INTRODUCTION
It’s been four months since the Supreme Court’s Dobbs ruling, and scholars have rapidly digested the far-reaching implications of the decision. Today’s In Conversation brings together three of them: Duke Unversity’s Jolynn Dellinger, the Electronic Frontier Foundation’s Eva Galperin, and Susanna Birdsong, a Planned Parenthood lawyer and Duke adjunct professor.
Since May’s ruling overturning Roe v Wade, journalists and analysts have taken a fresh look at the way technology can be used to monitor women’s reproductive choices, with disturbing findings. Shoshana Wodinsky and Kyle Barr at Gizmodo recently reported that 32 different data brokers in the U.S. actively sell profiles on millions of women labeled “actively pregnant” or “shopping for maternity products.” Meanwhile, data broker SafeGraph collected and sold cellphone-based location information on people who visited Planned Parenthood clinics until they were shamed into stopping by a Vice article. And Duke’s Justin Sherman recently profiled Massachusetts Attorney General Maura Healey’s 2017 action to prohibit an advertising company from using geofencing technology to target women who were inside abortion clinics with anti-abortion ads.
What additional risks do women face from data collection and other technologies in the post-Roe world? What can Congress or state lawmakers do to protect them? And what can women do to protect themselves? Let’s begin with Prof. Dellinger, who is teaching a class at Duke this semester on Reproductive Rights and Big Data.
From: Jolynn Dellinger
To: Bob, Susanna, and Eva
Dobbs affects our bodies, our minds, and our data. After Dobbs, decisions about whether and when to become a parent are taken out of our hands, and state laws that restrict access to abortion can force us to carry pregnancies to term, give birth, and have children, all of which carry substantial physical risks, including death. But the Dobbs aftermath is not limited to assaults on bodily integrity and autonomy. The criminalization of abortion and the provision of reproductive healthcare necessarily enables the investigation, surveillance and prosecution of women, providers, and individuals who help people obtain the health care they need. The data that we generate every day – using the internet, apps, and mobile devices – can be used as evidence against us in prosecutions of criminal laws and in civil suits brought pursuant to bounty hunter laws like Texas’s SB 8. Surveillance and the threat of prosecution, in turn, chill intimate, intellectual and associational privacy, and the consequences are legion.
As long as those laws are on the books, the Fourth Amendment is not going to be much help.
Prior to Dobbs, the self-regulatory, notice and consent system favored by the US had already enabled a data free-for-all — a commercial environment in which companies’ collection, use and disclosure of data is circumscribed only by the imagination of the least ethical digital innovator. Companies decide how they want to handle data – it is up to each of us to affect this ecosystem (and ostensibly to protect ourselves) by choosing not to use apps and sites that engage in irresponsible or harmful practices. If only we knew. If only we had the information, understanding and frankly, time, that would enable us to make informed decisions. But we don’t. And both convenience and shiny new gadgets are enticing.
When people think the stakes are as minor as getting that unwanted ad for a weight loss product, or an ad for Adidas when they prefer Nike, they tend not to get too riled up about commercial surveillance. When they begin to understand the proliferation of surveillance technologies, choice architecture, dark patterns, data mining and data brokerage, people tend to become a bit more concerned. Now that many of us are living in states where data brokers’ sale of health and location data (to law enforcement or other individuals) could land people in prison or subject them to a lawsuit for $10,000, people should be getting very serious about the gaping holes in our data protection regime and about the serious privacy harms that follow from the Supreme Court’s decision in Dobbs.
While women and people who can become pregnant can theoretically take a variety of steps to protect themselves – using Signal for messaging, ProtonMail for email, Duck DuckGo for search, and a VPN; disabling location permissions; avoiding loyalty cards and rewards programs; using cash for purchases; avoiding apps that collect health data; avoiding Crisis Pregnancy Centers; avoiding online purchases with credit cards; leaving phones at home during protests – self-management is not a realistic answer to the problem. The problem is systemic. We need a comprehensive federal privacy law. We need a federal law that prohibits the collection, inference, use, and sale of health and location data by data brokers. We need a federal law that prohibits law enforcement from accessing health data. And we certainly need laws that prevent law enforcement from buying access to the reams of data available on the open market that they would otherwise need a warrant to obtain.
