New digital tools, laws protect data privacy of abortion seekers

By N’dea Yancey-Bragg, originally published July 19, 2024, USA TODAY/Nation

Advocates warn messages, search history, location data and even period trackers can be too easily accessed by police, anti-abortion groups and others.

New ‘Vagina Privacy Network’ aims to keep data safe

Two years after the Supreme Court overturned Roe v. Wade, reproductive rights and data privacy advocates teamed up to launch a new kind of VPN: The Vagina Privacy Network.

The campaign offers a how-to guide on protecting digital privacy for people worried their data could be used against them after they’ve had an abortion, particularly those in one of the 14 states that ban the procedure. The seven tips range from using encrypted messaging apps to communicating on burner phones, which campaign creator MSI Reproductive Choices has been handing out at reproductive rights marches nationwide, according to Whitney Chinogwenya, the organization’s global marketing manager.

“Confidentiality is quite a big part of searching for information on health, so we really want to protect that,” Chinogwenya said.

The Vagina Privacy Network is just one new tool launched to help people proactively reduce their digital footprint as the legal landscape around abortion and data privacy continues to shift.

The Electronic Frontier Foundation offers a guide on how digital surveillance works and how to protect yourself called Surveillance Self Defense. The Digital Defense Fund has a guide to help people seeking abortions protect their privacy by browsing safely without tracking, private messaging and securing devices with strong passwords.

Advocates say instant messages, search histories, location data and even period trackers can be too easily accessed by not only police, but also anti-abortion groups, friends or family. Authorities have used digital footprints to investigate abortion-related cases long before the Dobbs decision, including in Indiana, where a woman was convicted of feticide in 2015 using evidence including private text messages and emails.

“There’s people who have been targeted and whose information has been posted online and whose travel routes to and from home and commutes are also posted,” said Cynthia Conti-Cook, director of research and policy at the Surveillance Resistance Lab. “There’s a lot of potential use of access to digital information in interpersonal violence, and so the threats can come from within one’s family, the threats can come from within one’s community if someone disagrees with you.”

How data can be used against abortion seekers

Ahead of the high court’s decision in Dobbs v. Jackson Women’s Health, one piece of advice went viral: delete your period tracking apps. But Eva Galperin,  director of cybersecurity at the Electronic Frontier Foundation, said deleting those kinds of apps alone provides a false sense of security.

“It’s bad advice because, simply, this is not the data that is being used in these prosecutions right now,” said Galperin.

Galperin said that communications on platforms like Facebook messenger, inquiries on search engines like Google and location data collected by all kinds of apps are among the digital evidence she is most immediately concerned about.

In 2023, a Nebraska woman was sentenced to two years in prison after pleading guilty to ordering abortion pills online for her teenage daughter and helping to dispose of the fetus, the Associated Press reported. Norfolk police used a search warrant to gain access to Facebook messages between the pair, which allowed investigators to charge Jessica Burgess with illegally providing an abortion after 20 weeks, the outlet reported.

Facebook parent company Meta said in a blog post about the case that the warrants did not mention abortion and were accompanied by non-disclosure orders that have since been lifted.

Conti-Cook, who authored a 2020 paper on the digital evidence used in abortion prosecutions, found targets of abortion-related prosecutions are often people who “are already very much in the crosshairs of police and prosecutors,” like those who are on parole, probation or are being monitored for immigration proceedings.

“It’s being used against people who are already targeted and criminalized,” she said. “So people who are already either belonging to criminalized community who are relying on criminalized economies.”

While law enforcement has the most sophisticated tools for extracting and interpreting our personal data, Conti-Cook said this kind of information can also be accessed by other third parties, noting that reproductive health care providers have increasingly been the target of online harassment and doxxing.

Last year, a Texas man used text messages to file a wrongful death lawsuit against three women he claims helped his ex-wife terminate a pregnancy. In February, an investigation by a U.S. senator and the Wall Street Journal found an anti-abortion group used location data to target women who visited 600 Planned Parenthood locations with anti-abortion advertisements on social media.

“There’s a great deal of threats coming from multiple directions,” Conti-Cook said.

“It is important to to know and to tell your friends that you do have the right to refuse a search,” Conti-Cook said. “You do have the right to refuse consenting to searches of your person, of your belongings, of your car, of your house and of your phone.”

