In 2020, Privacy International published a report
documenting the surveillance and disinformation tactics anti-abortion groups use to limit people’s access to reproductive health care. Can you describe some of the findings?
Lazaro Cabrera: We found that a fair bit of users’ online interactions and personal information was being collected by these organizations through a range of different technologies. For instance, some anti-abortion groups targeted advertisments and information at people inside abortion clinics through the use of geofencing. This means that many pregnant people inside these facilities were likely being targeted with false information.
Lastly, we discovered that anti-abortion organizations were developing digital dossiers, or personal profiles of people who were connecting with crisis pregnancy centers. For instance, we wrote about a type of software called Next Level developed by Heartbeat International, a U.S.-based anti-abortion organization, which crisis pregnancy centers commonly use as data management software.
advocacy group the Alliance wrote
that the crisis pregnancy center industry “is now functioning as surveillance infrastructure for the anti-abortion movement, amassing data that could be used in pregnancy- and abortion-related prosecutions.” What are the risks of these centers?
Lazaro Cabrera: Crisis pregnancy centers are operations run by organizations whose primary aim is to dissuade people with an unplanned pregnancy from accessing abortion care. Many of these pregnancy centers will be ideologically entrenched, as many of them are affiliated with religious networks.
It can sometimes be hard to identify a crisis pregnancy center because they often don’t present as such, and they frequently use neutral language presumably to appeal to a wider range of people. They are dangerous because they often deliberately give the impression that they are clinical centers offering legitimate medical services and advice, but in reality this is often not the case. An investigation by Open Democracy
found that crisis pregnancy centers in some Latin American countries provided individuals with inaccurate medical advice.
There are two connected concerns here. The first is whether they’re giving out misleading or inaccurate medical advice. The second is whether or not they can be held accountable for it. Currently, they are treated as if they’re exempt from the regulatory oversight that health care facilities are typically subject to.
Now that some states have passed laws
that criminalize abortion and incentivize individuals to turn people in, this kind of data could be really dangerous. How can people protect themselves against this kind of surveillance?
Lazaro Cabrera: This is very concerning. These laws seek to encourage third-party disclosures by providing financial incentives to crisis pregnancy centers, or other similarly minded individuals, to disclose the data they already have. It would only take a moment for any of them to share that information with law enforcement.
As far as protecting oneself online goes, it’s tough because information can come from a range of sources. You can use a VPN [virtual private network] to make sure that you’re protecting your online activity including your browser history, you can choose to browse privately—that’s a simpler step to take—and you can disable cookies. You may also want to look back and identify the actors with whom you shared relevant information, whether online or offline. That involves tracing back your steps and reflecting on what, in hindsight, may be the most incriminating. What sort of data did you provide that clearly provides a link with, for instance, a potential abortion? And what can you do about that data?
In my personal opinion, evidence of browsing history on its own can rarely be used as conclusive evidence to prove an event or action occurred. However, considered cumulatively in light of other sources of information, it can potentially be damning. Privacy is a time-shifted risk: The information that we could be comfortable sharing one day could lead to trouble the next. This is one of the reasons why we advocate for privacy-preserving approaches: We cannot always anticipate what information may subsequently have life-altering implications. We should always be careful about how we share our personal data, and particularly sensitive data, which includes health data, like information about a potential pregnancy.
Angwin: People have said everyone should delete their digital health apps, especially pregnancy and fertility ones. Do you have concerns about these apps?
Lazaro Cabrera: If you use a period-tracking app, and you share what could be regarded in hindsight as incriminating data, then there is very little a company can do to refuse turning over that data when it is requested by law enforcement in legally permissible ways.
There have been stories
about data brokers who can tell by your location if you’ve visited an abortion clinic. How incriminating is that evidence, and do you recommend that someone turn their phone off if they are going to an abortion clinic?
Lazaro Cabrera: When it comes to the use of location data as evidence, the location would need to be tied to a particular person. However, even if the data doesn’t include a person’s name or any other identifier, it could be aggregated with additional data that could then be used to identify a person.
As for data protection tactics, if you turn off your device, then you’re making sure that you’re avoiding location data being collected. Otherwise, you need to take lots of small steps to make sure that location data isn’t shared, including managing the permissions that each of the apps have, not connecting to the local Wi-Fi (unless you have a VPN), and turning GPS off. So turning off your phone completely would be the quickest way to ensure nothing is shared.
The problem is that data brokers–those who sell and purchase location data, among others–remain an unknown unregulated ecosystem, which makes it very concerning. And that means that basically anyone can get the data, potentially even governments.
Angwin: Here in the U.S., we don’t even have a baseline privacy law. What do you recommend that would make this a better situation?
Lazaro Cabrera: We think the GDPR [General Data Protection Regulation] is a good blueprint for the world to follow. It’s not perfect, but it gives protection to health data regardless of the processing entity. HIPAA [the U.S. health privacy law] applies only to certain data processors instead of applying to all health data. So while there are no hard-and-fast guarantees against law enforcement access in GDPR, there are additional layers of safeguards that a processor has to overcome in order to process health data in any way, shape, or form. So the U.S. could offer better protections if sensitive data was put at the heart of the law rather than the type of entity holding the data.