A leak last week revealed that the Supreme Court plans to overturn the landmark Rowe vs. Wade answer. If that happens, so-called trigger laws that have already been passed in 13 states – along with other laws that are being drafted – will immediately ban abortions in much of the country. And one of the ways the courts can find people to prosecute is to use the data that our phones produce every day.
A smartphone can be a huge store of personal information. Most people wear one at all times, automatically registering their daily activities by searching the web, browsing, location data, payment history, phone records, chat apps, contact lists, and calendars. “Your phone knows more about you than you do. Your phone has data that can show how many times a day you go to the bathroom, things that are incredibly intimate, “said Evan Greer, director of the non-profit digital rights organization Fight for the Future. “If, because of these draconian laws, major activities such as seeking or providing reproductive health care are criminalized in a way that would allow law enforcement to obtain a valid order for your device, it could reveal incredibly sensitive information – not just about this person but about everyone they interact with. “
Even with deer intact, this type of digital fingerprint has already been used to prosecute those who want to terminate a pregnancy. In 2017, a woman in Mississippi suffered a pregnancy loss at home. Grand jury later accused her of second-degree murder, based in part on her online search history, which states that she searched for how to induce a miscarriage. (The charge against the woman was eventually dropped.)
Such information can be retrieved directly from the phone. But this legally requires a judge to issue an order. And that is why law enforcement officials need to show that they have a good reason to think that such a search is justified. This requirement can deter frivolous searches, but can also be avoided with relative ease. In particular, privacy activists warn that law enforcement agencies can circumvent the need for an order by receiving much of the same information from private companies. “A little-known treasure trove of information about Americans is kept by data brokers who sell their digital human files to anyone who pays their fees,” said Rihanna Pfefferkorn, a researcher at the Stanford Internet Observatory. “Law enforcement agencies have used data brokers to carry out a final check on the Fourth Amendment order requirement. They are just buying information that they would otherwise need an order for. “
They can also access this data by presenting a subpoena to a technology company, which is easier to obtain by order because it requires only “reasonable suspicion” of the need to search, Greer explains, not the higher band. of probable cause. “We also saw law enforcement in the last issue [subpoenas for] incredibly broad demands, “says Greer. “For example, ask the search engine to pass on the IP addresses of anyone who searches for a specific term, or ask a mobile phone company to pass on what is considered ‘geozone data’.” [which reveal] all mobile phones that have been in a certain area at a certain time. “
By receiving this data in bulk – whether by purchase or subpoena – an agency can strike at large numbers of people at once. A geozone and other location data can easily reveal who has visited a clinic that provides abortion care. Greer’s concerns are not just theoretical: DeputyThe online news publication Technology Motherboard recently reported two cases of location data brokers for sale or free sharing information on people who have visited abortion clinics, including where they traveled before and after those visits. Although both companies claimed to have stopped selling or sharing this information after the coverage of the news, other data brokers are free to continue this type of tracking.
Such information can be even more revealing when combined with health data. For this reason, some privacy advocates warn of period tracking applications, which many use to maintain their menstrual cycle and track their fertility. When the software “tracks your cycle and your cycle is regular, then your cycle is delayed, [the app] she can certainly identify a pregnancy before anyone is aware of it, ”said Daniel Grossman, a professor of obstetrics, gynecology and reproductive sciences at the University of California, San Francisco. In fact, government officials have already drawn up periods to determine a person’s pregnancy status. For example, in 2019, a Missouri official said that his office had created a spreadsheet for tracking patient periods who had visited the only state center for planned parenting. In this case, the government did not receive its information from an application, but the incident demonstrates the interest the authorities may have in such data.
Although policies vary depending on the application used, experts say that companies that produce menstrual programs usually do not have an obligation to keep this data confidential. “If it’s not part of the health care system, which I think most of them are [apps] they are not, I don’t think there will be any [privacy] requirement, ”says Grossman. Despite the fact that these data are for personal health, they are not protected by the Portability and Accountability of Health Insurance Act 1996 (HIPAA), which protects health information from sharing without patient consent. “Everyone needs to understand that HIPAA, the federal health privacy law, is not the huge magic shield that many people seem to believe it is,” warns Pfefferkorn. “HIPAA is actually quite limited in terms of which entities it applies to – and your period tracking application is not one of them. In addition, HIPAA has exceptions for law enforcement and litigation. So even if an entity (such as an abortion clinic) is covered by HIPAA, this law does not provide absolute protection against disclosing your reproductive health records to the police.
“This reveals that the business model of the entire technology industry to extract as much data as possible in the hope that it can be turned into profits has created this vast surface for an attack on surveillance and repression of fundamental human rights,” Greer said. . “And when we start thinking about how activities that are completely legal right now could be criminalized in the very near future, it reveals how even very seemingly secular or harmless data collection or storage can put people at risk. Lawmakers have introduced privacy laws such as The fourth amendment to the Act is not for sale, which would prevent law enforcement agencies from circumventing the need for an order by purchasing information from data brokers. But this has not passed into law.
Instead of relying on the government to protect confidentiality, some advocates suggest that it would be more effective to put direct pressure on companies. “I think our best bet for making a systemic change now is to call on the companies that collect this data to just stop collecting it and stop sharing it and make plans for what will happen when the government asked for it, ”said Eva Galperin, director of cybersecurity at the non-profit Electronic Frontier Foundation, which promotes digital rights.
Individuals can also take steps to maintain their privacy now, instead of waiting for action from the government or the technology industry. As a first line of protection, Greer recommends secure account locking: protecting phones and computers with strong passwords, using password managers for other programs, and enabling two-factor authentication. “These three steps will protect you from most attacks other than law enforcement,” Greer said. For those concerned about law enforcement, they have published organizations such as the Digital Defense Fund security guides how to further hide your information. Potential steps include using encrypted chat apps, privacy-oriented browsers such as Tor or Brave, and VPNs to check someone’s online communications and activity. In addition, disabling location tracking or leaving a phone at home while visiting a clinic can protect a person’s location.
Such measures may seem unnecessary now, but Galperin warns that without the protection of Rowe vs. Wade, the fear that our most personal information may be armed against us is justified. “I have spent more than a decade working with journalists and activists, people from vulnerable groups around the world and especially in authoritarian regimes,” she said. “And the most important lessons I’ve learned from this work are that when rights are restricted, it happens very quickly. And when that happens, you should already have all your privacy and security plans in place, because if you’re making these changes after your rights have been revoked, it’s too late.