But as states continue to criminalize abortion, of course, warrants will be obtainable, so the real solution is to prohibit states from criminalizing reproductive health and pregnancy outcomes. As long as those laws are on the books, the Fourth Amendment is not going to be much help.
As the Griswold Court explained in 1965 discussing a criminal law prohibiting the use of contraceptives,
“Such a law cannot stand in light of the familiar principle, so often applied by this Court, that a ‘governmental purpose to control or prevent activities constitutionally subject to state regulation may not be achieved by means which sweep unnecessarily broadly and thereby invade the area of protected freedoms.’ . . . Would we allow the police to search the sacred precincts of marital bedrooms for telltale signs of the use of contraceptives? The very idea is repulsive to the notions of privacy surrounding the marriage relationship.”
Criminalization of abortion sweeps unnecessarily broadly, invades multiple areas of freedom we should be protecting, allows the police to search far more than the sacred precincts of the marital bedroom, and is repulsive to any reasonable notion of privacy
.
FROM: Eva Galperin
To: Jolynn, Bob, Susanna
I’m just going to pick up a few of Jolynn’s points here and elaborate on them.
Jolynn rightly points out that there is an enormous quantity of data that is collected about us by companies every day and that this data is frequently made available to third parties including law enforcement officials. Because of the ways in which the data broker market works, with data being packaged and repackaged, sold and resold, it is not reasonable for any of us to expect the average person to fully understand their data footprint.
Often the digital security advice coming from the information security industry for this newly-vulnerable population borders on the absurd
This poses a real problem for abortion providers, people who are pregnant or who may become pregnant, and people providing abortion support services, who must now navigate a murky digital environment in addition to an ever-shifting legal landscape. Often the digital security advice coming from the information security industry for this newly-vulnerable population borders on the absurd: before you can drive to Planned Parenthood, you must first alter your car’s software to disable its ability to track your location. You should not have to turn yourself into Jason Bourne in order to provide abortion support or to avoid being prosecuted for the outcome of your pregnancy, intentional or otherwise.
Digital security advice for people dealing with the fallout from the Dobbs decision needs to stop its obsession with elaborate hypothetical scenarios and should instead focus on the kinds of evidence we are seeing brought to court in existing cases. Right now, people who are being prosecuted for their pregnancy outcomes are usually turned in by medical professionals or by family members—usually someone they trust. The evidence at trial usually includes SMS messages, emails, social media posts, and in the recent case in Nebraska, Facebook messenger. The best security advice right now is: be careful who you trust and only discuss your pregnancy using end-to-end encrypted messaging services with disappearing messages enabled. Right now, we are not seeing location-based dragnets for abortion-seekers, and I wouldn’t want to scare and confuse people by giving them advice that is meant to circumvent a threat that has not yet emerged.
Having said that, there are people who do need to look to the future right now: anyone who runs a company that collects data about peoples’ location or health, as well as anyone whose products include a messaging service that allows users to communicate with one another. It is time for companies to enable end-to-end encryption for all messages, so that when law enforcement comes with a warrant for the contents of a conversation, as they came to Meta in the Nebraska case, the company does not have it. Additionally, it is incumbent on companies to enable disappearing messages, so that sensitive conversations are automatically deleted from endpoint devices. Companies should also take this moment to rethink their data collection and data deletion practices: don’t collect what you don’t need and don’t keep it for any longer than you absolutely have to. And certainly this should be a time of reckoning for the companies whose business model depends on gathering data about users and selling it to brokers.
FROM: Susanna Birdsong
TO: Eva, Jolynn, and Bob
It goes without saying that Dobbs created a seismic shift in access to abortion care across the country, and as I type this I’m counting 17 states across the country with abortion bans currently in effect. For people of childbearing age, this is the first time in their lifetimes that there hasn’t been a constitutional backstop, a right to abortion–and suddenly in so many states across the country, abortion is banned outright or access is severely restricted. The access patchwork that results is confusing and incredibly challenging to navigate, and people are of course turning to online resources to help them figure out where to go, and how to get the reproductive health care they need..
