In post-Roe US, experts share how to keep your data private

In post-Roe US, experts share how to keep your data private

In the weeks since the Supreme Court of the United States removed a nationwide right to choose to have an abortion, millions of Americans have been forced to relearn what is and isn’t safe to do online, as their actions, words, and choices—many of which are tracked digitally—could potentially be used as evidence of wrongdoing in the future.

Complicating the matter is that, immediately after the Court released its decision on June 24, cybersecurity experts and novices alike flooded social media with a brand-new set of rules for those seeking and supporting abortions: Delete your period-tracking app, use a “burner” phone when attending a protest, change how you search for abortion providers, download a new secure messenger app, maybe download entirely new online tools altogether.

Pretty much, change your life.

But according to Cooper Quintin, senior staff technologist with Electronic Frontier Foundation, some of the more common pieces of advice that were first spread online, while well-intentioned, are not entirely practical or useful.

“The advice to delete your period-tracking app or use a burner phone, I think just completely misses the mark,” Quintin said on the latest episode of the Lock and Code podcast from Malwarebytes. “It’s somehow both an oversimplification and an over-complication, and [it] completely fails to understand the threats that people seeking abortions are actually facing.”

On Lock and Code last week, we discussed those exact threats with Quintin and his colleague, staff attorney Saira Hussain. The full discussion, which can be heard below, reveals how the Supreme Court’s most recent decision could impact data privacy practices for millions of people in the United States.

Underpinning much of this potential shift in data privacy is, of course, the new, legal uncertainty sweeping across the country.  

Myriad, statewide legislative efforts to ban abortion outright or to place new restrictions around it have moved forward, with neighboring states sometimes implementing different rules just miles apart. In Alabama, South Dakota, Arkansas, and Missouri, abortion is now banned with no exceptions for rape or incest, and in North Dakota, Tennessee, and Wyoming, similarly broad abortion bans are expected this summer. But in Louisiana, Kentucky, and Utah, wide-ranging abortion bans been challenged in court, with judges in each state placing temporary holds on those laws before they may go into effect.

How these laws will overlap, or how individual states will enforce their own laws across state lines—if at all—is unknown, Hussain said.

“This is what legal experts and reproductive rights experts have been warning about for years—that our system is not equipped to handle issues like this,” Hussain said on the podcast, explaining that the federal right to choose to have an abortion at least provided somewhat a bulwark against decades of state interventions to restrict and limit access to abortions. “Now, all of that has been undone, and the entire question of whether somebody can seek an abortion or somebody can help provide abortion services has been left entirely to the states.”

Succinctly, Hussain warned: “It’s essentially legal chaos.”

With few answers on what will and won’t be explicitly illegal, both Hussain and Quintin shared the following, key pieces of advice on Lock and Code for those who are worried about how to secure their reproductive choices:

  • Above all else, limit any sensitive information that you share with others and that you store on your own devices.
  • Practice extra caution on social media and don’t post about seeking or providing abortion services.
  • Use a privacy-preserving search engine that won’t record your history when looking up abortion services.
  • Use a secure messenger app with disappearing messages when discussing abortion with friends or family.
  • Read the resources on abortion and reproductive health privacy provided by Digital Defense Fund and Electronic Frontier Foundation.

The next year in America could include not only a test of legal theories, but of data privacy, as law enforcement agencies will potentially rely on forms of data that are everywhere around them but that, at least until now, have not been used at an immense scale to prove whether or not someone obtained or performed an abortion.

For Hussain, the lack of clarity is worrying.

“We don’t know what the landscape will look like in this post-Roe world, but as a privacy attorney, I’m deeply concerned about the surveillance tools that law enforcement will use to investigate alleged abortions.”

It’s about more than period-tracking apps

The weekend after the Supreme Court issued its decision in Dobbs v. Jackson Women’s Health Organization, users of period-tracking apps scrambled to either delete their data or find a way to lock it down. The companies that make period-tracking apps themselves also responded to the new landscape, with at least one company promising to provide an anonymous mode for users so that any legal requests for user data could not meaningfully be fulfilled.

On Lock and Code, Quintin said that, while the supposed catch-all advice for users to delete period-tracking apps lacks some nuance, the concern around these apps makes sense.

