The abortion clues that can hide on your phone

After the Supreme Court overturned citizens’ constitutional right to abortion in the US, there has been concern about data protection, particularly in the 13 states which have already moved to make ending a pregnancy illegal.

But what sort of data might incriminate someone, how could the authorities get hold of it, and what are the tech firms doing?

Gina Neff, professor of technology and society at University of Oxford, tweeted the day after the ruling: “Right now, and I mean this instant, delete every digital trace of any menstrual tracking.”

Her message has so far received more than 200,000 likes and been retweeted 54,000 times.

Period trackers are used to help women predict when their next period is likely to be, and are often used to either try to prevent pregnancy or to try to conceive.

There are fears that the apps could be used to punish those seeking a termination, if law enforcement got hold of the data.

Like a number of other high-profile apps, Natural Cycles, which is billed as a digital form of contraception, insisted last month that all the data it stored was “safe and will be protected”.

However, on Monday it told the BBC it is working on “creating a completely anonymous experience for users”.

“The goal is to make it so that no-one – not even Natural Cycles – can identify the user,” it said.

That sounds like it is considering encryption. Speaking of which, how about messaging services – that confidential exchange between two close friends that feels so private at the time?

The use of end-to-end encryption messaging services such as WhatsApp and Signal (Telegram is not by default encrypted, although it can be) to discuss sensitive issues is generally preferred by security experts and privacy campaigners.

The firms which run them cannot see the content of the messages themselves, and do not receive or store them – only the sender’s and recipient’s devices are able to decode them.

However, this is only useful if those devices are themselves not taken away or unlocked by anybody else.

Generally in the US, the police need a warrant to search an electronic device such as a phone or laptop, just as they would to search a house. Broadly speaking, the protection here comes under the Fourth and Fifth Amendments.

However, there are some exceptions. Digital rights group the Electronic Frontier Foundation says US police have a right to search without a warrant if they “have probable cause to believe there is incriminating evidence in the house, or on an electronic device that is under immediate threat of destruction”.

Under the Fifth Amendment, which is the individual’s right not to incriminate themselves, a person can refuse to unlock a device even if it is taken, but the reality is blurry, according to various lawyers.

“Courts have reached conflicting conclusions as to whether and when the compelled decryption of a password – or biometric identifier-protected device runs afoul of the Fifth Amendment,” wrote the Congressional Research Service in a report in 2020.

And if the device itself is not seized – a subpoena from the authorities to the tech firms, asking for an individual’s data, is a powerful tool.

Giants like Google and Apple not only run back-up and cloud services for their customers using their own storage, but also collect their own separate user data, including internet activity and location.

Google says that even after something has been deleted by a user and is therefore not visible to them – such as a browser history – some of it may still be retained “to comply with legal or regulatory requirements”.

If these firms receive an official demand, they can challenge it, but the pressure is on them to comply.

In 2021, the New York Times reported that in the first six months of 2020, Apple challenged only 4% of requests for customer account data. and generally complied with 80-85%.

According to Google’s transparency report, it supplied “some data” in 82% of cases requesting information in the first six months of 2021. Of almost 51,000 cases, 20,701 were subpoenas and 25,077 search warrants.

Is this the time for tech firms to reconsider their data practices?

Last month, a number of senior members of the US Congress, including Elizabeth Warren and Bernie Sanders, signed an open letter to Google asking it to collect and store less data about its users, including location information, out of concern that it could be used to bring about abortion prosecutions.

“No law requires Google to collect and keep records of its customers’ every movement,” they wrote.

So far, the tech firms have not commented on whether they plan to make any changes to the way in which they collect and manage customer data in light of the ruling.

The BBC has asked for this information.

What many large US firms – including Facebook owner, Meta, as well as Disney and Amazon – have said is that they will fund expenses for employees who have to travel to another state for medical care which is not available where they are, including abortion.

There is some concern that people who live in a state where abortion is banned but travel out of state to have one, may face prosecution when they return. It is unclear whether this could be the case, but it is not routinely applied to other laws which vary from state to state, such as gambling.

Dr Stephanie Hare, author of the book Technology is not Neutral, says that while the companies’ commitment is “a welcomed first step”, it’s not enough.

“That’s only going to help a very small amount of people, assuming some of them want to share this information with their employer in the first place,” she said.

“What we need to know is what these firms are going to do to limit data collection on all users, and how they can prevent user data from being used against them in their healthcare choices.”

The EFF has published a privacy guide which includes this advice:

As for researching abortion online, Prof Alan Woodward, from University of Surrey, believes it’s unlikely that law enforcement will speculatively begin to seek this sort of personal data.

“They’re not likely to be going after people who are thinking about having an abortion,” he said.

“But if they are gathering evidence after the event, if they have arrested someone – that evidence could then include browser history, emails and messages.”