When people’s personal data is tracked and stored, as it continuously is in the times in which we live, people’s location data, texts, search histories, emails and other communications could potentially be used in ways they never imagined. As Eva rightly points out, we are not seeing location-based dragnets for abortion seekers right now. Nor are there many laws on the books currently that explicitly criminalize the abortion seeker; rather, most penalties in existing abortion bans currently target abortion providers. But like so many other reproductive rights advocates, in addition to laws targeting providers I worry about the proliferation of laws that will also target the pregnant person seeking an abortion. Just as I worry about the future laws that will attempt to limit people traveling out of state to seek abortion care. To be clear – there are no laws like this yet. But bills have been introduced, they are on the priority list of anti-abortion organizations and advocates, and they are likely to pass in some states as legislatures come back into session next year..
Limiting someone’s ability to travel to seek health care isn’t how we understand the protections of federalism to work, and yet — how far will state lawmakers go, and how far will the courts allow them to go, to restrict bodily autonomy and access to abortion? I don’t think any of us can or should say we know for sure right now..
And so yes, the big data problem worries me a lot. I agree with the points made by both Eva and Jolynn about the need to pass comprehensive federal protections for data privacy that don’t exist now. In the meantime, states can go above and beyond the federal floor of course, in the abortion access and data sharing context specifically. California did just that last week, with a package of several bills to protect and expand access to abortion in the state. Two of the bills address patient privacy, prohibiting providers from releasing medical information in response to a subpoena or request from out-of-state, and prohibiting law enforcement and corporations from cooperating with out-of-state entities regarding lawful abortion in California. More of this please, from the states and Congress.
FROM: Jolynn Dellinger
TO: Eva, Susanna, and Bob
I agree 100% with Eva’s recommendations for companies regarding minimizing data collection, eradicating sale of health data to data brokers, enabling features like disappearing messages, and using encryption. Companies need to be stepping up to the challenges presented by this new landscape from a design perspective as well as a business practices perspective. (Companies should have been doing this all along frankly, but Dobbs has magnified the risks and implications of inadequate privacy protections.)
And I do think that the concerns raised so thoughtfully by Susanna are already here – and that risks and chilling effects arise from the laws that already exist. While the existing laws do tend to target abortion providers, rather than pregnant people, for prosecution, an historical perspective illustrates how the evidence necessary to prosecute providers inevitably originates with the women they treat. Professor Leslie Reagan, in her book When Abortion Was a Crime, comprehensively details the ways women were used to build cases against providers: through dying declarations elicited by medical professionals (often as a precondition to treatment of complications from an illegal abortion); through testimony at trial by women who had been tracked down using patient records obtained during raids of clinics; through examination of women’s bodies during coerced gynecological exams; and through interrogations of sexual partners, family members, and friends following coroner’s inquests featuring invasive questions about women’s intimate sexual histories and practices, among others. Our modern-day communications technologies that record our every interaction and thought shared with partners, friends and family, health records (increasingly designed and even required to be interoperable, sharing data across state lines), and exhaustive and granular browsing histories and digital purchase records can and will be used in prosecutions targeting providers. And some of the existing laws (both criminal and civil) also implicate anyone who aids and abets a person seeking or providing an abortion. Personal data about these individuals as well as the person seeking an abortion can be sought and used in these type of actions as well.
Finally, like Susanna I cannot imagine a world in which states intent on eliminating abortion do not eventually pass laws that target the pregnant person seeking an abortion. First, even during the Roe era, states have already found numerous ways to target pregnant women for prosecution for a variety of pregnancy outcomes. Michele Goodwin provides a plethora of examples in Policing the Womb. Second, I am not at all persuaded by Justice Kavanaugh’s apparent faith in the strength of the (unenumerated) right to travel. And third, the reality of medication abortion available by mail means that physically running abortion providers out of your state will not end abortion in your state. Penalizing self-managed abortion is undoubtedly on the to-do list for red state legislators – it is just a matter of how they accomplish it. One thing is sure – whatever route they select will entail surveillance and multi-faceted invasions of privacy.