What tech companies can do to keep abortion seekers’ data private

The Electronic Frontier Foundation published a guide on steps companies can take to make sure they aren’t collecting sensitive data about people seeking abortions “so that they don’t have it when the government comes looking for it,” Galperin said. She said some companies have taken steps to increase privacy protections, but with mixed results. A 2023 Washington Post investigation found Google was not consistently deleting location data of people who visited “particularly personal” places, including abortion clinics as the company had promised to do.

The company disputed these claims and said they are following through on their pledge to delete this data. In December, Google announced it would store location data on a user’s device and encrypt location data backed up to the cloud, meaning they won’t be able to respond to geographical fence or geofence warrants from law enforcement once the update is rolled out, the company said. Geofence warrants allow police to drop a virtual dragnet over crime scenes and locate people’s phones within about 10 feet of accuracy.

That same month, Meta began rolling out end-to-end encryption for Messenger, which keeps data entirely private between sender and recipient. Both Meta and Google comply with the majority of government requests for user data, according to their own reports.

“Meta responds to government requests for data in accordance with applicable law and our terms of service,” the company says on its transparency website. “Each and every request we receive is carefully reviewed for legal sufficiency and we may reject or require greater specificity on requests that appear overly broad or vague.”

Conti-Cook said there’s more tech giants like these can do to push back on broad requests from law enforcement. When asked how period and ovulation tracking app Clue would handle a request for user data from U.S. law enforcement, CEO Audrey Tsang told USA TODAY simply “we would not give it up.”

“We never want our users’ data to be used against them,” she said.

Tsang said that because the company is based in Germany, they are required to follow data privacy laws set by the European Union, which she called “some of the strictest in the world.” Given that high standard, Tsang the company did not make any changes in how they handle the sensitive data of their more than 10 million users worldwide following the overturning of Roe v. Wade.

“I think people everywhere reacted to the fear that perhaps their data could be used against them in some form of reproductive surveillance,” she said. “I think that that fear is very understandable. I empathize quite a bit with that. But we’ve always been very careful with that.”

State lawmakers step up efforts to protect data privacy for abortion-seekers

Meanwhile, several states including Washington, Nevada, Connecticut, New York, Vermont, Massachusetts, New Jersey and California have recently passed or introduced legislation designed to protect sensitive health information, according to Amie Stepanovich, vice president for U.S. policy at The Future of Privacy Forum. In Illinois, a new law went into effect in January that bans providing government license plate reading data to law enforcement in states with abortion bans, the Associated Press reported.

As states like Idaho and Alabama seek to criminalize helping residents travel out of state to obtain an abortions, Stepanovich noted a federal rule related to the Health Insurance Portability and Accountability Act, also known as HIPAA, was recently updated to prevent healthcare providers from disclosing sensitive information to conduct a criminal, civil, or administrative investigation targeting someone seeking reproductive health care in a state where it remains legal.

After hearing concerns about period tracking apps from constituents, Washington state Rep. Vandana Slatter said she began investigating the issue and learned that HIPAA doesn’t apply to all apps and websites. After meeting with dozens of stakeholders, Slatter introduced the My Health, My Data Act, which went into full effect last month.

“What the bill is doing is it ensures, first of all, that deeply personal information about our private health care decisions can’t be collected or shared without your consent, and protects the data from being sold to third parties,” Slatter said.

The bill also prevents companies from using geofencing to track when people visit places like doctor’s offices or hospitals and using that data to serve them advertisements or collect data on their health, Slatter said. Given the popularity of medication abortion, she said these protections may need to be expanded to other vulnerable locations like pharmacies and clinics.

Slatter said she’s been contacted by several other lawmakers wanting to enact similar legislation, and she hopes to see more federal protections for reproductive health data. Stepanovich noted that Congress recently canceled a hearing on a piece of privacy legislation called the American Privacy Rights Act.

“I think ultimately, if we’re looking at the need to protect individuals across the country and make sure that we have privacy protections available to everybody, that we might need to see federal government action on this,” Stepanovich said. “And I don’t know if we’re in a place where that’s going to happen imminently.”

N’dea Yancey-Bragg is a National Correspondent and breaking news reporter who previously wrote for USA TODAY’s Daily Briefing and This is America newsletters