“The reason that people are worried about period-tracking apps, in specific, is that these apps are collecting a ton of data about you, which, could potentially be used to prove that you were at some point pregnant, and then, at some point, stopped being pregnant, without actually having a child,” Quintin said.

But, Quintin added, “period-tracking apps aren’t the only apps that are problematic.”

“The fact is that the majority of apps are harvesting data about you. Location data, data that you put into the apps, personal data. And that data is being fed to data brokers, to people who sell location data, to advertisers, to analytics companies, and we’re building these giant warehouses of data that could eventually be trawled through by law enforcement for dragnet searches.”

In recent years, this data has been used to not only reveal pregnancies and advertise around them, but to also target those who potentially considered receiving an abortion.

In 2012, the New York Times reported that a teenager’s pregnancy had been revealed to her father because of her shopping habits at Target. By analyzing the teenager’s recently purchased items, Target determined that she was likely pregnant and then, as a follow up, sent coupons to her home for things like cribs and baby clothes.

In 2015, the evangelical adoption agency Bethany Christian Services, which opposes abortion, found a way to send anti-abortion ads to the phones of women who physically visited Planned Parenthood locations.

In 2016, after a woman diligently tracked her pregnancy in a pregnancy-tracking app, she miscarried. But along the way, the app she used had been sharing her data with marketing groups. But her miscarriage, which she also reported, was not shared with those same groups, and so, weeks before what would have been her due date, she received a package of baby formula in the mail, under a likely assumption that all pregnancies end the same way, with a baby.

Though the stories could alarm people, Quintin and Hussain stressed that this type of algorithmic data matching is far from the norm for how most abortions are revealed. Instead of any behind-the-scenes technology, Hussain said that when law enforcement have investigated an allegedly illegal abortion, they have first been tipped off by an informant.

Quintin added:

“If you talk to the people on the front lines of the abortion fight, they’ll tell you that the way people are being prosecuted right now is first and foremost through informants. Friends, family, spouses, medical professionals—who disagree with their decision—deciding to notify law enforcement.”

Once an informant has shared information with law enforcement, then, Quintin said, will “secondary evidence come into play.” That includes things like Google search history, posts and direct messages on social media, text messages, and emails.

“Those pieces of information are what’s being used to build a case and convict somebody, typically after they’ve already been informed on,” Quintin said.

To limit that information, our guests offered several recommendations.

Limit your circle of trust

Both Hussain and Quintin emphasized that one of the most important things that people can do right now to secure their reproductive choices is to limit their circle of trust. That means that people should be careful with any online and digital interactions that could reveal whether or not they plan to get an abortion.

In practice, Quintin said that means not posting about getting an abortion or providing abortion services on social media. That also means not talking about the same topics over text messages.

But the information shared with other people isn’t the only type of information that should be locked down, said Quintin. People concerned with their digital privacy should also find ways to limit the data they have on their own devices that could be used as evidence by law enforcement.

For starters, people can look up abortion services using a search engine that does not record their search history, Quintin said, naming the service DuckDuckGo.

Second, people can also download a secure messenger app with disappearing messages, so that even if people are discussing abortion options with one another, the messages themselves will disappear. Here, Quintin named the end-to-end encrypted app Signal.

Quintin stressed that these are not necessarily easy changes to make, as many are based on changing a person’s behavior as much as they are about adopting new technologies. In a society that has trained the public to broadcast so many parts of their day-to-day lives, choosing silence can be unfamiliar, Quintin said, and that includes the many individuals who are merely trying to show support on social media even if they are not personally considering an abortion.

“I think part of the reason people are doing this, and part of what’s so hard right now, is that ever since social media has become ubiquitous in our culture, we’ve been incentivized into sort of shout about everything we do,” Quintin said. “The culture has shifted to be one of always saying what you’re doing.”

But Quintin stressed the importance of this moment to change habits and to opt for saying less online. Not only could these posts get people in trouble, Quintin said, but they could also make it harder for people to find help from the organizations that are already doing this work and have been doing it, quietly, for years.

“I think that shouting that you have a whisper network is not the way to go about this,” Quintin said.

ABOUT THE AUTHOR

David Ruiz

Pro-privacy, pro-security editor. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.