the US Supreme Court signed off a dramatic decision to overturn the right to abortion protected by Roe vs Wade.
Now, 12 months later, millions of Americans are at risk of persecution to undergo or enable such a practice. About 14 states—including Texas, Alabama, and West Virginia—ban abortion altogether, with a few exceptions. Strict restrictions are also in place in states like Florida, Idaho, and Nebraska. Abortion is a legal option (up to 23 to 25 weeks) for women living in only 27 states.
The information women share online, especially their private reproductive data, are the primary source feeding abortion-based investigations. Plus, while individuals might be able to use VPN services and other tools to boost their privacy online, digital rights groups like the Centre of Democracy and Technology (CDT) are working hard to ensure the burden isn't left only on users.
The issue - the state of US abortion surveillance
"After the Dobbs decision finally came down, CDT quickly realized just how much tech issues were going to be at stake in the implementation of that decision and in the course of people's daily lives," said Alexandra Givens, President, and CEO at CDT.
People persecuted upon data collected online are nothing new. Yet, the climate enforced across many US states following last year's June 24 events brought the risks of government surveillance to a new level.
A couple of incidents linked to the reach of today's abortion surveillance practices have already made headlines. Less than two months after Roe vs Wade fell, police persecuted a woman in Nebraska for having helped their daughter seek an abortion by accessing their Facebook private communications.
This Spring in Texas, an ex-husband sued his wife's friends who helped her get abortion information and medication. Again, private text messages exchanged between them were used as evidence.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
In the past, doctors were the ones most likely to report illegal pregnancy termination practices. Now, a "push for deterrence and punishment is going to be a much more common method of enforcing these bans as opposed to the preventative side and person-to-person interactions," said Jake Laperruque, Deputy Director of CDT Security and Surveillance project.
The solution - what companies should do
"In the post-Dobbs era, companies must play a more active role in protecting their consumers and users' private information," said Andrew Crawford, Senior Counsel with the CDT's Data and Privacy.
To help businesses facing these new uncertain times around health privacy and prevent being dragged deeper into the political debate, Crawford put together the Data After Dobbs report with the best practices to follow.
His #1 recommendation is that companies should "not have that data in the first place," but this isn't always possible in today's digital landscape.
General practices include minimizing data collection and retention as much as possible, limiting sharing of people's sensitive information with third parties, and encrypting user data so that only customers can access this info.
It's important to understand that while the privacy of health data is protected by the Health Insurance Portability and Accountability Act (HIPAA), countless health-related products generate tons of data that aren't. These include fitness and period trackers.
🚺 Protecting Privacy: The Dark Side of Period Tracking Apps 🚺Period tracking apps collect personal data, raising privacy concerns. Recent legal changes make it crucial to prioritise privacy. Here is how to protect yourself when tracking your period. pic.twitter.com/bTfM6sHMqvJune 21, 2023
Yet, strictly health data aren't the only piece of information that could lead to a prison sentence. Things like location data, search queries, browsing and purchase history can be extremely sensitive when linked to abortion-related investigations. As we have seen, private communications are a crucial area to protect. Implementing strong encryption is key here.
Crawford also invites companies to more transparency around law enforcement requests, by both notify individuals when these occur whenever possible and publish periodical reports.
How to protect your reproductive data privacy
"As an advocacy organization, we believe strongly that the burden should not just be on users in today's day and age, it's actually impossible for users to carry the burden of protecting their own privacy," said Givens.
Yet, there are still things that people can do to get some agency back on their own health data. According to CDT, the first thing is choosing services that actually pledge to respect user privacy—especially when it comes to period tracking apps. This means ditching your Gmail account for a more secure option like ProtonMail or Tutanota, for example.
Making sure to share as little as possible online is also very important. Revise the privacy settings of devices and apps for making sure location data is only being collected and shared when necessary for a particular app function. Same goes for the apps' access to microphone and camera. When you go to a sensitive location—an abortion clinic or hospital, in this instance—even better leaving the phone at home.
People should also use only encrypted messaging apps to exchange sensitive communications. Services like Signal and WhatsApp are now offering ephemeral or disappearing messages for extra security in case officers manage to break the encryption.
Considering that browsing data is a relevant source of sensitive reproductive information, we also recommend using secure browsers like Tor or Mullvad browser when carrying on highly sensitive search queries. Using Incognito mode isn't enough, in fact, to be truly private.
A virtual private network (VPN) is a good tool to secure everyday browsing, too, as it spoofs user IP addresses while encrypting internet connections. Even better is choosing a no-logs VPN to be extra sure that no personal data is ever stored.
CDT experts suggest heading to the advocacy group Digital Defense Fund's website for further tips on how to secure health data.
What comes next?
Protecting citizens' sensitive reproductive data is only one side of the story. A significant chunk of CDT's work includes, in fact, closely monitoring proposed legislation like the Texas social media law that could limit access to abortion-related information, among other things.
Also ensuring that privacy doxxing practices—meaning the act of redirecting on crisis pregnancy centers sites instead to reproductive services, for example—aren't implemented is an important area of focus for CDT after Dobbs.
For not talking about social media content moderation practices. Social media providers have inevitably been caught in this political debate, receiving strong pressure to censor content from states where abortion bans are now in place.
Unlike many other countries worldwide, the US is still worryingly lacking a comprehensive privacy law on a federal level like, for example, the GDPR in the EU and UK. A proposed bill, the American Data Privacy and Protection Act (ADDPA), was introduced to Congress last year, but it appears not many developments have been made so far.
On this point, Givens said: "The reproductive privacy is just an even clearer, more specific example of the downstream dangers of this type of widespread data collection and inferences that can be made about people's health and healthcare choices. The push for federal privacy legislation continues and is an active debate right now."
In the meantime, single states are stepping in with so-called shield laws. These are directions to prevent companies from sharing user data and communications with law enforcement for abortion investigations carried out in other states. They also refer to rules to expand access to medication abortion for patients who live where such a practice is now outlawed.
At the time of writing, the states of California, Washington, and New York have all such legislation in place. "We think these shield laws could provide a significant impact in stopping those kinds of investigations or at least stopping that type of [abortion] surveillance from being part of those investigations," said Laperruque from CDT's Security and Surveillance project.
Last February, 30 Democratic senators, and representatives signed a letter to call the White House to prevent federal aid (meaning the additional tools and skills to surveil citizens) from supporting state law enforcement bodies with abortion-based investigations. The Biden administration has kept silent on this point so far.
What's certain is that the country is now divided on the matter, with many states from both sides of the political spectrum voting against further abortion bans.
Chiara is a multimedia journalist committed to covering stories to help promote the rights and denounce the abuses of the digital side of life—wherever cybersecurity, markets and politics tangle up. She mainly writes news, interviews and analysis on data privacy, online censorship, digital rights, cybercrime, and security software, with a special focus on VPNs, for TechRadar Pro, TechRadar and Tom’s Guide. Got a story, tip-off or something tech-interesting to say? Reach out to chiara.castro@futurenet.com