Possible Roe v. Wade repeal raises location data privacy red flags

The leaked Supreme Court document detailing an overturn of Roe v. Wade sent the U.S. in a tailspin, keenly focused on women’s health risks and reproductive rights. But the possible shift in abortion rights has privacy advocates, and congressional Democrats, sounding the alarm on healthcare privacy and security risks.

For healthcare organizations in particular, the possible upheaval undermines their ability to provide women with the care they need. But there are deeper issues at stake surrounding women’s privacy, particularly as multiple states seek not only to ban abortion, but to criminalize the practice.

In a letter to Google issued on May 24, a group of 40 Democrats, led by Sen. Ron Wyden of Oregon and Rep. Anna Eshoo of California, are urging Google to stop the collection and storage of location information.

Their concern is that the data could be targeted by “extremist prosecutors” who could use the information to identify people seeking to obtain abortions. Calling the removal of abortion rights “likely,” the members of Congress are particularly concerned with states like Texas and Oklahoma that have laws in place criminalizing the practice.

What overturning Roe v. Wade means for data

Republicans in Congress are already considering a bill to criminalize abortion in all states. If abortion is made illegal, the letter stressed that it will be “inevitable that right-wing prosecutors will obtain legal warrants to hunt down, prosecute and jail women for obtaining critical reproductive healthcare.”

As it stands, it’s Google’s policy to store historical location information on “hundreds of millions of smartphone users,” some of which is routinely shared with the government. The most detailed of this information comes from Androids, which collects and transmits location information to Google, regardless of the phone model or app usage.

For what it’s worth, Google was one of the first companies to insist on a warrant before disclosing this type of data to law enforcement. But Democratic lawmakers say “it’s not enough.”

Although Google requires users to opt-in to the practice, the design of the Google-sponsored Android OS only lets consumers “enable third-party apps to access location data” if Google is also allowed to do so. The data is only used for business purposes.

However, reports show “law enforcement officials routinely obtain court orders forcing Google to turn over its customers’ location information,” the group wrote. “This includes dragnet ‘geofence’ orders demanding data about everyone who was near a particular location at a given time.”

The letter includes Google-published data that shows 25% of law enforcement orders received by the vendor are “for these dragnet geofence orders.” In total, Google received 11,554 geofence warrants in 2020.

The group believes Google may be able to step in and protect those individuals seeking abortion care. As the group explained, “Google cannot allow its online advertising-focused digital infrastructure to be weaponized against women.”

“In a world in which abortion could be made illegal,” the practice of collecting and retaining extensive records of location data will allow it to be come a tool for conservative extremists “looking to crack down on people seeking reproductive healthcare,” according to the letter.

In a recent interview with SC Media, Lucia Savage, Omada Health’s chief privacy and regulatory officer, raised similar concerns.

“The bottom line is that law enforcement has always been very powerful, and that’s why we have things like the due process clause: to counterbalance the powers of the state in a criminal prosecution. And that always has existed,” said Savage.

“For example, when the Patriot Act was enacted after 9/11, it reached to health records, by statute, so that’s not a new thing,” said Savage. The new element here is that it’s criminalizing things that were previously allowed by law, and “that’s really the watch point.”

The concern here is that there will be a “new basis for law enforcement to come and access the health records that they didn’t have before,” she continued. “Then all the rules of criminal prosecution that fit into it. To get a subpoena, you have to have reasonable cause.”

But due to the rather obscure language, it raises a number of concerns around what is considered reasonable, or how “cause” is defined, as well as who is in control of the data and how much control?

Patient beware: past incidents offer hint of future

To Savage, the potential privacy impacts of the abortion situation mirrors the fight Apple had with the Department of Justice in the wake of a string of terrorist attacks California about five years ago.

Apple does not have control over the data on users’ phones when it’s encrypted. If an individual dies and no one knows how to decrypt the data or even unlock the phone, the device is rendered useless.

“That’s why who controls the security of the storage mechanism is so important,” said Savage.

These are elements that law enforcement will likely focus on, if the law is overturned.

Even before the abortion issue resurfaced, the security of health apps — especially women’s health apps, were already problematic. Year after year, reports consistently find these apps routinely share information with third-parties, not to mention the overall inconsistencies with API security. State regulators have settled with multiple women’s health app vendors in recent years.

Those issues dealt with violations of consumer protection laws, and vendors “lying to consumers about how much privacy they were going to afford the consumer,” Savage explained. Although there are some vendors that get privacy and security right, setting themselves apart from those developers who don’t.

With states like Texas offering bounties for tips on individuals who have sought or are seeking an abortion, could these issues become even more alarming for abortion patients? “Absolutely,” Savage said.

For any person wanting to track their reproductive health or use other apps, consumers should “100% be looking under the hood.”

“You need to find the tool that gives you the level of confidence in the privacy and security of the data that you want,” said Savage. Especially with this emerging issue, consumers must “be paying very close attention. From a security perspective, that’s absolutely true, and it’s always been true for people in marginalized groups.”

“People with HIV status … and for LGBTQ people, obviously, they’ll want and their families will want to be careful about how they use social media and what their digital footprint is that they leave behind,” she continued. “In this very fraught time, we’re passionate about civil discourse.”

In light of these tangible concerns, the Democratic lawmakers urged Google to reconsider its policy, especially as there is no law requiring the company to “collect and keep records of its customers’ every movement.”

In contrast, Apple has demonstrated the practice isn’t necessary.

Google’s “intentional choice” is only serving to further the digital divide, “in which privacy and security are made a luxury,” according to the letter from the lawmakers. “Americans who can afford an iPhone have greater privacy from government surveillance of their movements than the tens of millions Americans using Android devices.”

The only way the company can protect consumers’ data from “outrageous government surveillance” is to stop the practice,” the letter explains. The group urges the tech giant to “promptly reform its data collection and retention practices.”

Ideally, Google would no longer collect “unnecessary customer location data nor retain any non-aggregate location data about individual customers, whether in identifiable or anonymized form.”