Navigating Data Privacy in a Post-Roe World | Media Pyro

End Roe v. Wade — a woman’s constitutional right to an abortion — has prompted some digital privacy experts, including Stanford’s Rhianna Pfefferkorn, to ask what could happen to women seeking reproductive health care in a world where their online behavior can be used against them.

Riana Pfefferkorn (Image courtesy of Riana Pfefferkorn)

With little regulation of how websites and apps can collect data about their users, coupled with a legal system that allows authorities to access that information (sometimes even without a warrant), the end of Roe illustrates how seemingly mundane digital tools people use every day can become sinister, said Pfefferkorn, a research fellow at Stanford’s Internet Observatory, an interdisciplinary program that studies Internet abuse and proposes policy and technical solutions.

Here, Pfefferkorn talks about the importance of digital privacy and why the federal government should do more to protect it, especially now thatRoe v. Wade world.

In the post-Roe v. Wade world, why is data privacy an important issue right now?

In the United States, we do not have a comprehensive legal framework at the federal level to protect the privacy of people’s data. Lawmakers are scrambling to catch up after years of light regulation of how our digital data can be collected, stored, used and disclosed by private entities.

This makes data privacy important after Roe for two reasons. First, with due process of law, law enforcement agencies can go to and request private organizations that hold digital data about us. For example, with a warrant, the police can obtain your email, web browser history, or search history. And sometimes they don’t need a lawsuit at all – law enforcement agencies can buy data about people from data brokers, just like any other client, bypassing the need for a warrant. Second, organizations hostile to abortion rights may collect information about abortion seekers and then use it for purposes that are not in that person’s best interests. For example, crisis pregnancy centers trick people seeking abortion information into visiting their websites and providing information about themselves, and they are advanced users of online tracking and advertising technologies.

For these reasons, we see tech companies and pro-choice lawmakers scrambling to figure out how to protect people’s online privacy when it comes to abortion.

Some people may argue that they have nothing to hide or fear from digital surveillance. What would you say to get people to care about the issues at stake?

Privacy is available to everyone because everyone has something to hide. You may not have to hide it today, but you may have to hide it next year. The end of Roe is a stark illustration of how once innocuous digital surveillance can turn sinister as the political winds shift. What was a constitutional right for half a century has simply become a crime in much of the country. Protecting our digital privacy today is a way to try to “protect” against what might happen tomorrow.

Even outside the context of criminalization, we all have aspects of our lives that just don’t concern anyone. They’re not illegal, they’re not bad or wrong, they’re just private. We deserve protection for these things too. People need privacy to be fully human. We need privacy for our thoughts, for our conversations, for our intimate relationships. It shouldn’t be so difficult to protect our privacy, thoughts and needs from being used by someone else, whether for commercial purposes, for law enforcement purposes, or for malicious or illegal purposes.

We need real laws to protect our digital privacy, instead of expecting 330 million Americans to do it themselves, do it perfectly, and do it against all the parts of the online data collection ecosystem they may not even know exist.

What do you think about President Biden’s recent executive order to protect the privacy of patient data and information?

An executive order (EO) is a good start, although it necessarily leaves the details to others. EO inherently recognizes how difficult it will be for Congress to pass anything, whether it’s abortion-related legislation such as the codification of Roe, or online and/or offline privacy legislation more generally.

EO also respects the subject matter expertise of federal agencies, encouraging them to think creatively (as I’m sure they already have) about how to use their regulatory authority. The EO identifies agencies that are most important to the fight to preserve abortion access and reproductive privacy at the federal level, such as the Department of Health and Human Services and the Federal Trade Commission, as well as agencies that will be critical to helping certain groups population – such as military personnel and their families who don’t really have much control over what state they are stationed in.

Do you think EO is going far enough? What other safeguards should be put in place to protect privacy?

EO can certainly go further. I wrote in a recent article for Hill that we will see state investigators turn to the federal government for help in collecting digital evidence from the phones of people suspected of seeking, obtaining or performing an abortion. The federal government has far more resources than state and local law enforcement, so there is a federal-state partnership to share those resources, provide training, and more. I believe the federal government needs to stop using federal resources (equipment, technology, personnel, etc.) to prosecute people for state crimes related to abortion.

In the meantime, what can people do to manage their online data and minimize their digital footprint?

The Biden EO includes links to HHS guidance on protecting your health information. Also, I would suggest using a messaging app with end-to-end encryption like Signal to protect your private conversations from eavesdroppers. Turn on disappearing messages to make your chats disappear after a certain period of time. Check out privacy-focused browsers like Tor or Firefox Focus and install extensions to block ads and block online trackers (like AdBlock and Privacy Badger). If you don’t want your searches to be logged, try DuckDuckGo, or if you prefer your current search engine, change its settings to stop saving your search history (but remember that your searches will still be logged, this can be attributed to you). Check the privacy and security of the services you use (for example, your search engine or map application) and choose settings that minimize data. Review the access privileges that apps on your phone have: you might find some surprises. Also look at what’s backed up to the cloud: Is there app data (like your messaging conversations) that you don’t want backed up?

What about tech companies and the people who work for them?

Review what data you collect and store, how long you store it, how securely you store it, whether it is stored in a way that can reasonably be linked to a specific user and, most importantly, Why. Why do you collect certain types of data in the first place? Do you really need to collect it at all, or so that the user can identify it, or for so long? Can you delete what you have already collected? It was nice to see Google announce that it will begin immediately removing users’ location history around sensitive locations, such as abortion clinics, for example. More of this, please.

I would also caution tech companies to strengthen internal controls on access to people’s data. There is a long and sordid history of technology company employees abusing their data access rights for malicious purposes. I think we can also expect to see this in the context of abortion.