Concerns over Digital Surveillance Surge in the Wake of Overturning Roe v. Wade

By CHHS Extern Quinn Conlan 


Since the landmark decision Dobbs v. Jackson Women’s Health Organization was released on June 24, 2022, everyone from Congress to the FTC to the White House has been talking about data privacy and digital surveillance. Reproductive health and wellness apps track a person’s menstrual cycle and ovulation windows and predict upcoming cycles. With no constitutional right to an abortion, can the data in these apps be used to prosecute a person for seeking an abortion?

Certain sensitive information is protected by law, such as private health information, which is protected by HIPAA. HIPAA, however, only protects health information that is held by a party subject to the law, including healthcare providers, insurance companies, and research labs. In the broader marketplace, health information is protected only to the extent agreed between the user and the data-gathering entity. For example, the only protection available to an app user is the app developer’s privacy policy and nothing more. (And as we’ve seen before, privacy policies can be abused by corporations, including reproductive health apps, or compromised by a cyberattack.)

With no legal protection for information given to a non-health care provider app (such as a period tracking app), the data collected by the app can be sold, transferred, or subpoenaed, per the privacy policy of that app’s developer or parent company. This collected data can range from what you enter voluntarily (such as the date of your last period) to information you did not willingly supply (such as your location). Legal redress for an app developer surrendering your wellness data to law enforcement is minimal or very unlikely because your health data in the app is not protected by HIPAA, and sometimes even protected health information can be subpoenaed under the right conditions.

The current landscape of protections for health data ultimately leads to the conclusion that the best way to protect your reproductive health data is to not digitize it. Free-to-use apps make their profit off of user data; consequently, that data is their most valuable asset. Beyond digital-free tracking with pen and paper, each user must assess the risk of using a period tracking app for themselves.

Some companies have introduced an “Anonymous Mode” in which the person who input the data cannot be identified by the company. Therefore, if the company is subpoenaed, it is unable to truthfully tie the data to any individual. (Though anonymized data is not as anonymous as you think.)

Other companies are relying on their jurisdiction to protect their users’ data. EU-based companies are subject to EU privacy laws, even for their US users, but this does not mean that a US subpoena would be unable to reach that app’s collected data. EU companies are subject to treaty agreements and may have to comply with US criminal investigations. Further, if the EU company uses a US-based processor, then that processor will have to comply with a criminal investigation. (See, for example, Section 6.1 of this privacy policy, which states this to be the case for an EU-based company.)

Beyond the data stored within the apps themselves, there are many other ways your privacy is at risk digitally. One example is “geofencing”, where police can identify all cellphones in a given area at a given time. This poses a serious threat to people seeking an abortion because they can be geographically tracked to a clinic, health care provider, or other pro-abortion site even when they are not physically seen entering or leaving the facility. Other data, such as search engine history or unencrypted text messages (like your phone’s SMS messaging), could also put a person at risk of prosecution for seeking an abortion or even, in some States, for helping someone find safe medical resources for an abortion.

One immediate legislative solution to protect users’ data would be for Congress to pass a law that protects app users’ health and wellness data from investigation. In June, the My Body, My Data Act was introduced in Congress by Rep. Sara Jacobs of California. The bill tasks the FTC with enforcing privacy protections for reproductive and sexual health apps. Another bill introduced in June by Sen. Elizabeth Warren of Massachusetts, the Health and Location Data Protection Act, would ban the sale or transfer of health data with some limited exceptions. Until these introduced bills become law, however, health and wellness data in apps continues to be at risk of sale, transfer, or subpoena.

Surveillance concerns in the US have only intensified since Edward Snowden’s infamous leak of NSA activity in 2013, and the overturning of Roe v. Wade by the Supreme Court will be seen as yet another evolution in Americans’ fight for privacy. Privacy has continued to erode as more and more Americans’ data is collected digitally, sometimes for no planned purpose. While this decision raises health and wellness data privacy concerns specifically, it should also act as a warning to Americans that data privacy and protection in general are paramount to upholding liberty.