Period-tracking apps, online search histories could be scrutinized in post-Roe world
Photo by Ketut Subiyanto via pexels.
Within days of the Supreme Court ruling overturning the landmark Roe v. Wade case, information about abortion spread rampantly online.
One area of ambiguity has been the use of femtech, or technology such as period-tracking mobile apps to support women’s health. People have raised concerns about what will happen regarding computer or phone search histories for reproductive care.
“There’s a lot of information floating out there,” said Bethany Corbin, senior counsel with Nixon Gwilt Law, in an interview with AHCJ. “The main concern is that period-tracking apps or other femtech apps will serve as a way for law enforcement to get access to sensitive reproductive health data and criminalize a woman for having an abortion or even a suspected abortion. It is a legitimate concern.”
Law enforcement can access data from apps in multiple ways, Corbin said. But if women start to delete apps, there may be a longer-term negative impact on women’s health, she said, adding that some apps partner with research institutions to use data to gain valuable insights into women’s health. Removing these apps could also could result in decreased access to care for some people, particularly those living in rural areas at or below the poverty line who otherwise may not have access to reproductive health care.
“I’ve advised my clients that it’s an individual choice,” she said. However, she doesn’t recommend abandoning femtech. “I think we need to be encouraging and pushing some tech apps to heighten their privacy and security protection and reinstill the trust with consumers.”
Period-tracking apps’ privacy is variable
Period-tracking apps do not fall under federal privacy protections like the Health Insurance Portability and Accountability Act of 1996 (HIPAA), noted in an article by the Rewire News Group. These apps can share any data they collect, provided they state this in their privacy disclosures. Law enforcement also can get access to data from data brokers downstream, the article notes. So can any private citizen who chooses to buy the data and use it to sue or turn in someone they suspect of having an abortion. Some apps allow users to store data on their phones rather than in the cloud, which could be safer, but won’t necessarily protect them in the face of a search warrant, Wired magazine reported.
A European app called Clue issued a statement assuring users its data was secure, Australian news source news.com.au reported. “As we are based in Berlin, as a European company, Clue is obliged under European law (the General Data Protection Regulation) to apply special protection to our users’ reproductive health data,” executives wrote. “We will not disclose it. We will stand up for our users.”
Flo app leaders announced they were adding a new “Anonymous Mode” feature, allowing users to remove their identity, including their name, email address and technical identifiers, according to a recent article in Mobihealthnews. This feature was already in development but was accelerated after the Supreme Court decision. “If Flo were to receive an official request to identify a user by name or email, Anonymous Mode would prevent us from being able to connect data to an individual, meaning we wouldn’t be able to satisfy the request,” the company said in a letter to users. They also said they would do everything in their power to protect the data and privacy of their users.
Corbin questioned how anonymous settings like this could work, noting that skilled tech professionals may be able to identify people based on other data characteristics or embedded locations. If someone has used the app for a while and then went anonymous, their data has already been shared.
A recent analysis by cybersecurity and virtual private network company Surfshark found that nearly half of 20 popular period-tracking apps used or shared data for third-party advertising. The review ranked each of these depending on the amount and sensitivity of the information collected, Mobihealthnews reported. The apps Eve, Glow and Ovia ranked highest in the amount of potentially sensitive data collected, including name, coarse location and device ID, the analysis found. Eight apps also collect users’ photo and video library data. Life and Apple’s Cycle Tracking apps collected the least amount of data, none of which is linked to users or used for third-party advertising.
Per the 2018 United States CLOUD Act, companies subject to U.S. jurisdiction are required to disclose data (such as user data) for legal purposes, regardless of where the company stores the data, the analysis said. “This means that officials can possibly get access to information such as ethnicity, menstrual cycle info, weight and even information about sexual activities.”
To delete or not delete?
Deleting tracking apps alone does not necessarily remove the information recorded, according to a Business Insider article. Users also must contact the companies and request that their already-recorded data be deleted.
People who find period-tracking apps useful shouldn’t feel they need to get rid of them because the risk of data being handed to law enforcement is low right now, tech policy researcher Eva Blum-Dumontet told Business Insider. But users should know the risks, she said: “It’s unlikely that those data will be shared, but not impossible.”
Meanwhile, members of Congress, including Sens. Mazie Hirono (D-Hawaii), and Ron Wyden (D-Oregon), and Rep. Sara Jacobs of California, on June 23 introduced the My Body, My Data Act — a federal law protecting personal reproductive health data by minimizing the information companies can collect and retain through these apps or other means. The bill would prevent organizations from disclosing or misusing information and create a new national standard to protect reproductive health data, enforced by the Federal Trade Commission, according to an article in Ms. magazine. It is supported by several advocacy organizations including Planned Parenthood. However, all data still can be subpoenaed by law enforcement.
Search histories may also be subject to scrutiny
A report released in May by a New York-based privacy group called Surveillance Technology Oversight Project (S.T.O.P.) described how anti-abortion governments and private entities already can use digital technologies to surveil women’s search histories, location data, messages and more using geofencing (a technology that uses location information from a smart device), keyword warrants (which provide access to terms used in online searches that may hint at criminal behavior), and more. They also could purchase data from commercial data brokers or leverage commercial databases that use machine learning to predictively identify pregnant women. With these techniques, police potentially could track anyone who travels out of state for abortion services and prosecute them upon their return, the Ms. article explained.
Police and prosecutors commonly seek search histories, location data and even text messages while investigating suspected crimes, according to an article in Grid. The risk now is that noncriminal behavior, such as searching for information on abortion services or enduring a miscarriage, could be criminalized. Interactions with digital devices leave a record. It is crucial to understand how these data are being used, the article said.
The Washington Post wrote an article on how to avoid a digital trail while seeking abortion services or other reproductive health care. Limit who you tell, it said, and use private messaging apps that use encryption. Use passcodes for your phones and tablets. Avoid health-tracking wearables. And turn off location sharing on your smartphones, or leave them home altogether. A similar article appeared previously in Wired magazine. The Electronic Frontier Foundation published a guideline for consumers and providers to avoid surveillance, as did the Department of Health and Human Services’ Office of Civil Rights, and the Digital Defense Fund.
On May 24, approximately 42 Democrat members of the House and Senate sent a letter to Google CEO Sundar Pichai demanding that the search engine stop unnecessarily collecting and retaining users’ location data out of concern that extremists could use the information to pursue those who have had abortions. Then on June 24, four congressional members asked the Federal Trade Commission to investigate Apple and Google for engaging in “unfair and deceptive practices by enabling the collection and sale of hundreds of millions of mobile phone users’ personal data.” A previous letter to the FTC, sent in May by 16 members of Congress, asked the agency to crack down on data brokers buying and selling location information that could reveal visits to clinics.
Clinic web schedulers may share data, too, and some health records could be investigated
Even online scheduling tools such as those used by Planned Parenthood could share people’s locations with big tech companies, the Washington Post reported. An investigation by an app that blocks online tracking found Planned Parenthood’s web scheduler could share information with third parties such as Google, Facebook, TikTok and Hotjar. The companies receive data, including IP addresses, approximate ZIP codes and service selections. Planned Parenthood told the Post it would suspend marketing pixels on webpages related to abortion searches and engage with Meta/Facebook and others about how to better protect people seeking abortion care.
And the HIPAA federal privacy rule contains exceptions that could allow prosecutors to compel businesses to relinquish information relevant to criminal investigations, including abortion records in states that ban the procedure, STAT reported. In response, clinics could say they want to see warrants or subpoenas before handing over the information.